Policy-Discussion

[Ian G <iang AT systemics.com>]

Ian G wrote:
> mfolimun AT elitemail.org
>  wrote:
> > On Fri, 11 May 2007 14:00:04 +0200, "Ian G" 
> > <iang AT systemics.com>
> >  said:

> > > > But this is NOT what you do! This is what the GPG web of trust does! 
> > > > What YOU do is certify that content that claims to be from domain X 
> > > > *really is* from domain X. Particular individuals have nothing 
> > > > to do with the content you certify.
> > >  
> > > Sorry, where did you read that?  The CPS doesn't say that, 
> > > did this come from anywhere in particular?
> > http://wiki.cacert.org/wiki/SubmitCsr - 
> >
> > "Basically unless you assure your company nothing else 
> > except for commonNames and subjectAltNames will appear 
> > on your certificate, the other fields are removed"
> >
> > It would seem you do not provide any form of individual
> > identity on your certs, just commonName/domain.
>
>
>
> Oh, I see what you are saying!  That might be a bug, then, 
> in either the certificates or the CPS.  Let's check it out 
> then.  Thanks!


OK, so as promised, let's check this bug out.

I checked my certificate for SSL use and it has no 
identifying info in (for example) the OU field.  (Whereas my 
individual email certs do have my name in them.)  This 
matches the above claim made on the wiki as found by mfolimun.

I checked one other CA's cert for some website, and the 
owner was identified in the OU field.

Why does CAcert's CA strip any identifying info from the 
other fields?  Is there a reason why this is so?

(I can imagine many myself ... but I want to hear the CA's 
reasons.)



Then, in the CPS, it states that:

Relying Party Statement
A relying party may rely on the User named in a certificate 
having been assured to at least 50 points.

Now, we could argue that both ways, in comparison to the 
above.  But for integrity of claim, we should be clear what 
we are intending to do here;  and rewrite that relying party 
statement ... or the certs policy ... to match.

Comments?


iang