Policy-Discussion

[Sven Anderson <sven AT anderson.de>]

Ian G, 17.01.2007 18:24:
> Sven Anderson wrote:
>> Ian G, 13.01.2007 16:56:
>> If the trust of the system is based on it's public transparency, then
>> privacy is counterproductive. If I have a certificate of somebody, and I
>> want to check it on the CAcert website, I would like to see a list of the
>> assurers and their assurer points (not necessarily their names though!) If
>> I just see the number of assurances, or even just an "assured" flag, my
>> trust in his identity is less.
> 
> What happens if the Assurers don't want their names to be 
> released?  See below for more concrete example.

>From the POV, that users of a community want to confirm their "official"
identities of each other, it's somehow a contradiction to want your name
to stay private, as such a community is a blurred and open thing.

But: I'm maybe radical in the goals but not a fundamentalist. As you can
see I wrote above: "not necessarily their names though". In a list of
assurers it is not necessary to show the names, the assurance-level is
enough. (In an advanced system of course some assurers could allow me as
an user to see their names in such lists, based on personal configuration,
as you proposed before.)

I just want to propose the following rules in the given order:
1. store as few information as possible.
2. make as much information available as possible.
3. give the user the control of 1. and 2. where possible.

I don't want, that the whole database-dump can be downloaded by everyone
for instance. Of course not. I'm just approaching the reasonable solution
from the other side.

>> Don't get me wrong. I'm totally pro-privacy. But the best way of realizing
>> privacy is to publish all data. That sounds paradox.
> 
> 
> Yes, it sounds like a paradox, and I think it is:  It may be 

Of course it is a paradox. A paradox is not a contradiction, it just seems
to be one. ;-)
http://en.wikipedia.org/wiki/Paradox

> that the best way to protect stored data is to publish it 
> because that forces you to show that the data is needed. 
> But it's not a necessary result;  it's not the only way.  If 
> data like assurer points is needed to usefully calculate 
> your points, then it can be stored, but not published but 
> kept secret.

Yes, but I want that we have to argue for why it should be kept secret,
and not for why it should be published.

> But there are other ways to get control of your data or to 
> establish confidence that the data stored is appropriate: 
> ask to see it all, become a system administrator and learn 
> how the database stores its fields, become a programmer and 
> read the code, do an audit, especially with a privacy 
> criteria, file a dispute and get your data, etc etc.

That should be the way for the average user, who just wants to know, what
data about him does exists and what is done with it?

>> Also it's easier to correct wrong assurances and make the system
>> self-stabilizing. I had many cases, where I didn't want to give any
>> assurance points, but the user already got points! I had no possibility to
>> vote for a assurance point withdrawal. (Sending these cases all to a
>> support AT cacert.org
>>  cannot be the solution.)
> 
> OK, so how should this be done?  Maybe you as an Assurer can 
> set negative points?
> 
> But if you as Assurer can set negative points, and your name 
> appears as having done that, will you still do it?  Most 
> will not.

Why not? I will, and I will be proud that I found a mistake. ;-)
1. As I wrote above: I can see that some people don't want to be listed
with real name in assurer lists, so I agree with you: let the user choose.
2. It should be clear, but I have to emphasize again, that the
assurance-points are just a valuation of the link between an CAcert
account and the data on official documents. In no way it is a valuation of
the person itself. So there's no need to feel ashamed to give "negative"
points.

> Right, and the feedback system is published so it tends to 
> be over-positive ... which then leads to confidence scams. 
> That doesn't mean that CAcert shouldn't do it, but there is 
> no perfect answer here.

Not such a big problem IMHO. Peoples perception will adapt to it.


Cheers,

Sven

-- 
http://sven.anderson.de    "Believe those who are seeking the truth.
tel:    +49-551-9969285     Doubt those who find it."
mobile: +49-179-4939223                                 (André Gide)

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature