Policy-Discussion

[Eva Stöwe <eva.stoewe AT cacert.org>]

Dear Alex,

> I'm actually not against the general principle of "not sharing" - I'm
> perhaps rather more pragmatic about it 

"sharing an account" is handling multiple persons with one account -
they share it with each other and use it "as their own". (What you mix
this up with is "sharing the credentials of an account".)

It is something that is forbidden nearly everywhere where accounts (not
meaning bank accounts) come into play. Many times without any real
reasons but the idea of sharing accounts not being allowed is nothing
new and special to CAcert. I doubt that people who share accounts mostly
believe that the account giver allows for this - independent of the
context, because accounts are used to identify at least at some level
who is acting or whatever the account is for.

One of the main purpose of CAcert accounts is the identification of
persons - else assurances would be senseless.

I see no reason for your pragmatic view - only to have less work as an
arbitrator? You really want to waive the identifiable just because you
fear the work?

The people who share accounts probably have a feeling that it is not
allowed. (You know, that is what we learn everywhere else.) Assurer
TRUST that the accounts they assured are not shared. There is no reason
just because people do not care if they do something not allowed to
allow it. At least if it would break the whole RA part and the WoT!

> Please also note IanG's comment in the side-discussion that he would
> have written it as I did - so it may come to a "culture" difference -
> anglo v euro - one difference is that the anglo system tends to leave
> rather more leeway for judges (in our case arbitrators) to interpret

Either we want this or we do not want this. There is no reason to leave
room for interpretation. It helps everybody, if people are able to know
if they may share their account or private keys or not. And to know if
OTHER members are allowed to do so or not - so if they can trust as we
claim they could up to a level - our RA or not.

There is no room for interpretation if something is allowed or not.
However there may be special situations where something could be allowed
even if it is general forbidden (or the other way round). We have the
last sentence of 2.5 to cover this.

(In German criminal law it goes like this: It is defined what is
forbidden and everything that is NOT defined as forbidden is allowed.
["No penalty without a law." It is one of the most important parts of
our constitution.] But even if something is forbidden, there may be some
reason for authorisation or excuses that make it ok/allowed to do it
anyway. Those reasons are not defined in such detail it is a general
idea and has to be checked in every criminal case. Any judge has to look
out for them.

Civil law is less about what is allowed, it's mostly about who has the
right to do something and who is liable for something. There can be
quite complex constructs based on contracts but if there is no rule
based on a contract it's basically "if A hurts B and there is no good
reason why this should be ok in this case, A has to pay a compensation
to B."

So in both cases a good reason can rectify your actions.)

> I'd also rather not *totally* block unforeseen "legitimate" reasons for
> sharing an account - one such might be assistance to disabled members in
> the community (Unlike Eva, I see that as a level of sharing) and
> similarly accounts set up by parents for children (although these days
> it is probably more likely to be the other way round!) I know that we do
> have minors as members (we wouldn't need POJAM otherwise! :)  )

We have the last sentence of 2.5 for unforseen "legitimate" reasons".
And you are agaoin speaking about sharing of account credentials not
about sharing of an account. The account credentials are covered by
2.5.3 even at the current CCA.

>> I see a majority here, that agrees on not sharing accounts and keys
>> (2.3.5 and 2.5.3/2.5.4).[1]
> I see it as nearing that - again I raise a caution that any division
> appears to be euro v anglo so perhaps we need to take care that both
> sides are reasonably happy about the wording- CAcert still operates
> under anglo based law - which is where IanG and I both come from....

The wording is the second step. The first step is to decide what should
be covered.

>> Not sharing means of course the voluntary sharing.
> Not sharing = voluntaty sharing?? (I know what you mean though :)  )
>> I do not see a forced
>> (by force or law) revelation of credentials as sharing.
> I'd really, really like to see that made explicit somewhere - although I
> suspect Eva might see this somewhat differently...

Yes. It IS sharing. (But it may be excusable which needs to be
considered in any special case, anyway. And I am really against anything
that indicates that we think countries should be allowed to make such laws.)

Something like this is even not a new idea for CAcert. Look at SP. It
defines a lot of stuff. But also states what you have to do if you break
those rules, because you may have had good reasons before the Arbitrator.

>>   This is the
>> reason, I oppose the change in 2.5.4.
> Agree in principle - don't add excessive or unnecessary verbiage - KISS
> (Keep is short and simple) is a good thought. In practice I can take it
> "either way"

The discussion indicates that those 6 words seem to make a difference
for a lot of people. Adding 6 words does not violate the KISS principle
as much, but may save us, our members and people trusting CAcert
certificates a lot of trouble which should be worth it.

(Again - if we would not have this discussion I would agree with
Benedikt, but Alex fight shows me that the addition is needed.)

>> Regards,
>> Benedikt
>>
>> [1] Personally, I would not add "and not share" in 2.5.3, because the
>> clause is about Security.
> Agree - whatever is said should be in one place only - either would
> work, but 2.3 is probably a little more appropriate.

PLEASE stop to repeat this all the time. We all have agreed that it is a
repetition. Nobody cares if it is there as long as it is in 2.3.5. I
would even have removed this part of the proposal a long time ago, if it
would not have been supported by Benny and Benedikt. It was intended as
a here or there but both were supported.

Please keep to the open points. This is not an open point.

-- 
mit freundlichen Grüßen / best regards
Eva Stöwe
CAcert Assurer
CAcert Case Manager & Arbitrator
CAcert.org - Free Certificates
E-Mail: 
eva.stoewe AT cacert.org

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature