Policy-Discussion

[Eva Stöwe <eva.stoewe AT cacert.org>]

Dear Uli,

On 02.03.2016 14:30, Ulrich Schroeter (CAcert) wrote:
>>  But: Something being against the AP IS a KO criterium. As the AP tells
>  >  us that a Sub-Policy may not violate the AP.
> 
> Bullshit!!
> 
> AP 6   defines the procedure an topics for any enhancements to AP
> Including exceptions.
> The requirement for this is:
>       => It must describe exceptions and potential areas of risk.
> 
> 6.2. High Risk Applications   give some ideas of enhancements
> And variations, but is not limited to it as the definitions
> have to be set in subsidiary policies

Please read carefully:

"6. Subsidiary Policies
[...] Subsidiary Policies specify any additional tests of knowledge
required and variations to process and documentation,
_within_the_general_standard_stated_here."

==> The standards defined in the AP may not be reduced. Only additional
requirements may be added (or maybe something may be replaced by a
comparable requirement, as long as it holds up the standard defined in
the AP.

"6.1. Standard
Each Subsidiary Policy must augment and improve the general standards in
this Assurance Policy. It is the responsibility of each Subsidiary
Policy to describe how it maintains and improves the specific and
overall goals. It must describe exceptions and potential areas of risk."

==> If at all a Sub-Policy may only improve the standard. If special
risks are there, those risks have to be named and it has to be named how
the standards of the AP are hold or improved -> if at all they should be
higher if there are higher risks.

"6.2. High Risk Applications
In addition to the Assurance or Experience Points ratings set here and
in other subsidiary policies, the Assurance Officer or policies can
designate certain applications as high risk. If so, additional measures
may be added to the Assurance process that specifically address the risks."

==> If there are additional risks, additional checks may be added.

At no point it says that basic standards and requirements of the AP may
be lowered or ignored by a Sub-policy.


The standrads of the AP are at least (End of AP 4.3)
" In general, for a Member to reach 50 Assurance Points, the Member must
have participated in at least two assurances, and at least one Name will
have been assured to that level.

To reach 100 Assurance Points, at least one Name of the Assured Member
must have been assured at least three times.

The maximum number of Assurance Points which can be allocated for an
Assurance under this policy and under any act under any Subsidiary
Policy (below) is 50 Assurance Points."

There are more, but just look at those.

See the difference regarding 100 Assurance Points and 50 Assurance
Points? For 50 AP it is in "general ... at least two assurances". So
here may be room for juggling with Sub-Policies.

But for 100 Assurance Points, to become an assurer, there is no "in
general" it is "at least three times". This and nothing else.

This is a standard that HAS to be maintained if not improved by the
Sub-Policy.


> 
> Nucleus vs AP
> ===========
> 
>> To reach 100 Assurance Points, at least one Name of the Assured Member 
>> must 
>> have been assured at least three times
> 
> After the Nucleus event, the assuree is assured with 100 and more Assurance 
> points
> By at least 12 assurers


So would my circle of people who assure each other where we just
randomly give two or three of them 50 points to begin with.

The relevant point is the "to reach" 100 points. And only IF you have
100 points you may award points of your own. (Beside of in a reciprocal
assurance with an assurer.)

Also: You may not assume that everybody assures each other or most of
each other. Especially not with maximum points.


You were speaking of countries where there is very low experience with
the documents. Also there could be a multitude of documents where you
would have the additional issue to decide which of them may be legal,
which of them may be easily bought at the market, which are known to be
fakes. Countries in which people may be used to solve issues regarding
their documents with money. Where nobody really cares about those
documents because everybody knows how easy you can buy them anywhere.
Also where a lot of people just may not have a document. Also where not
only the language would be unknown to some of the people present, but
also the letters may be unusual for some of them and where transcripts
are used to write names, which may vary a lot.

If you assume that most of the assurances will be entered with maximum
points you more or less make the assumption that the checks of the
documents are not done with the required care.

If you assume that the checks are done with appropriate care and only if
people are convinced about the correctness of the documents they enter
any points, you cannot assume that the number of counting assurances
will be that high.






[Which raises the question if documents are really a sensible way to
identify someone, but currently this is the concept of CAcert and of the
AP.]

I do not say, that it could not be interesting to discuss our basic
ideas about assurances. But this would be a completely different topic.
And there are reasons why they are in the AP, because they match OUR
reality in a practical way.

There are also a lot of areas on the world where we could go with the
tools we have.

Or with changing Nucleus, to a version where at least one of the local
persons has one assurance of any kind given from someone else, prior to
the process. TTP, face-to-face, whatever.

Btw: A sensible thing to discuss to extend the reach of our assurer,
which would be a lot cheaper and not depend on single persons would be
to find a way for video-assurances or something in that direction.



Also: If you assume that there will be little to no contact by those
people to the rest of CAcert prior and after the event, would it really
be the best for those people and the area to do all this? Wouldn't it be
more in their interest - or in the interest of other such groups - to be
able to build up their own WoTs? Where there may be no connection to us
at all?

So instead of doing Nucleus, to just provide them with their own
platform to assure with their version of assurances that matches their
requirements and not ours? So that they could adapt what they really
need? Our software, our polices everything is open source.

And if they have setup their own version, one could compare, one could
check what they do and decide if what they do could be integrated in our
WoT. Or if they would be better of with theirs and we better of with our
version and whoever is interested in both, can just do both?

-- 
external email-address: 
katzazi AT gmx.de

PGP: 157D 27C5 CC2C 1039 27B6 72D6 D457 3B37 0DEE BB3B
x509: AF:03:3C:FC:49:9F:F9:5A:14:D0:2B:57:4E:4E:D4:6A:A6:2C:82:0E

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature