cacert - Re: [CA cert] How and which name to assure

  • From: Johan Vromans <jvromans AT squirrel.nl>
  • To: A better approach to security <cacert AT lists.cacert.org>
  • Cc: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CA cert] How and which name to assure
  • Date: 31 Mar 2008 11:54:37 +0200

"Jeremy J. hall" <jeremy AT mail4geeks.com> writes:

> Point taken regarding the obviousness being tied to local culture.
> As for all 3 of those names being potentially the same person, if I
> can only produce a document showing Jeremy, then Jeremiah and Jerry
> should not be acceptable for CAcert.

If this rule were applied strictly, I estimate that 80% of the
existing assurances in our country must be declared void at once.

> You're exactly right, and CAcert can not distinguish (outside of
> e-mail address as Pete said) between people with the same name. It
> is a hole that CAcert can not fill without a lot more data
> collection,

I think most countries have a single, unique identification item, e.g.
the SSN (USA) and the BSN (Netherlands). I have, however, been told that
storing the SSN is a security risk since it can be used for
authentication on itself. Our BSN is just an identifying number
without additional value.

> All I'm countering with is saying if we allow "non official" names
> based on a judgment call of the assurer, it will only serve to
> widen that hole.

Yes. My point is to emphasize that an assured certificate still has
certain limitations and that we have to make clear, first of all to
ourselves, that these limitations exist.

> As you pointed out Thawte does a decent job of attempting to fill
> that hole, but at the consequence that a person has to leave a copy
> of their ID with their notary. This exposes the assured to more
> identity theft risk,

I think you hint at the SSN issue I mentioned above. Here, a photocopy
of a passport cannot be used for anything serious.

Which, again, points towards (potential) different guidelines per
jurisdictional area.

-- Johan
