Subject: Policy-Discussion
List archive
- From: Teus Hagen <teus AT theunis.org>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] TTP or remote or similar
- Date: Wed, 11 Feb 2009 16:15:31 +0100
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
- Openpgp: id=85796A23
Some history (and please add the email exchange about WiP proposal
Remote Verificateion Policy of Pete Stephenson of 12th July 2008 as well).
The reply below is to update you on this Trusted Third Party and lengthy
discussions last year. Skip it if there is no need for the update.
On 01/19/2009 02:44 PM, Teus Hagen wrote:
> ...
> Before the restart of this thread the latest emails on this topic was
> from me:
> initiated on 07/04/2008 and rephrased on 08/14/2008 (will attach this
> email taken from my archive on this subject) in order to try to get some
> agreement on the concept of remote assurance (RA) (directed to have
> Remote Assurances via Trusted Third Parties; goal to get someone assured
> living in assurers desert land; note that this need showed up) and TTP
> (directed to have an individual to full assurer level via Trusted Third
> Party; goal to get full assurers in assurers desert land; the new
> proposed name for this was RAP with a proposal).
>
> In August 2008 there was support for the RA concept (needs to be written
> out) only by two persons. For the other only one. But for both the
> interest was far too low to be able to make any conclusion. So there was
> little motivation for me to work out the concepts into a full detailed
> policy text.
> ....
>
> The RA/TTP proposal has never been voted upon so is not in Draft at all.
> I think it is better first to decide what route we should take: RA or
> RAP/TTP (or both? really needed?).
>
> teus
>
> ....
You will find in the CAcert policies doc svn tree two proposals:
1. http://svn.cacert.org/CAcert/Policies/RemoteAssurancePolicy.html
which proposal is about getting full assurers (formally 150
points) via 2 Trusted Third Party identity checks. Effect: high
assurance points.
2. http://svn.cacert.org/CAcert/Policies/RemoteVerificationPolicy.html
which proposal is based on Pete's proposal and is about getting
assured Members with name verified by Trusted Third Party under
supervision of an Assurer (for CCA agreement reasons). Effect:
signed CCA and maintain "WoT".
Details and reasoning for proposal of Remote Verification Policy:
* Remote verification gives 10 points extra above what Assurer
maximal allocates: so range is 20-45 assurance points. Assurer
gains 2 experience points.
* Procedure dictates: max assurance points remain below 50 points
(max of policy) and at least two assurances (remote or
face-2-face) for name on cert (dictated by assurance policy).
* At least three assurance to get 100 assurance points.
* No time constraint (eg 2 TTP's within a month).
* Mixture of face-2-face and remote verification is possible.
* Verification of name (for individual the identity) is separated
from CAcert part (CCA and implications).
* TTP is supervised by the assurer, so assurer controls the TTP
(more scalable, local knowledge of assurer is used).
* In the proposed verification policy there is not much difference
between individual and organisation name verification (different
type of TTP however).
Examples:
* Using face-2-face with low experienced Assurer John I get 10
points, using verification via experienced Assurer Mary and TTP
notary sir McKie I get 45 assurance points: total is 55 assurance
points.
* Using two remote verifications via experienced assurers (who do
not need to know the "foreign" ID) I get 90 points. One extra
assurance and I reach 100 assurance points.
* Using Org Assurer Peter and a local commercial trade registrar say
CVR Peter knows which can be of help and the organisation gets
assured to 45 assurance points, one extra OA assurance and the
name is on the cert.
So far there has been three policy email list members in favor of the
Verification Policy concept. Still the amount is not much....
How to proceed:
If you have remarks about spelling, style, small re-arrangements in
text, etc. please put them in the svn document.There is no need to
discuss them....
If things need to be cleared up, say so.
If you have comments, Ayes, Nayes please provide them, so conclusions on
acceptance of text parts and feasibility of one of the proposals can be
drawn, or even on text parts.
If you have improvements of text provide them clear: old text and the
alternative.
Only with feedback from you we are able to proceed.
Try to be consice in order not to delay this too much anymore.
teus
- Re: [CAcert-Policy] TTP or remote or similar, Teus Hagen, 02/11/2009
- Re: [CAcert-Policy] TTP or remote or similar, Sam Johnston, 02/11/2009
Archive powered by MHonArc 2.6.16.