A better approach to security

[Lambert Hofstra <lamberthofstra AT gmail.com>]

Hi Hans,

Hans Witvliet wrote, On 07/02/2010 00:12:

On Sat, 2010-02-06 at 14:54 -0500, John W. Moore III wrote:
  

Dominik George wrote:

    

My general question is: Shouldn't there be a limit as to how many accounts a 
single person can have? Of course this is hard to handle, but what we 
experience here rather reselmbles vandalism and makes CAcert work inefficient 
(it keeps at least one case manager and one arbitrator plus several assurers 
working, while there are far too few arbitrators).
      

Actually, the crux of the Question should be "How many Accounts should a
single individual _control_?"  Imagine the scenario where a single
entity controlled 4 Accounts.  What, if any, 'check' exists to prevent
this individual from using all the Accounts to assure each other thereby
allowing self-assurance up to the 100pt Assurer level on all 4?

    

I don't think that the number of accounts should matter.
  

There seems to be a misunderstanding regarding accounts and identities. The account is NOT an identity. It is an account that links things like a certificate to a person, to the real identity of a CAcert member. It is not the account that assures someone else, it is the CAcert member!

However, it should perhaps stated more clearly that if one holds more
then one account:
a) one can not assure them selves (by means of the oher identity)
  

Correct, this is a clear violation: you cannot meet yourself in a face-to-face meeting and assure yourself!

b) one can not assure somebody else using the multiple identities.
  

Correct: you can only assure someone once. At the time of the face-to-face meeting the assurer and assuree check each others identity papers, and the assurer can assure (give points to) the assuree.. Any member that gets more assurances than face-to-face meetings should file a dispute.

Afaics that should be obvious
  

Are you saying it currently is obvious, or that it is not, but should be?


Lambert