Subject: Policy-Discussion
- From: mfolimun AT elitemail.org
- To: cacert-policy AT lists.cacert.org, cacert AT lists.cacert.org
- Subject: [CAcert-Policy] Why is identity needed to authenticate domains?
- Date: Wed, 09 May 2007 11:49:12 -0700
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

(Since non-members aren't allowed to read the mailing list archives, I
wasn't able to google search to see if this has been discussed before.
Apologies.)

Hi! First off, kudos for putting forth the effort to get something
like cacert.org off the ground. I think it's really awesome you are
dedicated to providing security to the Internet on a volunteer basis.
Universal SSL is badly needed by the Internet at large. You are truly
giving the world a mighty gift.

However, I do have a question about the identification policy. I fully
understand the need to stringently verify the identity of people who
request code certificates, but what I don't understand is why identity
has anything to do with the domain authentication process.

Let me explain my situation: I have a domain I have paid a premium for
whois privacy protection for. I would like to serve secure encrypted
content on this domain, but I value my privacy, and moreover, I live
in a part of the world that does not have two "assurers" within any
reasonable distance, and it will be a cold day in hell before I mail
copies of my identification documents to anyone.

If I have forward DNS for a domain, and I can receive mail at
root/postmaster at this domain, and I can create arbitrary subdomains
and point them to any requested IP and/or post any requested web page
at your request for verification, why is this not enough to obtain a
secure, long lasting certificate?

It would seem the ability to create subdomains, post webpages, and
answer root/postmaster's email should conclusively demonstrate domain
ownership, especially since the whois information has nothing to do
with my real identity anyways. So I don't understand why someone needs
to see government issued ID for me to be trusted to have an ssl cert
for 2 years as opposed to 6 months, especially given that it would
seem I can just keep requesting new certs every 6 months forever
without providing any ID.

The reason why I object to the 6 months policy is that every six
months I have to waste my time (and confuse my users who do not
install the cacert.org root cert but instead verify by fingerprint) to
renew the cert, and you have to waste your time and resources to sign
it. This doesn't seem optimal, and it certainly doesn't seem to
provide any additional security, only hassle for those who want
privacy or are not able to contact assurers.

Please reconsider this policy to allow people to authenticate domain
ownership without identification and meat-space legwork. The Internet
would be a much better place if everyone was able to use SSL,
regardless of geographic location, privacy concerns, or just
intolerance for hassle.

Thanks,
Mondior
--
mfolimun AT elitemail.org