Subject: Policy-Discussion
- From: Sam Johnston <samj AT samj.net>
- To: Policy-Discussion <cacert-policy AT lists.cacert.org>
- Subject: Re: [CAcert-Policy] TTP or remote or similar
- Date: Wed, 11 Feb 2009 16:54:37 +0100
- List-archive: <https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
On Wed, Feb 11, 2009 at 4:15 PM, Teus Hagen <teus AT theunis.org> wrote:
You will find in the CAcert policies doc svn tree two proposals:
1. http://svn.cacert.org/CAcert/Policies/RemoteAssurancePolicy.html
which proposal is about getting full assurers (formally 150
points) via 2 Trusted Third Party identity checks. Effect: high
assurance points.
2. http://svn.cacert.org/CAcert/Policies/RemoteVerificationPolicy.html
which proposal is based on Pete's proposal and is about getting
assured Members with name verified by Trusted Third Party under
supervision of an Assurer (for CCA agreement reasons). Effect:
signed CCA and maintain "WoT".
Why, given our extremely limited resources, are we reinventing the wheel? I spent a *lot* of time working on the RAP at the start of last year and it seems it is largely similar to the RVP which popped up months later. The latter doesn't even render in either of my browsers because of some XML error but if I remember well it was based on the former, only rather than specifically tackling the problem of assurer deserts (that is, having a strong process for bootstrapping new territories) it provides a mechanism to bypass the WoT en-masse... something we had hoped to avoid if I remember well.
I'm going to abstain from the decision anyway, if only because if the recent OA discussion is any indication you'll press on with whatever you want anyway, but I will say that relying on other commercial IdPs and CAs en-masse and then extending this with a WoT makes us *less* secure than them, not more.
Sam
Details and reasoning for proposal of Remote Verification Policy:
* Remote verification gives 10 points extra above what Assurer
maximal allocates: so range is 20-45 assurance points. Assurer
gains 2 experience points.
* Procedure dictates: max assurance points remain below 50 points
(max of policy) and at least two assurances (remote or
face-2-face) for name on cert (dictated by assurance policy).
* At least three assurances to get 100 assurance points.
* No time constraint (eg 2 TTP's within a month).
* Mixture of face-2-face and remote verification is possible.
* Verification of name (for individual the identity) is separated
from CAcert part (CCA and implications).
* TTP is supervised by the assurer, so assurer controls the TTP
(more scalable, local knowledge of assurer is used).
* In the proposed verification policy there is not much difference
between individual and organisation name verification (different
type of TTP however).
Examples:
* Using face-2-face with low experienced Assurer John I get 10
points, using verification via experienced Assurer Mary and TTP
notary sir McKie I get 45 assurance points: total is 55 assurance
points.
* Using two remote verifications via experienced assurers (who do
not need to know the "foreign" ID) I get 90 points. One extra
assurance and I reach 100 assurance points.
* Using Org Assurer Peter and a local commercial trade registrar say
CVR Peter knows which can be of help and the organisation gets
assured to 45 assurance points, one extra OA assurance and the
name is on the cert.
So far there have been three policy email list members in favor of the
Verification Policy concept. Still the amount is not much....
How to proceed:
If you have remarks about spelling, style, small re-arrangements in
text, etc. please put them in the svn document. There is no need to
discuss them....
If things need to be cleared up, say so.
If you have comments, Ayes, Nayes please provide them, so conclusions on
acceptance of text parts and feasibility of one of the proposals can be
drawn, or even on text parts.
If you have improvements of text provide them clearly: old text and the
alternative.
Only with feedback from you we are able to proceed.
Try to be concise in order not to delay this too much anymore.
teus