- From: mfolimun AT elitemail.org
- To: "Policy-Discussion" <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Why is identity needed to authenticate domains?
- Date: Fri, 11 May 2007 08:26:08 +0400
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
On Thu, 10 May 2007 12:53:23 -0700, "Greg Stark" <gstark AT electrorent.com> said:
> Mondior,
> I think cryptographic strength misses the point. You don't need CAcert
> to create certificates to secure your internet activities. YOU do not need
> US.
>
> So why do you want to use our certificate service for? So you or
> visitors to your website don't get the annoying SSL popup window?
It was my understanding that CAcert was aiming to be a widely
accepted certificate authority to provide domain certificates for
HTTPS/IMAPS/SMTPS/whateverS for free: Ted's second point in his post.
I did not realize that you guys were looking to replace the GPG
web-of-trust with something tied to domains and openssl. If that is
your real mission, then I am barking up the wrong tree.
But then I also argue you are using a screwdriver to hammer in a
nail... certificates exist primarily to secure and authenticate
internet traffic from Internet domains, not to verify content comes
from a particular person.
> You wish to be anonymous! A 6 month certificate is what CAcert offers.
> 6 months, no user name. Frankly, I think it should be a 30 day certificate.
Why? Exactly what am I doing with this certificate? I'll tell you: I
am using it to certify that content from my domain name is actually
from my domain name, so that no one can intercept it and try to fool
my users, or read their traffic. If I prove conclusively to you that
I AM my domain name, what is the risk? There is no uncertainty here.
If I demonstrably control all properties of domain X, there is no harm
in you certifying I am domain X, unless I have hacked domain X, stolen
its mail, stolen the passwords to the registrar, and hijacked its
webserver, and convinced their ISP to update reverse DNS. All without
the domain admin knowing. If I am this much of an uber-ninja, why don't
I just do this to domains Y and Z that have already been granted
CAcerts, and steal their private keys?
> Look, what CAcert offers its users, for free, is trusted identity on the
> internet. To do this we look at one another's official identity
> documents to confirm who we are, and if that is not possible we ask you to
> provide us with documentation (TTP Form). Having done that I can feel confident that
> when I get a signed document from you. It is you. For you to have your
> name on the certificate you have met the requirements of our community. You are
> established in our Web-Of-Trust. A member of the Club.
But this is NOT what you do! This is what the GPG web of trust does!
What YOU do is certify that content that claims to be from domain X
*really is* from domain X. Particular individuals have nothing
to do with the content you certify.
Consider a wiki that is the collaborative product of many individuals
operating with a CAcert. Or a webhost that has multiple users on
independent subdomains. That content is only certified to be from
the toplevel domain, not any particular individual.
It makes complete sense for you to have a well-linked web of trust
for your assurers and among other volunteers of your organization,
but it makes little sense to force people who just want security to
become members of this web as well. Especially when you are ultimately
certifying domains and their content, not people.
> Anonymous identity just does not exist here. Privacy does. No address
> is asked for.
And if I (as an assured natural person using my real identity) were to
host a domain that allows anonymous users to post content to https
secured subdomains using a wildcard cert, would cacert.org invalidate
my certificate because the content is no longer assured to be from the
original applicant?
--
mfolimun AT elitemail.org
--
http://www.fastmail.fm - Choose from over 50 domains or use your own
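The post argues that a server certificate binds a domain name, not a person, and that a wildcard certificate covers whichever subdomains the host chooses to put content on. The check a TLS client actually performs makes that concrete: it compares the requested host name against the certificate's dNSName entries (subjectAltName), including wildcard entries, and the subject's personal name plays no part in that match. The following is an added illustration written for this archive page, not code from the mailing-list post or from CAcert; the certificate object, the names `ServerCert`, `name_matches` and `cert_matches_host`, and the sample domain `example.org` are all constructed here, and the wildcard rule implemented is the conservative one (a lone `*` as the whole left-most label, with at least two labels after it).

```python
# Added illustration of TLS host-name matching (RFC 6125 style), not part of the
# original mailing-list post. The certificate below is a constructed stand-in for
# a parsed X.509 certificate; only the fields that matter for matching are kept.

from dataclasses import dataclass, field


@dataclass
class ServerCert:
    subject_cn: str                                  # human-readable subject; ignored by host matching
    dns_names: list = field(default_factory=list)    # subjectAltName dNSName values


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; a lone '*' matches any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True when a certificate name (possibly a wildcard) covers hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire left-most label and only when at least two
    labels follow it, so '*.org' and 'w*.example.org' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
            return False
    if len(p_labels) != len(h_labels):
        return False          # a wildcard never spans more than one label
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: ServerCert, hostname: str) -> bool:
    """True when any dNSName in the certificate covers hostname; subject_cn is not consulted."""
    return any(name_matches(n, hostname) for n in cert.dns_names)


def check_hosts(cert: ServerCert, hosts) -> dict:
    """Map each requested host name to whether the certificate would be accepted for it."""
    return {h: cert_matches_host(cert, h) for h in hosts}


# Constructed sample: a wildcard certificate for the domain whose subject happens to
# carry a person's name. Nothing in the match below depends on that name.
WILDCARD_CERT = ServerCert(
    subject_cn="Jane Doe (assured member)",
    dns_names=["example.org", "*.example.org"],
)

if __name__ == "__main__":
    sample_hosts = ["example.org", "alice.example.org", "a.b.example.org", "example.com"]
    for host, ok in check_hosts(WILDCARD_CERT, sample_hosts).items():
        print(f"{host:20s} {'accepted' if ok else 'rejected'}")
```

Run stand-alone, the script shows that `alice.example.org` (a subdomain an anonymous user might be given) is accepted under the wildcard exactly as `example.org` itself is, while `a.b.example.org` and `example.com` are rejected: the client learns only that the peer holds a key certified for that name, nothing about who produced the content.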