Policy-Discussion

[Pieter van Emmerik <pemmerik AT home.nl>]

I am not clear on something.
Is it the idea that it should be possible that any employee of an 
organisation that has been assured can be acting as an assurer
without being assured personally and without doing the assurer challange?

I think that any assurer should have been assured personally (for the 
full 100 points) and should have completed the
assurers challenge.
An act like an assurance should be traceble to an actial person who has 
been positively identified and not to an
abstract entety like an organisation or a non verified person.
What I can live with is that the liability is not with the individual 
assurer but with the company in which employment
he performed a problematic assurance.

Maybe it is also a good thing to verify an assurer by checking on his 
Assurer Challenge Assurance Number,
type in the number and get back the name of the assurer that matches the 
number, like you can do with
for example Red Hat Certified Engineer/Technician certificate numbers.
> Date: Thu, 12 Feb 2009 18:11:10 +0100
> From: Sam Johnston 
> <samj AT samj.net>
> Subject: Re: [CAcert-Policy] Org Assurance make it now WoT Org
>         Assurances      New WiP initiated for OAP
> To: Policy-Discussion 
> <cacert-policy AT lists.cacert.org>
> Message-ID:
>         
> <21606dcf0902120911t4a351436q8ade63bc7d5aedb1 AT mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> On Thu, Feb 12, 2009 at 5:55 PM, Bernhard Froehlich 
> <ted AT convey.de>
>  wrote:
>
>   
> >   * IMHO Assurances should be made by people, not by organisations.
> >     Otherwise the org could name its own Assurers. CAcert would
> >     probably be able to insist on rules for appointing Assurers, but
> >     what would be gained if orgs would only be allowed to select
> >     Assurers who fulfill all Assurer requirements of CAcert?
> >
> >     
>
> This same conflict of interest exists for friends, family members, etc. and
> could easily be resolved across the board by forbidding assurance e.g. where
> a personal, family, employee, contractor etc. relationship exists.
>
> The gain is that assurers can do assurances as a function of their
> employment, which is more natural than trying to create personal liability
> where there almost always is none. It is more professional and should result
> in the creation of a network of assurance points, thus making it far easier
> for users to secure themselves (no need to organise times, places, etc. -
> just rock up between 9 and 5 and get it all done in one go). Plus it's still
> more secure than commercial CA's because it's all done in person.
>
> Sam
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy/attachments/20090212/6b82c5f1/attachment-0001.htm 
>
> ------------------------------
>
>   
Pieter van Emmerik
CAcert assurer 000419

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature