- From: Iang <iang AT iang.org>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] Policy about code signing certificate
- Date: Mon, 17 Dec 2007 15:50:09 +0100
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Lambert.Hofstra AT ins.com wrote:
* Do we want increased traceability, with official prosecution in
mind? That is, a replacement/modification/extension of the ID copy
required till lately.
Traceability: I'd say yes, but would depend on what this entails.
This is a key question that bedevilled the earlier debate. Yes, Traceability was wanted, but no, we didn't know what for.
The new Assurer Policy (wip) says something different (today). It suggests:
=================================
The Statement
The following claims can be made about a person who is assured:
1. The person is a bona fide CAcert User. In other words, the User is a member of the CAcert Community, as defined by the CAcert Community Agreement.
2. The User has a login account with CAcert's online registration and service system.
3. The User account can be determined from any certificate issued by the account.
4. *The User is bound into CAcert's Arbitration*.
5. Some personal details of the User (name, email, etc) are known.
The confidence level of the Statement is expressed by the Assurance Points.
=================================
The key part to look at is Claim 4, which says that CAcert's Arbitration rules. Now, this can bring the person before an Arbitrator. That Arbitrator can rule up to 100 Euros of fines, etc. The Arbitrator can also do other things, without particular limit, see below.
Official prosecution: not by CAcert, the only thing CAcert could do is
provide name, email address, and DOB of the person owning a certificate, and
only after a court order.
I would have said:
CAcert's Arbitrator can do things like provide a name, an email, DOB, and any other info that is permitted. If, for example, the CAcert Arbitrator finds sufficient evidence of some wrongdoing, the Arbitrator can strip the person's privacy.
The subtlety is that someone has to be able to do those things. Who can't do those things is CAcert, or the systems administrator or the support people, or the Assurer, because they are not authorised to do that.
(You may question whether the Arbitrator can reveal the names, etc. without a court warrant. One general standard of behaviour is: if it is civil, probably not. If it is a crime, probably yes.)
Now to bring us back to traceability. In the above context, traceability might be an added benefit (maybe!) but the essence of traceability must still be seen in the forum of Arbitration.
Can we better bring this person before Arbitration? Does traceability help that?
I think we have to define what should be in the CSC: just a name or the
official name as written on the official ID (For Organisations the official
name of the organization), and maybe the email address (is it in there right
now? I noticed most CSC's do not include email address), probably name of the
application (to prevent others to sign malicious code with a stolen CSC),
anything else?
Windows shows Name of signer (Subject:CN?), Email address, Timestamp as the digital signature details of a signed executable. I vote: Yes
Yes: Ted
If you followed the above argument (debatable still!) then you will see that there is another answer for what is needed in the CSC:
No PII at all needed.
As long as the CAcert Arbitrator can take the cert's unique number and identify the person, that's fine. All disputes find their way to the Arbitrator, in one way or another. See 3. above.
No:
* Do we want an additional agreement of the applicant? Something
like she is no bad gal or that he knows that signing binaries
impose additional risks/obligations.
Yes: Lambert, Ted
No:
I'm interested to hear your logic why? What would that agreement impose?
* Do we want additional education of the applicant, something like
the Assurer Challenge for code signers?
Hmm, I guess a simple test would do no harm (would show that CAcert is taking
this seriously, and that CSC's are only given to those that understand the
impact)
So: Yes
Yes:
No:
OK. Others?
iang