Policy-Discussion

[Philipp Gühring <pg AT futureware.at>]

Hi,

> It isn't as if we even have a principle of uniqueness, as
> name + DOB isn't unique, whereas email address is the real
> unique identifier.

Email address isn´t a unique identified of a human.

support AT cacert.org
 for example.
The concept of PKI that email address is unique for an identity is one of the 
fundamental flaws of PKI in my opinion.

> The way I see it, it is more like the evidence on use of a
> name, where evidence is considered to be "government docs".

Hmm, what was the definition of identity again? 
I think it was something like the collection of things that differentiate an 
individual from other individuals?

> If we were to drop the DOB for example, this wouldn't
> materially change much.

Conceptually, yes.

> >> Precisely, they then switch to becoming "experience in
> >> assurance" points, it seems.
> >
> > Yes, from 100-150 the points have the meaning of experience in assurance.
>
> OK, so we are (all?) agreed that this is the current situation.
>
> Our next question would be:  is this switch in meaning a
> "bug" or a "feature" ?

In which direction do we want to argue here? I guess I have enough arguments 
for "bug" and "feature".

> > I once had the idea of assurance-experience-transfer programme, whereby
> > you can get assurance-experience points if you can proof that you have
> > experience in the field. (Like you are a border-policeman, and you check
> > IDs every day, or things like that) Well, TVerify is somehow in that
> > direction already.
>
> Makes sense.

Well, it seems we are moving to more complex requirements for assurance than 
just ID-checking, so it looses relevance.

> >> To bring this back to assurance:  why doesn't an assurer
> >> also get assured at the same time by the other?  Surely this
> >> would be worth 1 point?
> >
> > Reciprocity was introduced at CAcert in the beginning, after it was
> > discovered that the disallowing of reciprocity that was in effect at
> > Thawte was not a good idea.
> > So yes, it is allowed to assure an assurer. It might be a good idea to
> > encourage people to do that more. But I am against enforcing reciprocity.
> > (For example, it doesn´t work

> I don't quite understand what you mean by that.

Thawte did not allow that users or assurers can assure other assurers, so 
reciprocity was forbidden there. (I might be wrong there) 
CAcert thought about it in the beginning and decided to allow assurance 
reciprocity at CAcert.

> We may not necessarily have to "enforce" it ... we could
> simply make it "normal".  That is, if Alice wants to get
> assurered by Bob, she visit Bob with the papers for both of
> them, and they both work it through, reciprocally.

> I'm not sure why Bob would "refuse" to be assured by Alice.
>   Is it because Alice isn't trained and therefore can't be
> relied upon to keep the papers?

Well, or it might be that Bob can´t be assured at all, due to for example an 
identity crisis.
Or the assurer wants to limit the exposure of his personal data due to 
privacy 
reasons.
I remember that I found other valid reasons as well, but I don´t remember 
which ones they were.


> Well, maybe the answer is for the Assurer to explain that.
> If we let Assurers run around telling people that
> reciprocity is trust, then of course they will get the wrong
> opinion.

Well, trust, identity and all those other newly invented concepts aren´t 
generally understood and often confused. I don´t see some education about 
those concepts in our education programme yet, so my guess would be that some 
percentage of the assurers would get those things wrong.

> To my mind, I can see the following benefits:

> a.  Assurer's name is additionally assured to 1 point.

So we are effectively making everyone an Assurer upon first contact?

> b.  Assurer has a chance to educate the new user as to how
> to do it.

Yes, I think that´s a good chance. But perhaps the assurers should first ask, 
whether the people think that they might want to become an Assurer themselves 
in the future.

> c.  The sense of "power" is reduced, in that as it is
> reciprocal, there is no expectation that the Assurer has the
> power to demand this or that beyond what is fair to ask both
> ways.

Yes, balance of power is a good idea there.

Best regards,
Philipp Gühring