A better approach to security

[Lambert Hofstra <lamberthofstra AT gmail.com>]

Hi Mario,

this is a sort of compromise: we want it (it's in the policy) but the
system does not yet support it. So the only way to provide multiple
names is by allowing multiple accounts. We do NOT allow fake names as
owner of an account: every name must be verified and in one way or
another written in an official ID. As a result we cannot have to many
variations in names, what is allowed is written in the "Assurance
Policy" (leading), the "Assurance Handbook", and the "Practice on
Names". The last two are introduced to help:  we know that names are not
always clear from ID documents, and even ID documents sometimes
contradics (for instance difference between Drivers License and
Passport, or between different passports when the member has multiple
nationalities).

Important: it is not required to have multiple accounts to support
multiple email addresses: you can link many email adresses to a single
account without a problem, and you can generate email certificates for
all these email addresses from a single CAcert account.


Once our system can support multiple names linked to a single account
(think of maiden name vs. married name, abbreviations of first name
instead of the full name, I can think of other situations where people
use more than one name in normal life), we (the policy group) might want
to reconsider the current policies.
One could think of for instance allowing a member to add a nickname in
your cert (like peter.pan AT neverland.org). However, CAcert somehow needs
to verify the real identity of the account owner, so the account should
at least have an official name of the owner. Official as in: written in
an official ID document.

Lambert

Mario Lipinski wrote, On 07/02/2010 20:41:
> Am 07.02.2010 17:39, schrieb Lambert Hofstra:
>> Mario Lipinski wrote, On 07/02/2010 16:28:
>>> currently we have a gap between the policies and the system. AP allows
>>> multiple names linked to one account. But the system does only allow
>>> one name for the account. So the only way to handle more than one name
>>> is more than one account.
>>>
>> I'm sorry, can you explain?
>> Are you talking about one person with multiple official government
>> issued photo id's, each with a different name? I'd say that is
>> suspecious ;-)
>
> AP §2.2 Multiple Names and variations
>
> "In order to handle the contradictions in the above general standard,
> _a Member may record multiple Names or multiple variations of a Name
> in her CAcert online Account_. Examples of variations include married
> names, variations of initials of first or middle names, abbreviations
> of a first name, different language or country variations, and
> transliterations of characters in a name."
>
> Since the system can not handle this the current solution for this I
> know about is to have multiple accounts.
>
> So why does AP include this if there is no need at all for this?
>