Policy-Discussion

[Brian McCullough <bdmc AT bdmcc-us.com>]

On Thu, Oct 15, 2009 at 07:40:31PM +0200, J. Steijlen wrote:
> I should have added a smiley there then.
> 
> But Cédric has a government issued certificate, not a Thawte.
> Can he still use it? (Your reply focuses a tad heavy on Thawte
> certificates.)


Sorry.  I missed that, since you started out talking about TVerify.  

We have talked about extending the "TVerify" Policy, or perhaps more 
properly, a "Third Party Certificate" Policy, to include either different 
policies for various CAs or perhaps a list of CAs that can be treated in the 
same manner.  The discussion tends to revolve around the question, and this 
came up first for Thawte ( Verisign ) themselves, of how much does the CA 
validate and verify their customer, and then, how much we can depend on that 
validation.  Not being able to enter into "cross-validation" agreements with 
most of these entities causes us to have to ask how much we "trust" others in 
general, and how much faith we can place in their processes without being 
able to include those processes in our own Audit.

Ultimately, we have to depend on our own Policies and Practices, and so, the 
Assurances that CAcert Assurers make have the most weight.  On the other 
hand, if someone is in a place that has not yet acquired enough CAcert 
Assurers to make Face-To-Face meetings practical, this might provide a way of 
"seeding" that area.

Until the 16th, the TVerify process might be a way to acquire a pool of new 
Assurers who may have some knowledge of the general principles of a Web of 
Trust and such Assurances and be willing to become properly trained CAcert 
Assurers.


Brian


P.S. I have added Ian G. to this message, although he is likely to have seen 
it in the Policy List.

B-)