[TriLUG] [Maybe OT]: SSL certificates

[Joseph Tate]

Tanner Lovelace wrote:

> Jon Carnes wrote:
>
> | Cool beans!  Do you do sign other folks web/mail certs?  (Assuming they
> | are members in good standing, of course)
> |
> | It would be good to have an Open Source CA for use in the community.
>
> Honestly, this is the first time the question has come up.  I don't
> have any fundamental objections to signing other web/mail certs, but
> we should probably have a good discussion about it beforehand.
> One thing I just thought of was something someone suggested to me
> today.  Right now, the CA is just on moya.trilug.org.  If, for some
> reason, moya was compromised, that could be bad news for the CA.
> The suggestion was that some of us who are well connected in the
> TriLUG web of trust should sign the TriLUG CA certificate.  Hmm..
> thinking that through more, that would help people decide that
> the CA was good, but if there was a compromise the CA could still be
> used to sign someone's cert, so perhaps we should move the CA off
> a computer that's connected to the net?
>
> I'd like to hear what other people have to say.


At the very least you should verify
A) that the person is who they say they are.  (2 forms of ID)
B) That the person owns the domain that they are registering the 
certificate for.  (WHOIS should be sufficient)
C) If they do not own the domain, (i.e. if it's registered to a company) 
then they have the right to request the certificate in behalf of that 
company, and that the company is a legal entity.

Then draw up some sudo legalese saying:  We do not guarantee this 
certificate, but we certify that at the time of its issuance it was 
issued in good faith that the person was who they said they were.

Verasign, Geotrust and Thawte offer guarantees with their certificates 
as insurance of the data.  Trilug should not be expected to offer the 
same kinds of services.

Joseph