- From: SK <sk.list AT gmail.com>
- To: cacert-policy AT lists.cacert.org
- Subject: Fwd: [CAcert-Policy] Want to help
- Date: Mon, 7 Mar 2005 16:08:04 +0100
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Oops. Forgot to CC the mailing list.
---------- Forwarded message ----------
From: SK <sk.list AT gmail.com>
Date: Mon, 7 Mar 2005 16:06:44 +0100
Subject: Re: [CAcert-Policy] Want to help
To: pg AT futureware.at
Hi Philipp,
I have a couple of questions regarding the policy draft at
http://www.futureware.at/cacert/cacert/policy.htm
This is the first time I am reviewing a policy of this kind so please
let me know if I am barking over things unnecessarily :)
Section 1.3 - Why are two sentences required? Isn't the first sentence
a subset of the second?
section 1.3.3 - Did you mean "Personal CA"?
section 1.5.4 - "evidence to to so" Do we need to specify what
constitutes "evidence"?
section 3.1.5 - Do we (need to or do) check the uniqueness of names of
users? Why is this needed? If there are two people by the same name,
what prevents them from using their name? I guess this clause becomes
important in the context of certificates for Organisations and
Institutions. But then as long as the institution produces documentary
proof that they are who they say they are, it means that the
government body in charge of registering the institution was ok with
the name - so should we bother?
section 3.2.5 - Do we support pinging the email address in the whois
database? As far as I know, we do not. Even if we plan to support that
feature, we still need to decide which email address to honor.
The billing as well as the technical address may not be the actual owner of a
domain. Shouldn't we restrict it to the admin part of whois? This is
what is stated in section 4.2.1 incidentally.
section 3.3 - what is "re-key requests"?
section 4.2.3 - "less than a minute" - are we providing any kind of
guarantee for the 1 minute? Will we get into any trouble with a hard
number like that?
sections 4.7.x and 4.8.x - Don't we need to add at least an "N.A." as an
answer to these subsections?
section 4.9.3 - How is a fraud report handled? What constitutes
fraud? How does one verify it?
section 5.2 - Even though the "Identity Verification Form" has the
space to specify two photo IDs, there is *nothing* in the form that
specifies that two IDs are a requirement for verification. I
personally know of several people who have verified people based on a
single ID!
section 5.2.3 "additional Assurer Test" - what is that? Any publicly
available info on this?
section 6.1.5 - what about the specs of the CA's root cert? Shouldn't
this be mentioned?
section 6.2 - Shouldn't we copy the details of root key protection
procedure rather than just link?
I will go through the WebTrust policy next and see what I can contribute.
Thanks for the patient hearing.
SK
On Wed, 2 Mar 2005 14:39:53 +0100, Philipp Gühring <pg AT futureware.at> wrote:
> Hi,
>
> > [...]
> > Looking forward to some pointers and answers,
>
> Thank you very much for your interest and help!
>
> The current draft is here:
>
> http://www2.futureware.at/cacert/cacert/policy.htm
>
> The draft has been reviewed by this Policy mailinglist in the past few weeks,
> the first review is over now.
>
> Now the following things have to be done:
>
> * Make a TODO list, what is needed for WebTrust
>
> http://www.webtrust.org/CertAuth_fin.htm
> http://ftp.webtrust.org/webtrust_public/tpafile7-8-03fortheweb.doc
>
> I think this is where you should start now, to work through both the Policy
> and the WebTrust specifications, and tell us about everything that is missing
> in the Policy, or that has to be done now.
>
> The next steps will be:
>
> * Make a TODO list, what CAcert needs to do now, to catch up with the Policy
> * Make sure that the majority of the board has read and understood the
> Policy
> * Perhaps a short public review session again
> * Decision from CAcert Board to enable the policy
>
> Regards,
> Philipp Gühring