Policy-Discussion

[Teus Hagen <teus AT theunis.org>]

Question: can an assured organisation (so any employee of that
organisation with the task: do assurances)  do CAcert assurances?

In general when the word "assurer" or "assurances" are used, generally
this is meant in the context of "*individual* assurances".
For this there is the individual assurance policy (Assurance Policy and
Assurance Manual and Assurance Challenge) in place. Even the CAcert
Community Agreement is originally discussed with "individual
members/assurance" in mind.

One can write in some policy paragraphs to enable assured organisation
to do CAcert assurances (individual and organisation), ie an Assurer can
be an organisation.
There are quite some good arguments for doing so. Sam mentioned several.
However the control of assurances done by organisations is imo more
complex as well CAcert needs to define quite some "policies" or
practical rules for this. Ie quite some work.

My suggestion is to stay for this moment to the current situation: an
Assurer is an *individual* Community Member who has at least 100
Assurance Points and has passed the Assurer Challenge.

teus

On 02/14/2009 09:22 PM, Pieter van Emmerik wrote:
> I am not clear on something.
> Is it the idea that it should be possible that any employee of an
> organisation that has been assured can be acting as an assurer
> without being assured personally and without doing the assurer challange?
>
> I think that any assurer should have been assured personally (for the
> full 100 points) and should have completed the
> assurers challenge.
> An act like an assurance should be traceble to an actial person who
> has been positively identified and not to an
> abstract entety like an organisation or a non verified person.
> What I can live with is that the liability is not with the individual
> assurer but with the company in which employment
> he performed a problematic assurance.
>
> Maybe it is also a good thing to verify an assurer by checking on his
> Assurer Challenge Assurance Number,
> type in the number and get back the name of the assurer that matches
> the number, like you can do with
> for example Red Hat Certified Engineer/Technician certificate numbers.
>> Date: Thu, 12 Feb 2009 18:11:10 +0100
>> From: Sam Johnston 
>> <samj AT samj.net>
>> Subject: Re: [CAcert-Policy] Org Assurance make it now WoT Org
>>     Assurances    New WiP initiated for OAP
>> To: Policy-Discussion 
>> <cacert-policy AT lists.cacert.org>
>> Message-ID:
>>     
>> <21606dcf0902120911t4a351436q8ade63bc7d5aedb1 AT mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> On Thu, Feb 12, 2009 at 5:55 PM, Bernhard Froehlich 
>> <ted AT convey.de>
>> wrote:
>>
>>  
>>>   * IMHO Assurances should be made by people, not by organisations.
>>>     Otherwise the org could name its own Assurers. CAcert would
>>>     probably be able to insist on rules for appointing Assurers, but
>>>     what would be gained if orgs would only be allowed to select
>>>     Assurers who fulfill all Assurer requirements of CAcert?
>>>
>>>     
>>
>> This same conflict of interest exists for friends, family members,
>> etc. and
>> could easily be resolved across the board by forbidding assurance
>> e.g. where
>> a personal, family, employee, contractor etc. relationship exists.
>>
>> The gain is that assurers can do assurances as a function of their
>> employment, which is more natural than trying to create personal
>> liability
>> where there almost always is none. It is more professional and should
>> result
>> in the creation of a network of assurance points, thus making it far
>> easier
>> for users to secure themselves (no need to organise times, places,
>> etc. -
>> just rock up between 9 and 5 and get it all done in one go). Plus
>> it's still
>> more secure than commercial CA's because it's all done in person.
>>
>> Sam
>> -------------- next part --------------
>> An HTML attachment was scrubbed...
>> URL:
>> https://lists.cacert.org/cgi-bin/mailman/private/cacert-policy/attachments/20090212/6b82c5f1/attachment-0001.htm
>>
>> ------------------------------
>>
>>   
> Pieter van Emmerik
> CAcert assurer 000419
> ------------------------------------------------------------------------
>
> _______________________________________________
> Have you passed the Assurer Challenge yet?
> http://wiki.cacert.org/wiki/AssurerChallenge
>
> CAcert-Policy mailing list
> CAcert-Policy AT lists.cacert.org
> https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy
>