Subject: Policy-Discussion
- From: Ian G <iang AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: [website form email]: Accreditation by other Certificate Root
- Date: Wed, 21 Oct 2009 18:00:54 +0200
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
On 21/10/2009 15:58, Faramir wrote:
...We have talked about extending the "TVerify" Policy, or perhaps more
properly, a "Third Party Certificate" Policy, to include either
different policies for various CAs or perhaps a list of CAs that can
Right. Just to add to that; it is not out of the question that we rely
on the results of other CAs without an agreement and without an audit.
For years we have been doing exactly that with passports, etc, issued by
various government "CAs" a.k.a. passport issuing offices. We haven't
got an agreement with them nor have we audited them.
As an example of possible usages of that "other CA verify": in my
country, the law about digital signatures talks about 2 different
signatures: "simple electronic signature", which can be anything that
allows to identify the sender's identity (it says it can be a sound, an
image, etc. but I think the only practical implementation is something
like PGP, or digital certificates), and "advanced electronic
signatures", which mean a digital certificate from an accredited CA.
Ah, I didn't know that! Possibly we would need to compare and contrast, but at first look, this looks like the EU eSigning model (although the terms are a bit reversed :)
* "advanced digital signature" is anything with a signature and a name, more or less. So PGP, but also maybe "iang" at the bottom.
* "qualified certificate" is the regime whereby CAs as registered with the government department issue certificates that can create signatures that are approved to be "accepted as equivalent to a hand-written signature."
CAcert is in the first category.
CA's are accredited by the minister of economy, and the list is very
short. I think it also requires enhanced security measures, like the
certificates stored in encrypted tokens. It is the only kind of
signature valid to be used in "public documents", and has legal value of
"full proof" (I hope I'm translating it right, I'm not familiar with
legal terms).
I think CAcert can trust without any doubt these "accredited CA's",
but I am NOT proposing CAcert should trust them... this is just an example.
Nod.
By the way, if I understood Chilean law right, even signatures from
self signed certificates can be considered as valid as handwritten
signatures, if the court decides so. But certainly, I can have
understood it wrong.
Yes. This is one of those widely misunderstood things about signatures. The fundamental question isn't about the mark or the digsig or the tech or the smarts... it is about
*whether the person agreed*
And the sig is "just" a secondary indicator of that. Consequently a court can decide that a person did not agree, even if the signature is clearly correct. And that the person did agree, even if the signature is bad.
This question of "whether the person agreed" is commonly mistaken for "is the signature good" and also "did the person sign." These latter two are not the essential questions, just pointers to the essential question.
iang