Subject: Policy-Discussion
Re: [CAcert-Policy] Allowing multiple people administration access to one domain
- From: Philipp Gühring <pg AT futureware.at>
- To: Duane <duane AT cacert.org>
- Cc: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Allowing multiple people administration access to one domain
- Date: Sun, 30 Oct 2005 13:42:04 +0100
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Organization: Futureware 2001
Hi,
> I'm not so sure we should allow multiple people per non-org domains,
> there is a number of reasons for this,
I understand your concerns. But there are a lot of domains that are managed
by several people (owner, webmaster, server-admin) who are not part of the
same official organisation (and will never be), or will ever have an official
organisation.
When I have a personal website, that is hosted by my provider, then I want to
be able to delegate it to the sysadmin of my provider.
It's my personal homepage, I don't have any kind of official organisation for
it, and the provider isn't interested to have the domain in his own
organisational account.
> first at present there is only 2
> types of entities, individuals and organisations,
Yes. And with organisations, we should try to make sure that only legally
registered organisations will get the Organisation Assurance.
Which automatically leaves out NOGs (Non-Organisational Groups) of people.
> and ideally we want as
> many organisations to be registered to if we don't have as much of a
> carrot they may not see as much incentive to do this.
Yes. But if there is no Organisation, we can't demand Organisational
Assurance.
And with a personal domain that is hosted at a provider, there is no
Organisation.
Perhaps we should speak of proxying instead of delegation.
I can legally define a proxy who is allowed to sign some document or do
something in my name. And I don't need to have an organisation where the
proxy and me belong to, for that to be possible.
I understand your concerns that this would work against our idea of doing the
Organisational Assurance.
But there are two things:
* When there is no organisation, we can't demand an organisation. That's a
simple fact.
* When there is an organisation, and we want to put some pressure on them to
do the organisation assurance, then we should make it easier for them to do
it with the organisation assurance, than to do it with the personal proxying.
For that to happen, we should get the Organisational-Assurance starting form
ready in the account management.
In the real world, the proxying is secured by requiring notarization for
certain things.
I think there is another risk we have here:
To share the personal domains, the people could simply share their account.
(Email+Password)
A friend of mine did that, because he thought that this would be the best way
to have the necessary availability of the domain management.
Nobody had told him before, that the account was meant to be really personal.
When I told him that it was meant to be personal, he asked how he could
achieve proper delegation management for the domains.
Organisation Assurance doesn't work for him since he is a freelancer
administrator, and he works for lots of organisations and private persons.
So at the end he told me that the CAcert system is wrongly-designed and
doesn't work for him, because of that, and I agreed with him.
It doesn't help if we design a theoretical system of persons and
organisations, if it doesn't work in practice. That's theoretically nice, but
it won't help us in practice.
I think the organisations already have some pressure since they want the
organisational name in the certificate instead of the personal names.
Perhaps we should write "Personal Certificate" into the certificate ...
I don't object if we decide to make organisational assurance easier and
personal proxying more difficult. But I definitely object, if we don't allow
personal delegation for server certificates at all.
Regards,
Philipp Gühring