Subject: Policy-Discussion
List archive
Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC
Chronological Thread
- From: maurice Kellenaers <maurice AT gkbikes.com>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC
- Date: Thu, 16 Oct 2008 07:34:14 +0200
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
Sam Johnston wrote:
On Thu, Oct 16, 2008 at 10:39 AM, Philipp Dunkel <p.dunkel AT cacert.org <mailto:p.dunkel AT cacert.org>> wrote:I think that sub-roots are the best way.
I think you hit the nail on the head when you talked about an
employee "contracting themselves in the line of duty". That is a
key issue.
For that reason I want to propose the following change to the
OA-Policy:
The organisation is the entity in contract with CAcert. As such
the organisation is responsible for all certificate use and the
safe-keeping of private keys. All the duties that apply to
individual members under CCA have to be kept up by organisations
as well. So it's like the Organisation IS the member.
@Sam: Do you understand what I mean (at 4:40 in the morning)? Can
you try to rephrase that idea in a way that makes sense in the OA
policy so we can have a votable proposal for this?
I've been working on kicking off a separate OA thread so as not to risk derailing this discussion but this is certainly one of the things to be addressed; aligning ourselves with reality and hopefully giving users a path to becoming fully fledged members without forcing it on them (which is a non-starter in an organisational environment). It also strays over to the previous decision about organisations not being assurers, but that still essentially holds. I still worry about diluting the value of CAcert by issuing certs (with CAcert as the issuer) which our members have not 'directly' verified too - sub-roots were designed for this and a small amount of additional complexity in terms of creating and storing per-org roots is justified IMO (they're just a few extra fields in a database or some extra files after all).
The organisation is the-man-in-the-middle. CAcert issues to the organisation, the organisation to it's employee's/servers.
Anyway, more on that later.
FWIW I don't think 'evaluated' is appropriate in this context; it's derived from the word 'value' in terms of assigning a value to something. Verified is both appropriate and well understood (cf mozilla policy wording which uses 'verified' extensively).
Sam
On 2008-10-16, at 04:13, Sam Johnston wrote:
On Thu, Oct 16, 2008 at 10:06 AM, Elwing
<lraderman AT elwing.org
<mailto:lraderman AT elwing.org>>
wrote:
>
> Putting the Org Assurance Officer hat on for a second,
we've just
> blown the program out of the water. That's OK because it
was broken,
> but we don't want to bite the early adopters too hard.
Emails are
> always verified so they can be included and org info is
verified too
> so it can go in, but to get names in their certs they will
need to
> use the standard assurance program for now (eg org admins
or other
> assurers verify IDs and apply 50 points). The reality is that
> organisations need to be able to put names in certs en
masse, and
> there isn't really any decent options short of running your
own CA
> and paying 6 figures for a CA cert. Again I think we should
leave
> the door open with something like the 'verified by issuer'
wording
> previously discussed.
I see nothing wrong with requiring org members to be Assured by
someone within their company (using Assured in the CA Cert
Assurer
sense) - heck, it could be the HR people that verify ID and
other work
documents. It just becomes part of the onboarding process
for those
Orgs. Yes, any initial en masse issuance will require
special steps,
but it would anyway - since someone has to tell these workers
that
they've got to go sign up for a CACert.org account.
It's a satisfactory interim measure but there are some problems
with it, such as requiring individuals to contract themselves 'in
the line of duty'. There is typically diminished personal
responsibility when acting as an employee so we really need to
get a (legal) handle on the organisation itself and consider the
admins agents of that organisation. It also raises some privacy
issues (eg data collection and storage by individuals within the
organisation) and perhaps most importantly, it just doesn't scale.
Again, we just have to say what we do and do what we say so it's
ok to give orgs what they've been missing out on for all these
years, but we need to be a bit more careful about how we go about
it than we have been thus far.
Sam
_______________________________________________
Have you passed the Assurer Challenge yet?
http://wiki.cacert.org/wiki/AssurerChallenge
CAcert-Policy mailing list
CAcert-Policy AT lists.cacert.org
<mailto:CAcert-Policy AT lists.cacert.org>
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
---
Philipp Dunkel
p.dunkel AT cacert.org
<mailto:p.dunkel AT cacert.org>
---
Your reality and mine may not entirely coincide. Therefore you may
not rely on this message meaning what you believe it means. ---
_______________________________________________
Have you passed the Assurer Challenge yet?
http://wiki.cacert.org/wiki/AssurerChallenge
CAcert-Policy mailing list
CAcert-Policy AT lists.cacert.org
<mailto:CAcert-Policy AT lists.cacert.org>
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
------------------------------------------------------------------------
_______________________________________________
Have you passed the Assurer Challenge yet?
http://wiki.cacert.org/wiki/AssurerChallenge
CAcert-Policy mailing list
CAcert-Policy AT lists.cacert.org
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes 21 October 12pm UTC, Philipp Dunkel, 10/15/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes 21 October 12pm UTC, Elwing, 10/15/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes 21 October 12pm UTC, maurice Kellenaers, 10/18/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Lambert Hofstra, 10/15/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Elwing, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Philipp Dunkel, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Philipp Dunkel, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Philipp Dunkel, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, samj, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/20/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/20/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Philipp Dunkel, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Philipp Dunkel, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, maurice Kellenaers, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Elwing, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes21 October 12pm UTC, Sam Johnston, 10/16/2008
- Re: [CAcert-Policy] CPS bugs. Vote please. Colosing date of votes 21 October 12pm UTC, Elwing, 10/15/2008
Archive powered by MHonArc 2.6.16.