Policy-Discussion

[Ian G <iang AT systemics.com>]

Philipp Gühring wrote:
> > Because I think that the real problem about 
> >  privacy is the _difference_ in information access, that is that
> > information is available only _about_ or _for_ certain groups.
>
> Do you have any proof or further arguments for that concept?


Very many breaches happened in scenarios where the 
responsible stated that "they protected the info so we are 
all safe."  But, as time evolved, they protected it less and 
less, because nobody really cared about such things 
internally, and externally everyone believed that they were 
safe.

At some point you have a massive choicepoint-style failure, 
and then discover that the security policy was hollowed out 
from the core, like a rotten apple.  It generally takes 
years for this to happen, but it also takes years to grow a 
real juicy database of info ...

...
> > As I stated several month ago, IMO CAcert should be just a framework for a
> > community, helping their members to check the identities of each other,
> > and therefore should take as less responsibility as possible.
>
> Well, CAcert´s primary function is issueing certificates. 


Currently, that's its flagship product.  Whether "identity" 
is the core or certificates is the core is somewhat open for 
debate ... one way to address this is to come up with a 
mission that identifies these issues:

M.1  "issue certificates."
M.2  "provide identity framework for members."

Both of these could lead to dramatically different results...


> > BTW: why not putting a certain assurance-level into the certificates,
> > going away from that binary "certified-or-not" principle? We shoudn't run
> > after the "big" CAs, we should just make it better, with new ideas. I
> > guess, if we get popular, just because it works and it's better/more
> > trustful/more transparent than the rest, we will be "in the browsers"
> > faster than we'd prefer.
>
> Ok, and what should the software do with it? Do you have any software that can 
> make any use of it?


I suspect the software will follow the popularity.  Let's 
assume that CAcert is added into Mozo for the sake of 
discussion.  Then, all CAcert community people switch to 
using firefox, and start writing plugins ... such as 
Trustbar / Petnames / ... then those plugins automatically 
include a core of "useful lookups" so that they when they 
see a CAcert issued cert, they automatically dive in and 
provide expanded services.

This would be the "chicken & egg" approach.

(So, to drift somewhat and connect these two above threads, 
imagine CAcert starts shipping its own version of Firefox 
... and then starts modifying the internals to do certs 
better.  It may be that it naturally evolves to being an 
issuer of software, not certs, over the years.)

iang