Policy-Discussion

[Eva Stöwe <eva.stoewe AT cacert.org>]

> 3.3 is OK with the policy solution *provided* that a policy is "in
> place" - I have issues and concerns if it is left undefined - including
> that it may well be problematic with various countries legislation on
> unfair contracts (many countries require it to be clear how a contract
> may be terminated.) As a first pass, why not (at least for the time
> being) define the termination policy as "Only an arbitrator may
> terminate this agreement" and return to it later.

because it is not possible for the case of death, arbitration requires
us to define something else here....

> 2.5a discussions also focussed in on sharing of accounts - with a fairly
> even split between "should not" (and making the consequences clear) and
> "must not"! NB Account <> Keys.

The consequences for the member are clear: up to 1000€.

The consequences for everybody else if keys are shared are unpredictable
and can reach quite far, we cannot define this.

There is absolutely no reason to do a "should not" instead of a "must
not" because it does not help anything. Either a "must not" (with the
last sentence of 2.5 in place) or nothing, since "we think it is a bad
idea" just does not change anything and is worse than leaving it out.

There is also no reason for sharing of an account (assisting someone
with the access for example because of medical reasons is not sharing!).
It would contradict the ideas of our accounts, the definition of a
member in CCA and the idea of AP. It also contradicts our privacy and
security ideas of not sharing personal information (in the case of
assurances) and to keep precautions that someone else can impersonate
oneself.

Accounts do not cost anything, one even can have multiple ones for
different contexts or whatever.

> 2.5b Various countries - certainly including UK and US (and I think AU)
> have legislation in place that can enforce surrender of keys allegedly
> for anti-organised crime and anti-terrorism reasons in their
> legislation. Given this, *I'd prefer not to add such a clause*, although
> I could "live with it under protest". If such a clause is put in place,
> I'd suggest that this perhaps needs to be considered, and that direction
> be given to clarify what action a member of the community should take it
> it did. I also think we would be on "dodgy ground" if such legislation
> applies to NSW-AU as we take that as our "governing law"!

Those laws are part of the reason why people not living there (and
probably also people living there) come to CAcert for certificates,
because it is one of the few CAs not based in the USA so that such laws
are not the basis of the CA. And our RA is spread out so that it cannot
be affected as easily by such laws.

If this would really be an issue we may even have to consider to move
away from NSW-AU law because of ideas like:

SP 9.1.6.

"Security

It is the responsibility of all individuals to observe and report on
security issues. All of CAcert observes all where possible. It is the
responsibility of each individual to resolve issues satisfactorily, or
to ensure that they are reported fully."

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe
CAcert Assurer
CAcert Case Manager & Arbitrator
CAcert.org - Free Certificates
E-Mail: 
eva.stoewe AT cacert.org

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature