
cacert-policy - Re: [CAcert-Policy] Photo ID required for Code Signing Maybe OA should as well

  • From: Jens Paul <cacert AT canyonsport.de>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Photo ID required for Code Signing Maybe OA should as well
  • Date: Mon, 26 Nov 2007 13:15:36 +0100
  • List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
  • Organization: CAcert Inc.

Hi Philipp,

As there is no guarantee the address information is current I would rather
not have to rely on it. (While I was studying some of my friends moved up
to 9 times in a period of 4 years.)

In Germany you can mostly rely on it, since they put stickers with the new address on it whenever people move.
(At first I thought they are all trying to cheat by putting some stickers over an area of the photo ID so that I can't read what's really there ...)
It isn't a problem if they do it correctly. The sticker they have to use is from the "Bundesdruckerei" (it is stated on the sticker and it has a special watermark-type style in the background) and they have to put their seal (the seal of the agency) on it. In addition usually they put a foil over it to protect it as well. Unfortunately I have seen examples where the agency didn't do it according to the rules ...


Would that help a private person trying to find someone?

I guess it would help a private detective, yes.
Absolutely. Because the private person can go to Arbitration and request that information and then sue the person for spreading malicious code in front of a civil court (as this is no longer an action under the scope of CAcert, it is no longer part of arbitration)


Script kiddies should be able to get 100 points in their own name only if
the web of trust functions correctly. Don't you think a criminal
conviction would be all the deterrent needed?

Well, a few people suggested that we only need 50 points for code-signing, since it's equal to other certificates as well. I guess the next one that stumbles across the fact that we issue certificates for people that have 0 points, might suggest that we issue code-signing certificates to 0 point people for testing.

Having to contact support AT cacert.org, having to specifically ask to have the code-signing feature enabled, and having to send a photoshopped photo-ID to CAcert, after having met a few assurers (or after having published a trojan that does the needed assurances and gives you the needed 100 points), is actually a barrier.

(About 7 years ago, just getting 50 points (or something) was too much of a barrier for me, that I actually gave up trying in the Thawte WoT.)

I think that discussion is a little bit nonsense ... there are ways to break the law, so should we say because of that there is no need for the law? You have to set a certain barrier but if someone is willing to go over that barrier with enough criminal energy he can. But still, you can state that you have taken appropriate steps to make it not too easy. Therefore I agree with Philipp that we need a certain point level. I just disagree with having different point levels for SSL and codesigning.

Regards
Jens



