Policy-Discussion

[Philipp Gühring <pg AT futureware.at>]

Hi,

> I'm a little radical in this aspect. Either nobody or everybody should be
> able to access an information. 

What do you think about the concept that only those that need to know the 
information should get access to it?

> Because I think that the real problem about 
>  privacy is the _difference_ in information access, that is that
> information is available only _about_ or _for_ certain groups.

Do you have any proof or further arguments for that concept?


> So here's my proposal: Why not make CAcert to a public space? All
> information in the CAcert databases is declared as public, who wants to be
> part of it, has to agree with that. I see clear advantages in this
> approach. I would like to see, who assured whom. The whole web-of-trust
> would get transparent and therefore easier to trust (or not).

Now lets say I have been assured by 100 people.

> There just 
> has to be a protection against spammers to download all the
> email-adresses, like in other "e-communities" too. I mean, what
> information does CAcert have about me anyway? My real name, my
> email-address (both in my certificates and therefor public anyway), and
> whom I gave and from whom I got how many assurance points and where. (Many
> e-community sites do something very similar with their web-of-contacts,
> where you can traceroute an arbitrary person by the established contacts
> in the community.)
>
> For the rest (logfiles and stuff like that) the question about giving out
> data is the same as for every webservice with useraccounts, which is
> answered by the local authorities of where ever the servers are located
> at. CAcert is not in the position to "handle" something here, I guess.
>
> As I stated several month ago, IMO CAcert should be just a framework for a
> community, helping their members to check the identities of each other,
> and therefore should take as less responsibility as possible.

Well, CAcert´s primary function is issueing certificates. 

> BTW: why not putting a certain assurance-level into the certificates,
> going away from that binary "certified-or-not" principle? We shoudn't run
> after the "big" CAs, we should just make it better, with new ideas. I
> guess, if we get popular, just because it works and it's better/more
> trustful/more transparent than the rest, we will be "in the browsers"
> faster than we'd prefer.

Ok, and what should the software do with it? Do you have any software that 
can 
make any use of it?

Best regards,
Philipp Gühring