
cacert - Re: Member with unnormal amount of accounts

Subject: A better approach to security

  • From: Nathan Edward Tuggy <nathantuggy AT sti.net>
  • To: cacert AT lists.cacert.org
  • Subject: Re: Member with unnormal amount of accounts
  • Date: Sun, 07 Feb 2010 16:04:11 -0800

On 2010-02-07 15:23, Florian Hannemann wrote:
> Hi,
>
> On 07.02.2010, at 01:15, Lambert Hofstra wrote:
>>> b) one cannot assure somebody else using the multiple identities.
>>
>> Correct: you can only assure someone once. At the time of the face-to-face
>> meeting the assurer and assuree check each other's identity papers, and the
>> assurer can assure (give points to) the assuree. Any member that gets more
>> assurances than face-to-face meetings should file a dispute.
> Hm, isn't it possible to get some kind of..... let's say "assurance refresh"?
> I mean you are right you shouldn't be allowed to assure someone with more
> than one account, but why shouldn't you assure someone again after a while
> (maybe years)?

It seems to me this would only be safe if assurance points somehow expired or depreciated or something -- otherwise it would simply take a few years to get any number of people to full Assurer status without proper oversight, as a single Assurer could assure each of them every two years or whatever until they achieved full points. Perhaps not the worst thing in the world, as it's a bit hard to construct a horrible attack scenario with this, but not ideal either -- doesn't fit "four eyes" very well. And generally speaking, attack scenarios only get worse.

Obviously, if assurance points expired after two years (as I think I've heard suggestions for occasionally), this wouldn't be a problem, but that would introduce its own set of problems.

Just my two cents.

--
Nathan E Tuggy
Software Professional, Security Enthusiast, CAcert Member


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature



