Subject: Policy-Discussion
- From: Philipp Gühring <pg AT futureware.at>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Why is identity needed to authenticate
- Date: Mon, 14 May 2007 14:31:08 +0200
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Organization: Futureware 2001
Hi,
> It seems there is widespread misunderstanding among the CAcert community
> how SSL works, and what constitutes real security.
Not just in the CAcert community, I would say. I think that's an illness of
most of the PKI community. PKI means a lot of different things to a lot of
different people, but in reality it usually doesn't deliver the expected
results.
> This in itself is
> far more disconcerting to me...
Well, I would say that CAcert is a place where quite a few people have come
together to research the misunderstandings of the PKI community, to uncover
the problems, to try to search for better solutions, and to evaluate the real
possibilities and real limits.
> This "Papers please!" state we've managed to get ourselves into IS
> NOT SECURITY.
Yes, and the reason for that is that the best quality ID documents I found so
far (Germany's) still have an error rate of 0.5%. Which means that at least
one out of 200 IDs is erroneous. Most other ID documents have a worse
error rate. So until we find a better source of identity than ID documents so
that we can ban ID documents for CAcert assurance, we have to lobby the
issuing passport offices to improve their quality assurance.
(One country even succeeded in getting a 99,99% false-issuing rate, where the
chance that the ID is correct was only possible by accident, and only
possible after the year 2000)
> If you want a fake ID, just go to your local high school
> and start asking around, or go to any country in Asia or Central America
> and just walk around for a while. ID grows on trees.
> Verifying ID buys you NOTHING in terms of Internet security of domains.
> The security is in control of the DOMAIN NAME, and in the SERVER
> RUNNING THE SOFTWARE.
Security depends on the viewpoint of the threat-model. Which threat-model are
you talking about specifically?
> Checking ID provides a FALSE SENSE OF SECURITY at a great cost of
> inconvenience and adoption. The good guys are the only ones who
> have valid ID. And even some of them have a spare fake just in case.
> Sorry for the shouting. This problem is pandemic to our society,
> and it is extremely frustrating to me... It makes me sad that
> cacert is choosing to be a "kool kids klub" instead of providing
> real security to those who need it: Everyone.
I would say that identity is an overestimated concept in the security world.
But I am sure that Identity isn't completely useless for security. It's just
overestimated as a security mechanism.
> Oh well, at least I tried...
You are giving up that fast?
Best regards,
Philipp Gühring