- From: Ian G <iang AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: Board inquisition of Multi-member escrow
- Date: Wed, 24 Mar 2010 15:30:21 +1100
Hi Dieter,
I'd have to agree with Mark's remarks here.
On 24/03/2010 13:30, Dieter Hennig wrote:
> Dear Mark,
> Mark Lipscombe wrote on 24.03.2010 01:52:
> > On 3/24/2010 11:47 AM, Andreas Bürki wrote:
> > > Thoughts at random:
> > > * Why is the multi-member approach not more focused on organizations?
> > > * CAcert ORGA-assured organizations are CAcert members as well
> > > * Organizations will probably "live" longer than a human member
> > > * Organizations very often have something to lose, at least
> > > their reputation.
> > > * Organizations very often have the physical infrastructure
> > > to protect root keys
> > > And, yes of course, such organizations could be well-known and serious
> > > universities, which are members of CAcert
> > In amongst this though is the fact that organisations are not real
> > people. They can't lock or unlock a safe, they can't remember a
> > passphrase and they are subject to morphing over time with different
> > motives. For an organisation to do something, it must use real people,
> > and then we have an additional layer that disconnects us from those real
> > people.
> > In reality, people usually outlive all but the biggest organisations.
> Not for me. ETH is more than 150 years old, I'm not. You? I would
> really guess that your "usually" is absolutely wrong (sorry, if you
> prefer exit 1), and if you were 150 years old, you would also pray
> to be wrong too.
Well, he's talking about the average; most organisations don't last that long, and are often reformed in ways that humans don't have to suffer. E.g., does anyone know what Nokia started out doing? This gets played out in the CA world quite frequently when one CA is using the root it bought from a bankrupt CA...
Of course there is the "long tail" of long-lived organisations. If age is the criterion, then let's ask the Vatican.
> > There is also still the problem of making a long stretch to define "CA
> > personnel" to mean CAcert member.
> No again, please consider:
> a.) organisation-member means that for the University of Zurich the
> Rektor makes the decision; for the ETH the Vice-president was doing it.
> This is the highest level you can reach for scientific problems here, if
> you are not following living Nobel prize winners directly.
There seems to be a mismatch here. The original thread started out by talking about "any organisation who is Orga-assured." Now it is migrating to a specific org, about ETH. Different things, really.
Now, it could be that we could write some policy as to how to place various of the roles in the hands of Orgs. But that would have to be done ... and it would need a fair bit of thinking. For example, if we started from scratch, we might take ETH as a starting point, and then look around for more qualifications.
That would be the process of narrowing "any Org" down to "specific Orgs." So for example, we might end up with a list of 10 orgs which we consider possibilities: ETH, NSA, Vatican, Bank of England, etc etc, all long-lived and good at security & secrecy.
The current posture however (backed by some discussions in the past, e.g., whether an Org can be an Assurer) is that the roles are all Natural Persons. Hence, not Orgs.
> b.) we have a "Sicherheitsabteilung" (security department) which is
> independent of IT-Services. (Because we have chemistry too; today we
> believe chemistry is safe, but in the older days, ... )
> http://www.immobilien.ethz.ch/sgu/
> c.) We have "Kulturgüterschutz"
> http://www.kgs.ethz.ch/
> which is absolutely independent of IT-Services. This is really very
> special, like "Geheimes Staatsarchiv", but more important (and with
> quite a lot more money, as I know from practice) than in the other (German-
> speaking) countries. People there really do long-term archiving. And
> most important, they pay for it. They really fulfil Thomas Mann's
> decisions. No doubt about it.
> d.) If we are an org-member, all other employees could be CAcert members
> as private persons. But (good for CAcert) nobody else can act as an
> org-member for our approved domains.
On this point: our preference has been: get those people who are involved to be Assurers. Then no need to worry about the Org issue.
> e.) Please, do not overlook the interest we have: we deploy the
> CAcert root certificate to around 10.000 desktop computers; we would
> like to use CAcert as a second source for all our SSL certificates (I
> would guess 1000 of them by the end of 2010). Second source means 50%. And we
> have a long-term interest in this.
> f.) We would educate people about SSL certificates, and really, we think
> about (and do) limiting the Mozilla and MS store.
> Be fair, let us know what to do more. But please, influence your
> government too. We are all the same boat-people. We have to do our best,
> at least I try (please forgive my mistakes, I have done). It is clear, I have
> to fulfil some political boundary conditions, to speak in terms of
> differential equations. As long as this does not influence CAcert.org,
> there is no conflict of interest at all.
I'm sure that these Orgs can play a part, but I personally would be looking at the people not the Org.
iang