cacert-policy - Re: [CAcert-Policy] Privacy in CAcert

Subject: Policy-Discussion

  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Privacy in CAcert
  • Date: Sat, 13 Jan 2007 16:56:01 +0100
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Sven Anderson wrote:
> Duane, 12.01.2007 13:32:
>> Bernhard Froehlich wrote:
>>
>>> So I'd vote for the policy "Disclose all user provided information if a
>>> user's certificate is involved in a civil or criminal lawsuit". But I
>>> have been criticised for this opinion before... ;)
>> I strongly disagree with this, why should we hand over data liberally
>> without a valid court order in a jurisdiction that we do actually have
>> to adhere to?
>
> I'm a little radical in this aspect. Either nobody or everybody should be
> able to access a piece of information.


Right, we need a very defined model that tells us who gets the data, and under what circumstances. It is somewhat useful to speculate whether the RIAA can do this or that ... but the real question is "what happens when they do sue and they get an order against CAcert from the judge to do XYZ?"

Whatever the answer is, it should be comparable to every other party and every other action XYZ, in a fair fashion -- e.g., if the RIAA gets the data on Sven, then *I* can get the data on Sven -- and it should be aligned to our sense of community goodness, whatever that means. E.g., our mission.


> Because I think that the real problem about privacy is the _difference_ in
> information access, that is that information is available only _about_ or
> _for_ certain groups.
>
> So here's my proposal: Why not make CAcert a public space? All
> information in the CAcert databases is declared as public; whoever wants to
> be part of it has to agree with that. I see clear advantages in this
> approach. I would like to see who assured whom. The whole web-of-trust
> would get transparent and therefore easier to trust (or not). There just
> has to be a protection against spammers downloading all the
> email addresses, like in other "e-communities" too. I mean, what
> information does CAcert have about me anyway? My real name, my
> email address (both in my certificates and therefore public anyway), and
> whom I gave and from whom I got how many assurance points and where. (Many
> e-community sites do something very similar with their web-of-contacts,
> where you can traceroute an arbitrary person by the established contacts
> in the community.)


I personally would go half as far as that, I think people should have an ability to set a flag saying "public" on each piece of data. So if I want to show my address and my assurers list, then I can. If I want to show I've got 150 points and I've passed the Assurance test, I can. E.g., it is rather valuable in some circles to show that I am over the age of 18.

But forcing everyone to do that would I think be highly limiting. What's wrong with providing privacy-oriented people the CAcert facility, with privacy for their activities? It's not as if this hides anything specially, as you always need to check the details anyway if you are going to rely on them.

(But I hasten to add, that's a personal opinion and has no further bearing beyond chit chat...)

iang




