On 17.05.2015 at 06:52, Christian Felsing wrote:
> Hi,
>
> I am wondering if CAcert would offer CA solutions to handle this
> type of "special" applications. I can imagine a sub CA which offers
> a web service (authenticated by a specific client certificate) to
> sign server certificates for that purpose.
>

The server certificates issued by CAcert already include the XMPP server name extensions in the SANs of the certificate as well as the necessary purpose flags to use them as client certificates. That way they can be used for authenticating servers to each other (cf. Debian BTS #747453).

In fact: I'm using CAcert certificates on my server nearly exclusively (except for the SKS PKI). The problem with the SKS PKI is the missing CRL/OCSP infrastructure, which we should strongly encourage Kristian to set up ASAP if he wants to maintain his own root.

That's something CAcert COULD provide as part of a (special kind of) Organization Assurance in a new Policy (maybe in a new subroot), BUT CAcert has a quite strong stance on not allowing subroots that are not maintained by us. Also, the way Organization Assurance is implemented right now, you won't get domains outside your organization included in certificates. But this limitation could be resolved with a CPS change introducing support for HA server pools - which might be of interest outside the SKS pool.

> Christian
>
>
> On 16.05.2015 at 23:36, Benny Baumann wrote:
>> Which led to the situation that I specifically need to disable
>> OCSP stapling in my nginx for those 3 domains.
>

Kind regards,
Benny Baumann
CAcert SoftWare Assessment Team
CAcert OpenPGP SKS Admin Team*
CAcert Infrastructure Team

*Yes, CAcert has its own SKS server. It's part of the normal network, but we asked Kristian to not include it in the pool (for reasons).
_______________________________________________
Sks-devel mailing list
https://lists.nongnu.org/mailman/listinfo/sks-devel
