Subject: Policy-Discussion
- From: Russell Smith <mr-russ AT pws.com.au>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: [CAcert-Policy] What's the name for?
- Date: Fri, 22 Jul 2005 18:59:23 +1000
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
On Fri, 22 Jul 2005 09:15 am, Ian Grigg wrote:
> On Thursday 21 July 2005 02:40, Duane wrote:
> > Ian Grigg wrote:
> > > CACert is collecting a lot of information on people.
> > > That information becomes a bit of a datamine when
> > > there is enough of it. What system or policy is in
> > > place to protect the information?
> >
> > Yet another policy that needs to be created, there are a lot of things
> > that occur that need a policy written for them.
>
> OK. Well, I'm surprised that wasn't part of the audit
> process. Huh. Maybe I'm not surprised :)
What audit? There has been no audit that I am aware of.
[snipped section which I did not comment on/reply to]
>
> > But for other people to verify IDs there needs some unique key fields to
> > enable them to do this.
>
> Then there are a bunch of questions:
>
> 1. what is the best way to 'identify' people?
To know them for a longer period of time. But even that is not certain.
There aren't really any 'best' ways to identify people.
> 2. who can get access to this information?
Only the people who collect it (assurers), the person who supplied it and
people with physical server access.
The only information kept (Except for TTP) is Name and date of birth.
Assurers have types of ID used, which is basically pointless for useful
information.
Everybody knows the types of ID another person is likely to have.
> 3. what can we do to protect it?
I'm not sure how much information there is to 'protect' for Web of Trust.
For code signing certificates and TTP forms, there is physical security of
documents which I have asked questions about before. How secure are our Date
of Birth and Name anyway?
I'm not sure of the physical server protection, apart from what is written
about server compromise and security there.
> 4. in what forms does the info exist and what are
> the regimes for each piece of info?
Info on Web of Trust from (Name, Date of Birth, Types of ID presented). Only
Assurer has these, unless sent to CAcert.
Info on Website (Name, Date of Birth, Various information about who assured
me and how many points they gave). Protected by server security.
Info at CAcert offices (Photocopies of ID's, Information available from
Website). Protected by ?. Which I have asked about.
I can't think of any other form of information existing.
> 5. do we key everything on some external
> datum or on our own internal number?
I don't understand completely what you mean here.
> So let's say I'm an attacker and I want to get the scoop on
> someone. How would I do that? Become an assessor and
> just access the database? Bribe an insider to reveal it to
> me?
The only information available to an assurer is what you see when you meet a
person, or their name and DOB if you know the email and
you are an assurer.
1. Become an assurer, convince the person who you assure to let you copy the
entirety of their ID's information down or photocopy it.
2. Bribe one of the CAcert Office administrators to give you information.
3. Break in and steal information from the CAcert office.
1 is likely to get you as much information, probably less than simply
stealing somebody's wallet. (You should look into pick-pocketing)
2 & 3 are likely to get you more information if people have sent a copy of
their passport information in. This is a little dangerous. Physical security
as always is important here.
If you really wanted gain, you wouldn't steal info about a person, you would
get the root private key and start impersonating people.
Regards
Russell Smith