[Enigmail] Setting trust levels for unknown keys

Wed Apr 29 16:12:42 PDT 2009

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Robert J. Hansen escribió:
> Faramir wrote:
>>   Right, it's indeed a very good question. Leaving aside it is always a
>> personal decision to trust or not a key or CA, CAcert is based on the
>> OpenSource philosophy, and that means their policies and procedures are
>> available to be checked by everybody.
> 
> Their policies and procedures are one thing -- but how do you know that
> the policies and procedures they list are the same as what they actually
> _do_?

  Well... we can't know what any individual assurer is doing right now.
But there is an external auditory in process right now, which was
required by Mozilla to include their root certificate in Mozilla
products. That means they have a lot to lose if something goes wrong,
because we need it included by default in browsers to stop seeing the
ugly "untrusted certificate" warnings... which become even more ugly
after each release of browsers (right now, it's hard to bypass that
warning, on some browsers).

  Also, CAcert Assurers are required to pass a test about how to do
assurances, before gaining assurer status. New assurers had to pass it,
and now, old assurers are required to pass it to retain their assurer
status (there was a period to do the test, now, all assurers who didn't
do it are blocked from assuring people until they pass it).

  For these reasons, I think CAcert has better trained assurers than
Thawte, and also, since CAcert is required to show it is "secure", they
need to be more careful than ever. In other hand, Thawte has a long
tradition of working fine, and they have a big budget to pay to
costumers if something goes wrong. And probably they solve the disputes
using courts of justice, with highly trained lawyers and lengthy
processes. CAcert solves the disputes using internal arbitration, which
is supposed to be faster, and since they don't require lawyers, it's
affordable by anyone.

> There is no substitute for direct on-the-ground knowledge.  If you're
> cool with trusting CAcert without this, that's your call to make: but I
> don't think impressive documentation, by itself, inspires much confidence.

  I forgot to mention I became an assurer on last december, and I am an
active reader of support list and policy list, so I have seen how they
cook their policies, and I can opine on their drafts if I feel I want
to. Of course, I am not an expert on policies, and I have not written
much on that list.

  But still, I don't have any idea about how is an assurer in New York
doing his job... of course, I don't know how a Thawte Notary is doing
his job in anywhere...

>> Of course, maybe you wouldn't trust Thawte too, and I
>> know you have the right to do that.
> 
> Thawte has more to lose by screwing up.  Thawte's a business that has to
> keep customers happy or else they're out of business.  CAcert, by its
> nature as an unpaid volunteer project, can afford to screw it up badly
> and still retain most of its users.

  Yes and no... Thawte has his brand name to protect them from minor
mishaps, and a big wallet to solve problems, they won't be removed from
browsers easily, while CAcert can't say the same.

  I get your point, but I don't share your point of view about Thawte
Notaries being more trust worth than CAcert Assurers, after all, their
are people too, and they have exactly the same chance of being caught
cheating...

  Best Regards
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBCAAGBQJJ+N7qAAoJEMV4f6PvczxAcSsIAJEiLET0tBeqHvJIlBj/l/ga
ZbsyV95/qzOvBDA3xpacEbFLFGYZeZuJSDg6ic7iufvXURGjDs+jabmTAMZz/kfP
MGI+RQ9B+ZazfoqIU/Iz+fSXacJtgQMmRIvqGFxotbYg3bGVpD4oqEpjkgJrk/mJ
NAR6pn7E5WntQEdmzgKe7zfXxb+OuP87QlEPGfuZAhLQY07SzZC2o9voK17fDq9e
CWBVrVpWRFg9jlinPJtaNkVhrS4FVvqoXLtgCpAb40Mm33n/BkMylllBpNrvlj96
pzCUN8R1EwNyzIjRvlBU6+gHIgG3eC9SX+4AK6Sxxk+yu6madNOt9LcM/oiiOHs=
=cC6a
-----END PGP SIGNATURE-----