cacert-policy - Re: [CAcert-Policy] Why is identity needed to authenticate domains?

Subject: Policy-Discussion

  • From: Bernhard Froehlich <ted AT convey.de>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
  • Date: Thu, 10 May 2007 22:46:22 +0200
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Greg Stark wrote:
> Mondior,
> I think cryptographic strength misses the point.  You don't need CAcert to
> create certificates to secure your internet activities.  YOU do not need US.
>
> So why do you want to use our certificate service?  So you or visitors
> to your website don't get the annoying SSL popup window?
>
> You wish to be anonymous!  A 6 month certificate is what CAcert offers.  6
> months, no user name.  Frankly, I think it should be a 30 day certificate.
>
> Look, what CAcert offers its users, for free, is trusted identity on the
> internet.  To do this we look at one another's official identity documents
> to confirm who we are, and if that is not possible we ask you to provide us with
> documentation (TTP Form).  Having done that, I can feel confident that when I
> get a signed document from you, it is you.  For you to have your name on
> the certificate you have met the requirements of our community.  You are
> established in our Web-Of-Trust.  A member of the Club.
>
> Anonymous identity just does not exist here.  Privacy does.  No address is
> asked for.
>
> Greg

Finally someone found the reasoning I was looking for, thanks Greg! But now I have the feeling that I want to add something... ;)

Mondior, if your users check your cert by fingerprint anyway, why don't you create your own self-signed certificate, lasting as long as you want it to? If you don't know how to do that, just drop me a note.

Of course this does not answer the question about the policy on "anonymous server certificates". Why does CAcert issue them? Is it "to make HTTPS available to everyone for free" or is it "a giveaway so you can try the certificates without really getting involved"?
If it's the latter one (which would be my favourite), the reason for a reduced validity period is quite obvious: Come back soon and join the club!

If it's the first one I indeed find it hard to reason against Mondior, because I also don't see how verifying a person's identity increases the reliability that this person also is the owner of a domain. And IMHO this should be the primary and minimum statement an HTTPS certificate should imply. Of course the cert may make more statements, like "the owner is an existing natural person" or "the owner is a member of the CAcert club"...

Now, should there be a vote on this topic?

Ted
;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1  B2E1 0CC8 70F4 7AFB 8D26
