Policy-Discussion

[Sam Johnston <samj AT samj.net>]

Going back to basics, organisations need certificates:

• for technical use in ensuring confidentiality/integrity
• to associate their legal entity with others (eg employees, officials, contractors, suppliers like accountants, etc.), presumably so they can act on their behalf (eg accountant submitting tax return on behalf of org)
• to identify individuals by name

The last point is a very distant third as the organisation can always resolve the certificate back to the subject it was issued to (even if others can't).

This needs to work on a large scale, e.g. by uploading HR databases (which are notorious for being corrupt or at least, corruptable) or by 'blessing' entire domains for self-provisioning.

Delivering all three on a large scale means applying policies to the HR database with a view to bringing it into line with reality (i.e. introducing an ID check where there may currently be none) and then ideally issuing certificates with the organisation rather than CAcert as the issuer (see previous discussions about managed sub-roots etc.).

Alternatively you just detach the assurance component altogether, dispense with the OrgAdmin hurdles (100 points, CATS, etc.) and take the 'teeth' out of OA by forbidding them from assuring individuals altogether, rather just create associations to them via 'blessed' domains and/or email addresses. When someone successfully completes a probe with a 'blessed' email they will be given the option to include the organisation name in the certificate. If they want names as well they can follow the usual processes.

The point is that if orgs are capable enough to assure their own people en-masse then why not allow them to assure others too?

Sam

On Mon, Feb 23, 2009 at 2:59 PM, Teus Hagen <teus AT theunis.org> wrote:

On 02/20/2009 07:10 PM, Sam Johnston wrote:
> Actually this doesn't very well represent my suggestion in that I
> never suggested that *any* employee should be able to do assurances,
> rather only the OrgAdmins who already have 100 points and who have
> done the CATS.

....

       teus wrote and Ted ack'd it:

       My suggestion is to stay for this moment to the current
       situation: an
       Assurer is an *individual* Community Member who has at least 100
       Assurance Points and has passed the Assurer Challenge.

   ....

This is there to avoid that we get for the moment discussions about the
semantics of: an Organisation is a CAcert Community Member so as such
the organisation can do assurances when the organisation has more as 100
assurance points.... (the (only) discrimination factor between
"individual" and "organisation Members).

>
> They are already assuring employees of the organisation en-masse in
> the name of the organisation (since that's the way it works when
> you're an employee - virtually everything you do is on behalf of your
> employer) so the suggestion was

I have some trouble to understand what Sam is trying to say here:

> to allow the organisation to similarly bless members of the general
> public with assurance points.

The O-Admin as Assurer can assure (verify ID and ack the CAcert Comm.
Agreement mark) of an individual (one out of the general public) and
provide assurance points...
or
Some person in the organisation does the face-2-face ID check (e.g. it
is his job within the organisation as eg human resource department?) and
the O-Admin does the CCA mark/form as Assurer. All together a Trusted
Third Part Verification Programme act ( :-) ) ?

For me it is not clear what you want to suggest.


teus
>
> Sam

>
_______________________________________________
Have you passed the Assurer Challenge yet?
http://wiki.cacert.org/wiki/AssurerChallenge

CAcert-Policy mailing list
CAcert-Policy AT lists.cacert.org
https://lists.cacert.org/cgi-bin/mailman/listinfo/cacert-policy