- From: Benedikt Heintel <benedikt AT cacert.org>
- To: cacert-policy AT lists.cacert.org
- Subject: Re: CCA: open points / comments 2.5
- Date: Tue, 27 May 2014 23:39:40 +0200
Dear Alex,
Can we agree that you are okay with the concept of not sharing keys
but not okay with not sharing accounts?
I see a majority here that agrees on not sharing accounts and keys
(2.3.5 and 2.5.3/2.5.4).[1]
"Not sharing" of course refers to voluntary sharing. I do not see a forced
(by force or law) revelation of credentials as sharing. This is the
reason I oppose the change in 2.5.4.
Regards,
Benedikt
[1] Personally, I would not add "and not share" in 2.5.3, because the
clause is about Security.
On 27.05.2014 22:05, Alex Robertson wrote:
> Quick response....
>
> Account <> keys
>
> As far as I am aware, you cannot get the keys from an account - you can
> get new certificates but they would normally have their own keys
> generated by whatever cryptographic algorithm
>
> Keys are a separate issue and may need separate rules.
>
> The clause in 2.5 was specifically about "Account Sharing"
>
> Regards
>
> Alex
>
>
> On 27/05/2014 20:49, Eva Stöwe wrote:
>> Dear Alex, dear List,
>>
>>>>>> 2.5b Various countries - certainly including UK and US (and I
>>>>>> think AU)
>>>>>> have legislation in place that can enforce surrender of keys
>>>>>> allegedly
>>>>>> for anti-organised crime and anti-terrorism reasons in their
>>>>>> legislation. Given this, *I'd prefer not to add such a clause*,
>> here is another approach for 2.5:
>>
>> There are a lot of countries - including probably US and UK - that try
>> to prevent business secrets of "their" companies from being stolen so that
>> business rivals could profit from them.
>>
>> There are a lot of countries - including US and UK - that forbid
>> employees of the state from sharing secrets they learned during that
>> employment. (For US think about Manning or Snowden.) At least I had to
>> swear an oath not to share some kind of information with outsiders and it
>> was only a student job at the university.
>>
>> My country - and probably every other country - would not accept any
>> other country just stating that they have a right to learn said secrets
>> and that one has to provide everything with which one protects those
>> secrets. If I shared those secrets I would be legally responsible
>> before local courts - (a false oath is worth at least 1 year in jail in
>> Germany - I'm not sure if this would apply in this context but there are
>> other laws for employees of the state as well that speak about jail).
>>
>> Now for another gedankenexperiment. Consider you have a big company that
>> issues some certificates to their employees with which those employees
>> should communicate to keep the business secrets secure. Then you learn
>> that one of your employees has shared his key with an employee of a
>> rival and the rival beats you in a competition and you lose big amounts
>> of money because the rival knew what you planned and where your weak
>> points were. I think you would sack said employee and you would sue him
>> for this. You probably would win this case, even if the employee defends
>> herself saying that she was told to do so or that she even had to do so
>> by the rival.
>>
>> So even if one country declares that one has to share everything with
>> them, this will be illegal everywhere else and following this can lead
>> to quite harsh legal issues everywhere else.
>>
>> Sharing keys and by this secrets (even "unimportant" details can make a
>> big difference) is banned more or less in every context and one has to
>> expect harsh punishment for it.
>>
>> Why should it be different within CAcert? Why should we state that we
>> allow doing so - by only saying "should not"?
>>
>> If a "must not" were unfair and not sensible in any given situation
>> there is arbitration to help. As people love to have it for more or less
>> everything else.
>
>
--
Benedikt Heintel -
benedikt AT cacert.org
CAcert Assurer for People & Organizations
CAcert internal Auditor
CAcert.org - Secure Together
http://www.cacert.org