Subject: Policy-Discussion
- From: Philipp Gühring <pg AT futureware.at>
- To: iang AT systemics.com, "Policy-Discussion" <cacert-policy AT lists.cacert.org>
- Subject: [CAcert-Policy] Re: What's the name for?
- Date: Fri, 22 Jul 2005 10:40:19 +0200
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Organization: Futureware 2001
Hi,
> > Yes, we are already thinking about which OLAP engine will be able to
> > handle our needs ;-)
>
> Hmm, well I don't even know what an OLAP engine is :)
A system that is used for most data mining applications. It is to Excel what
Exchange is to Outlook.
> Pretty short!
Keep it simple ...
> > A CA has to provably verify the identity of a person / organisation.
> OK. Is that referenced anywhere? Is there something
> that says anything about how to do that?
I guessed that it is obvious.
> Or do you have to make it up as you go along?
We will see.
> > Additionally, when you want to get a personal certificate, the CA needs
> > to have your name for the certificate.
> OK, so one type of cert needs the name. It doesn't
> need the DOB though. Nor the address.
We don't keep the address anywhere, do we?
(Unless you are an assurer, and want to tell the people where they can be
assured, but then you enter it on your own)
I think the day of birth is necessary to make the people unique. (Name isn't
enough).
> It's a start. There's a lot of stuff going on right now,
> not the least of which is right now I'm packing for
> a hop over to your neck of the woods.
> Maybe we
> can catch up in the next few days or so.
Ok.
> > I see the following scenarios: Fraud, Phishing, Virus/Malware
>
> So why do they concern CACert?
>
> "nobody else cares..." how is this going to manifest itself?
> Through a court order? A police investigation?
Yes, that sounds possible to me. Although I guess that those things will only
start in a couple of years, when CAcert is large enough.
> How about arbitration? Or a private investigation?
Perhaps, but rather unusual, I guess. There are normally easier and better
methods (Whois, ...) to get the necessary information.
> What about a request to share from another CA?
I have never heard about something like that. Why would they ask for it?
> Or an ISP?
Why? What?
> > I see two scenarios:
> > * Someone notices something wrong, and contacts CAcert about it
>
> OK, so then we examine whether they get access
> to data, or undefined help of some form...
> OK. So it would help here to establish jurisdiction
> in advance. Does an Austrian judge contact the
> Austrian office or the Australian office? How do
> you respond to the Americans?
There are no official offices outside of Australia. There are just offices
offering assurance, but they aren't officially CAcert, they are just
Assurers.
So someone has to contact the Australian headquarters.
Do you see any justification in handling American requests differently?
> > In the first case, CAcert will investigate the case itself first, and
> > handle it according to the facts.
>
> Does CACert have an investigative arm? A
> procedure?
We have developed a rough procedure, yes. But since we didn't have any cases
yet, we didn't build up a specialized team, so it is just handled by our
normal core team.
But someone gave us the idea of developing our own incidents and playing them
through.
Wait. We have an Abuse submission system. I just haven't tried it yet.
> > In the second case, CAcert might de-anonymize a single anonymous
> > certificate, I think.
>
> So if a judge requests a single cert, does the individual
> get a right to file a defence and not have it revealed?
According to our Security Policy:
http://www2.futureware.at/svn/sourcerer/CAcert/CAcertSecurityHandbook.txt
The judge would have to prove the need-to-know of specific information.
If the judge can really prove a good need-to-know, I personally do not see
much reason to deny the request.
If the proof is not good enough, we could ask the individual for permission.
Do you have a suggestion for a better policy there?
> Lots to talk about :)
Yes. I could spend endless hours with those discussions!
Regards,
Philipp Gühring