Policy-Discussion

[Sebastian Kueppers <cacert AT kueppers.ath.cx>]

Iang schrieb:
> Sebastian Kueppers wrote:
>> Hi!
>>
>> Evaldo: Thank your for starting this discussion, I'm begging for such a
>> policy for about a year now...
> 
> 
> Yes, the CPS also begs...  Hmmm, it says:
> 
> 3.1.4. Rules for interpreting various name forms
> 
> Names are administered by means of the User's account. The 
> rules themselves may be varied on short notice by CAcert as 
> fraud such as phishing is moving too quickly for 'policy' 
> documents.
> 
> http://svn.cacert.org/CAcert/policy.htm#p3.1

Hm, I'm quite unhappy with that....
This section refers to a unknown and not exitsting document to see
if/how a name may be interpreted.

>>> Another one not so uncommon around here:
>>> - People changing their last name after marriage
>> I think that is a minor problem, because (at least in germany) you'll
>> get an official certificate stating the change of name.
> 
> 
> OK, so the assurer can work with it.  Is the system set up 
> to support that change?

Currently we delegated such cases to support@ to change an existing
account :D

>> If there are still issues with CAcert certificates and UTF-8 I think we
>> should (better: we have to) provide a possibility to avoid these issues.
>> Either by making the certificates working with UTF-8 or by allowing
>> transliteration of problematic characters.
> 
> 
> Hmm.  Good point.  OK, so what does the system do if your 
> name includes an umlaut?

Well, for me it works :D But I don't know how it works for other people.
As Philipp said, the umlaut is in iso-8859-1 (Latin 1, IIRC) so as for
me if I have a look at the certificate at the command line I see
mutilated umlauts.
Well, you could argue that iso-8859-1 would work fine for me, but I'm
sure there are people in the world having non-iso-8859-1 compatible names...

>>> For example one thing I always considered ok was the german "eszet" (�)
>>> character which is represented in ID cards as SZ, since ID cards only
>>> use capital chars. But of course the name might have been czech or
>>> hungarian where "sz" is a not so uncommon combination...
>> Another problem are the Certificates itself. If I remember correctly
>> there have been some issues about UTF-8 and X.509 certificates...
>> And if we allow substitution of loacal special chars into some
>> ASCII-counterpart we would need a comprehensive list of allowed
>> substitutions.
> 
> 
> Yes, ok so potentially we have:
> 
> User's Name(s) ==> CAcert-assigned Name(s) ==> x.509 Name(s)

But how to handle that and - more important - which name to assure?
Well, 'other' CAs don't care about if you need umlauts or not (of course
I don't know their internal rules on checking) but we have to have an
easy-to-understand rule not to confuse or scare users.

Regards,
Sebastian

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature