Policy-Discussion

[Ian G <iang AT systemics.com>]

Over on the blog, I commented on the new EV plugin from 
Verisign.

https://financialcryptography.com/mt/archives/000927.html

As long desired, it signals a move to where the CA makes a 
statement, and that's what gets presented to the user.  The 
fact that it is happening via the controversial EV proposal 
is a separate and aside fact.

Surprisingly, Philip Hallam-Baker, of Verisign, agreed in 
comments:

=========
Quite, the entire purpose of EV was to establish 
accountability. Some folk thought that only meant 
accountability for the certificate subject. If people paid 
attention to what I said they would have heard me talk about 
*accountability for the certificate issuer* in every single 
talk I have ever given on either EV or Secure Letterhead.
=========

(I corrected his error as seen in the next comment, and 
emphasise what I think is the message.)

CAcert is doing the same thing:  The CA is making itself 
accountable to the registered users.  The registered users 
are making themselves accountable to each other.  The rest 
of the world -- the Grandmas -- are also not forgotten, if 
not exactly insured for all risks, in the NRP-DAL.

I think it is too early to say if this signals a shift in 
the entirety of PKI and other CAs.  It's not clear that 
Mozilla or Microsoft understand what accountability for CAs 
and for browsers means, so there is more work.

But, for CAcert, it does indicate that the only way forward 
is forward:  increasing accountability, increasing 
professionalism, increasing certainty.  Plus balance, a fair 
deal for all and getting home in time for tea.

Lots of good work has been done!  The good news is that 
there is plenty more work to do ;) and after this friday's 
upcoming SGM, we should expect to see more demands for more 
work...

Rock on!

iang