Please Note that this is now a year or two out of date... However it could be reviewed and made up to date, if someone wishes. The current information can be found at Policy.

CAcert policy issues

This is an overview of the issues raised, discussions, decisions on sematics from the CAcert-policy email list (

By definition this overview will not be complete, nor be correct. It is meant as an overview to enable new members to take part of the discussions. to avoid reinventions of the wheel or deja vu from other participants.

Those issues which went into policies (wip/draft) or other documents are not mentioned here.

Current Issues and Topics

forms: CAP & COAP

Organisation Assurance (OA) sub-policy definitions

Sub-policy definition accepted for: Germany, Holland, Austria, Australia, Ireland.Organisation Assurance sub-policy proposals for:


Start by reviewing the Assurance Policy (POLICY).

Assurance Statement

Big issue is to work out what the Assurance system and CAcert's processes over all are for.

Depending on which is chosen, there are different edge effects. For example, the logic on exporting the documents indicates that we have to choose how we put any reliance on these documents.

Big practical issue is that the Assurance Policy (POLICY) defines a Statement of Assurance which is relied upon by the CPS in the Relying Party Statement. This Statement includes sufficient of the classical claims (Name) and the needs of CAcert to establish a chain of reliance (membership) that it covers both approaches.

Semantics of Zero Points (Individual Assurances)

Zero Assurance points; Febr 2008 (Philipp, Ian, Jens, Bernhard) 50 points is name on certificate, 100 points is code signing and Assurance prospect (pass also Challenge).

What is the Semantics of zero points in an assurance? (Febr 2008). Issues:

All these points were on different questions, or did not hit the mark.

Ref: Assurance Points Assurance points policy; (Subject: zero points means what?); May 2008 (Philipp, Sam, Fred, (Ian, Bernhard))

Assurance Point System (Individual Assurances)

Some (unresolved) issues still (Ian):

maximum of assurance points one can get

multiple names (Individual Assurances)

Provide evidence of Assurer status and/or mutual assurances (Individual Assurances)

Discussion about proof that one is an assurer and force mutual assurance (Ian, Bernhard, Sam, Teus, Philipp's, Fred ).

General Comments on Assurance

Trusted Third Party (Individual) Assurance

TTP documents:


(March 2008) Proposals to change TTP procedures: One ID per TTP, no need to sent copy of ID to CAcert, max 50 points per TTP, points can be variable to decision of CAcert TTP manager. Proposal for new TTP policy (Teus, Ian, Sam) coming to Remote Assurance Policy WiP definition. Issues: * TTP is not automated work, so attach fees and/or donations to CAcert (April 2008)

/!\ Concluding (end of March 2008) into the draft TTP (Sam) Remote Assurance Policy proposal (few comments: Sam, Ian, Teus, Philipp, Robert). Needs more comments and review before one can call for vote.

Other Assurance Issues

Assurance email / domain checks

ref: Email and domain check policy, Dec 2007 (Ian, Teus, Jens): ref: Jan 2008: primary email address should not be checked by Assurer.March 2008 (Sam, Ian, Greg, Russ, Bernhard)

Conclusion: Consensus on this issue was not reached. As it remains a critical part of the Assurance Statement, it is left in the policy as an optional part.


time stamping service

Time Stamping service:

cert signatures

Input of more people would be greatly appreciated!

more identity evidence needed?

Resolved Issues

These items have been debated and consensus reached (or not) on the Policy group. Kept for the record only.

Assurance Policy

Brain/PoliciesAndSignificantTechnicalStandards/PolicyDiscussionsOverview (last edited 2014-05-31 23:04:30 by BenediktHeintel)