AR.20080902.A1 CPS issues: 2 bugs

One side issue relating to the earlier post: in order to release funds for the critical systems work, we will need to sort out the CPS quickly.  There are two blocking questions that need to be fixed, so I’ll list them here for all to think about:

CPS Bug #1: Assurance is now on a good footing with the DRAFT Assurance Policy, and we can state with some confidence that CAcert does a good job at identifying people within the community.

But, there is a bug:  the certificates with names do not always use Assured Names.  Specifically, in the Organisations, there is no compelling reason to use Assurance information or anything else to name people.  So, Members are faced with a “name” that is either strongly Assured, or worthless, or somewhere arbitrarily in-between.

How are you to tell the difference?  Perhaps by further looking in the certificate, but forcing people to investigate every certificate to figure out detailed issues makes a mockery of the process, and of the Assurers.

Let’s put it to you:  Should the Name in the certificate (specifically, the CommonName or CN field as shown by software) be

  1. always Assured?
  2. always strong through some other mechanism, either Assurance or otherwise?
  3. sometimes Assured, sometimes unknown, as now?
  4. entirely variable at the discretion of the person?

All of these choices have merits.  For example, the last one looks odd, but is maybe OK, if we recall that all certificates will identify the Member through the serial number.

What do you think?  Over on the policy group, a choice will have to be made somehow, so dive on over there and help.

CPS Bug #2:  The domains and email addresses placed in certificates are only ping-tested once, when added.  Over time, various changes and problems can occur, such as transfer, expiry, loss, etc, so this is not good.  Something has to be improved.  The question is, what?  There are these possibilities that I have seen so far:

  • frequent or regular ping checks on email addresses,
  • automatic revocations on domain expiry or transfer,
  • a change made to a website through HTML text or headers, etc, to show control,
  • a change made to DNS records to show control,
  • a change made to Registry records to show ownership or delegation of control,
  • a statement of ownership or control made to CAcert in the online system,
  • or?

Probably, we need some combination of 2 or more of the above, because some of them will be hard for people to do.  As before, check in on the policy group to express your opinion.
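One way the "combination of 2 or more" idea could be expressed as a periodic re-check, as an added example that is not CAcert's system or policy. The `cacert-control` label, the 90-day freshness window, the entry fields and the sample entries are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from html.parser import HTMLParser

# Assumptions, not CAcert policy: label, freshness window, proof count.
LABEL = "cacert-control"
MAX_AGE = timedelta(days=90)
REQUIRED_PROOFS = 2

class MetaTokens(HTMLParser):
    """Collects the content of every <meta name="cacert-control"> tag."""
    def __init__(self):
        super().__init__()
        self.tokens = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == LABEL:
            self.tokens.append(a.get("content") or "")

def html_proof(page, token):
    parser = MetaTokens()
    parser.feed(page)
    return token in parser.tokens
def dns_proof(txt_records, token):
    return f"{LABEL}={token}" in txt_records
def ping_proof(last_reply, now):
    return last_reply is not None and now - last_reply <= MAX_AGE

def evaluate(entry, now):
    """Return (status, passed proofs) for one domain listed in a certificate."""
    if entry["registry_expiry"] <= now:      # expiry: revoke without more checks
        return "revoke", []
    passed = [name for name, ok in (
        ("email-ping", ping_proof(entry["last_email_reply"], now)),
        ("html", html_proof(entry["html"], entry["token"])),
        ("dns", dns_proof(entry["txt"], entry["token"])),
    ) if ok]
    return ("valid" if len(passed) >= REQUIRED_PROOFS else "recheck"), passed

# Constructed sample entries (not real domains or tokens).
NOW = datetime(2008, 9, 2)
SAMPLE = {
    "fresh.example": dict(token="k7q2", registry_expiry=datetime(2009, 3, 1),
        last_email_reply=datetime(2008, 8, 1), txt=["cacert-control=k7q2"],
        html='<html><head><meta name="cacert-control" content="k7q2"></head></html>'),
    "stale.example": dict(token="m9x4", registry_expiry=datetime(2009, 3, 1),
        last_email_reply=datetime(2007, 1, 15), txt=["v=spf1 -all"], html="<html></html>"),
    "lapsed.example": dict(token="p3z8", registry_expiry=datetime(2008, 6, 1),
        last_email_reply=datetime(2008, 8, 20), txt=[], html=""),
}
```

Calling `evaluate(SAMPLE[domain], NOW)` for each entry separates a domain that still shows control, one whose only proof is a stale one-time ping, and one whose registration has lapsed.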
