Policy-Discussion

[Ian G <iang AT systemics.com>]

Duane wrote:
> Sven Anderson wrote:
>
> > That's a bit to diffuse to react to, smells a bit like conspiracy theory
> > too, but well, everybody has the right to have one. ;-) In general I would
> > say, if you want to avoid, that certain people get certain data, the only
> > way is not to create that data. Everything else will be an endless and
> > doomed task.
>
> There was nothing diffuse or ambiguous or even metaphorical about my
> statement at all, all the time there is new reports on how social
> networks are analysed for different purposes but that's only what
> researchers are doing and publicly announcing. Not only is CAcert a
> social network but it also deals with the use of cryptography.


I see the point about social network research.  Question is, 
why does that stop CAcert getting into providing info on a 
user-voluntary basis?

Everyone can have a website; why can't CAcert extend its 
facility to share that info, just like I could list on my 
website that I have 2000 points and am Assured by 1000 
people ... etc etc.  (Which I'm not of course, but if I say 
it, is CAcert going to say any different?)


> ...  should we be
> publishing their names and details so governments can go an arrest and
> throw them in a deep dark hole somewhere and forget about them?


Depends on the mission of CAcert.  What's the mission?  Does 
it suggest privacy, crypto, utility, price or what?

Your reasons are ungrounded without a mission, without some 
view that these people are the ones we intend to protect, 
and without some analysis of the risks.  It's possible to 
scare people with FUD, but it isn't going to give you any 
basis on which to make privacy decisions.


> I can sit here and go on and on as to why it's a bad idea, might not
> happen, but there is past precedents that clearly point out any or all
> the above could happen.
>
> I only have to be right once :P

PKI kool-aid!

Security is nothing to do with "being right once" or being 
"100% secure..."  There are no absolutes in this.

It's all about risks:  all good security systems sacrifice 
the occasional victim but protect the vast majority for a 
good price.  Certificates are no different.  If we can 
promise to protect 1000 holocaust deniers at the cost of 
failing to protect 1 jihadist, is that a fair risk to take? 
 Definately;  if CAcert has 1000's of holocaust deniers but 
has no jihadists, and if it was the other way around, it 
would choose the other way.

As an organisation, CAcert will definately have to 
"sacrifice" the privacy of some of its members one day or 
another.  It needs a rationale to do so ... and that should 
relate directly to the mission ... which remains unclear.

iang