Policy-Discussion

[Alaric Dailey <alaricd AT pengdows.com>]

LDSTech wrote:

> I've just joined the list, so forgive me it this has already been
> proposed, but I think there are several legal issues that are going to
> get in the way of making this fly.

One of many many issues prohibiting this from flying.

>
> First, as Peter has already pointed out, the U.S. is really a stickler
> about access to encryption,--or to put it more relevantly,--to
> anything that smells like encryption, technomlogy. This is serious
> business and to get American companies on board, they simply have to
> be able to certify that their vendors are on board. Thus, in dealing
> with American companies, this is a reality that has to be explored.
> The actually location of the founding company doesn't matter, as has
> already been noted. Assuring American companies that the technical
> service provided by CACert falls within their supplier qualifications
> is something the tech side has to be prepared to explain.
>
> Second, I believe that a country-specific assurance scheme might help
> deal with the various distinctions between what notaries can do and
> how to best ensure that people are who they claim to be. 

I am not sure this will work well and might be a maintenance nightmare,
especially since CACert is volunteer driven.  The best soution I can
think of is finding the most stringent set of laws and requirements and
following those, like the way manufacturers of high-performance car
parts attempt to pass california emissions standards here in the states.

> Frankly, indentity-theft shouldn't be an issue if individuals are
> assured. This falls under the title of "due diligence." Obviously, the
> big companies do minimal due diligence, but that doesn't mean that
> CACert consumers understand that. They can hire the lawyers to
> withstand any onslaught that comes,--the goal is not to get sued in
> the first place. The way to do that is to create a clear
> consumer-contract with clear outcomes. Most of that is acomplished,
> but there are some areas where confusion is sure to come in. Outlook
> doesn't make it easy to accept certificates, even though it's a snap
> with Firefox. Education is key, but that's hard to do without a
> serious advertising budget.

Incorporating third party CA certs is easy in windows and I documented
last week in wiki, for users, machine and domain level inclusion, and
once in windows it applies to all MS apps, Office, Outlook Express,
whatever, and even Adobe can be easily configured to check against the
windows certificate store.

>
> Maybe, it would be helpful to create a To Do list of legal issues and
> then start to figure out how to deal with them and the timelines on a
> global basis??


Listing out objectives would be great.  Timelines are completely out of
most peoples control, only Duane has such control.  Changes to CACert
have been... slow, but I have seen many offers of help, but in defense
of Duane, who should he really trust? 

Legal issues really should have been addressed before taking CACert
live, but a good legal team to fix such problems now would be a great
boon. For example, I happen to know that our "Certificate Policy
Statement" is in dire need of legal review ( I am not even sure if its
posted on the site).

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature