Background
CAcert uses roots as described at Structure of Roots and many other places. Because the existing roots have been deemed to be Audit Fail here, we have to create new ones. This then means we need these things:
- technical organisation of roots:
  - Roots/Structure describes the hierarchy and relationship between the roots
  - Roots/Contents describes the internal fields in each root.
- ceremony for creation of root(s)
  - Roots/CreationCeremony is open as a place to develop this need
- storage securely on signing server
- escrow root securely for disaster recovery
Note that as we decide on the way to do this, the process should be transferred to the wip CPS and the wip Security Manual. These pages are the works-in-progress of the New Roots Task Force.
Proposals
- Creation of an offline root to be stored securely (e.g. board-controlled safety deposit box)
- Creation of sub-roots for different CAcert functions:
  - Web of Trust (e.g. CAP)
  - Remote Assurance (e.g. RAP)
  - Organisation Assurance (e.g. OAP)
- Creation of sub-roots for assured organisations (from which they can issue certificates)