
cacert-policy - Re: CCA: open points / comments 2.5

Subject: Policy-Discussion

  • From: Eva Stöwe <estoewe AT cacert.org>
  • To: cacert-policy AT lists.cacert.org
  • Subject: Re: CCA: open points / comments 2.5
  • Date: Tue, 27 May 2014 21:49:37 +0200
  • Organization: CAcert.org

Dear Alex, dear List,

>>>> 2.5b Various countries - certainly including UK and US (and I think AU)
>>>> have legislation in place that can enforce surrender of keys allegedly
>>>> for anti-organised crime and anti-terrorism reasons in their
>>>> legislation. Given this, *I'd prefer not to add such a clause*,

here is another approach for 2.5:

There are a lot of countries - including probably US and UK - that try
to avoid that business secrets of "their" companies are stolen so that
business rivals could profit from them.

There are a lot of countries that forbid - including US and UK -
employees of the state to share secrets they learned during that
employment. (For US think about Manning or Snowden.) At least I had to
swear an oath to not share some kind of information to outsiders and it
was only a student job at the university.

My country - and probably every other country - would not accept any
other country to just state that they have a right to learn said secrets
and that one has to provide everything with which one protects those
secrets. If I would share those secrets I would be legally responsible
before local courts - (a false oath is worth at least 1 year in jail in
Germany - I'm not sure if this would apply in this context but there are
other laws for employees of the state as well that speak about jail).

Now for another gedankenexperiment. Consider you have a big company who
issues some certificates to their employees with which those employees
should communicate to keep the business secrets secure. Then you learn
that one of your employees has shared his key with an employee of a
rival and the rival beats you in a competition and you lose big numbers
of money because the rival knew what you planned and where your weak
points were. I think you would sack said employee and you would sue him
for this. You probably would win this case, even if the employee defends
herself saying that she was told to do so or that she even had to do so
by the rival.

So even if one country declares that one has to share everything with
them, this will be illegal everywhere else and following this can lead
to quite harsh legal issues everywhere else.

Sharing keys and by this secrets (even "unimportant" details can make a
big difference) is banned more or less in every context and one has to
expect harsh punishment for it.

Why should it be different within CAcert? Why should we state that we
allow to do so - with only saying "should not"?

If a "must not" would be unfair and unsensible in any given situation
there is arbitration to help. As people love to have it for more or less
everything else.

--
mit freundlichen Grüßen / best regards
Eva Stöwe
CAcert Assurer
CAcert Arbitrator & Case Manager
CAcert.org - Free Certificates
E-Mail:
estoewe AT cacert.org

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



