
cacert-policy - Re: collection of current proposals for CCA: 2.5

Subject: Policy-Discussion

Re: collection of current proposals for CCA: 2.5


  • From: Grégoire Sandré <gregoire.sandre AT free.fr>
  • To: <cacert-policy AT lists.cacert.org>
  • Subject: Re: collection of current proposals for CCA: 2.5
  • Date: Wed, 14 May 2014 01:13:39 +0200

Dear Eva,

>"2.5 Security
>
>CAcert exists to help you to secure yourself. You are primarily responsible
>for your own security. Your security obligations include
>1. to secure yourself and your computing platform (e.g., PC),
>2. to keep your email account in good working order,
>3. to secure and not share your CAcert account (e.g., credentials such as
>username, password),
>4. to secure your private keys,
>_ensuring_attributability_to_their_intended_context,
>5. to review certificates for accuracy, and
>6. when in doubt, notify CAcert,
>7. when in doubt, take other reasonable actions, such as revoking
>certificates, changing account credentials, and/or generating new keys.
>
>Where, above, 'secure' means to protect to a reasonable degree, in
>proportion with your risks and the risks of others."

I can only support what I understand as (4), the addition of care for
non-repudiation and accountability in this security part. If I was able to do
it, I would reword it as this phrase did not sound to me as clear as other
parts of the CCA, but I did not find better.

I propose to append something about requiring to take reasonable actions to
not threaten the security of CAcert assets. I could have missed it, but did not
find it in the CCA. As a base I propose,

"Your security obligations also include taking reasonable actions to not
increase threat level on means provided by CAcert."

Regards.

Grégoire.

Attachment: smime.p7s
Description: S/MIME cryptographic signature



