Eddy Nigg wrote:
> On 11/12/2008 05:21 PM, Ian G:
>> No it's not. You just need the person, not their identity.
>
> LOL, you are funny...and how exactly do you get the person if you don't
> know who it is that you need? This is what the (verified real) identity
> details in certificates are here for...

Welllll... the system of courts isn't quite "funny" although there are
some non-understandable aspects, and lots of myths about it. People
often believe crazy things about how the courts act, like they are fair
and just and they will protect you against bad people.
In order to get someone to court, it generally depends on the
jurisdiction you are in. In the English common law tradition, papers
have to be served to the person. So you have to find the person, some
way or other. (Having the name is useful, but what is more useful is
knowing how to find the person, such as the physical address.) In other
jurisdictions, it works other ways. In modern day cases, judges will
often accept you emailing the papers to the person, if the email address
is the only one you know, and this will work as long as your case is
good. In civil code jurisdictions (Europe) the process is different,
and I don't really understand it.
(Bear in mind normal IANAL caveats :)
What is clear is that the name is not really the essence of the process,
it is just one part. So if we are claiming the full essence of getting
people to court, we need to do other things; if we are just doing the
Name, we should avoid talking about the courts purpose unless we can
point to the other things as well, and show how it fits in.

>> If you need to get someone in court, they either come willingly, in
>> which case nothing is needed, or you need to find the person.
>
> You still need to know who it is that you want to get to court...

In US court, you can file against John Doe, and the court can then help
you find the body (by means of a real name or by other means). In other
places they insist on at least a name of some form, although it might
not be the real name. "Known aliases" and "a.k.a." for example.

>> courts will these days accept an email
>> address if the circumstances are appropriate (e.g., that's how he
>> closest you got when doing business).
>
> Most likely not. I can be [EMAIL PROTECTED] any time I want.

You can, sure. But would you? Would you dare to masquerade as another
person, and do some harm? Let's say you do that, and then the summons
arrives to your email address. You see the summons. What are you going
to do?
Do you dare defy the court and not present yourself? If you do that,
then you are toast. If they (a claimant and a real Bill Gates) come
looking for you and find you, then not only have you committed a species
of deception, you've tried to ignore the courts. Not only is your case
compromised, but you've probably committed something against the court.
You will likely lose that case. "Default judgment" or worse.
Instead, because you are a wiser person than that, you will simply
appear before the court, and say, "It is I, using that nym, but my real
name is Bob Smith." And the court will proceed to hear the case. At
least in English common law, it is OK to use any name you like, as long
as it isn't for fraudulent purposes.

>> Because if you claim that it is needed to resolve disputes, then this
>> may be deceptive. (At the least, you should figure out why it is needed
>> and use that reason.)
>
> What's new here?

If a claim is made by CAs that the Name is needed to pursue someone in
the courts, this is more or less deceptive. It is like a claim that
anti-wrinkle cream will make you younger. To the extent that
anti-wrinkle cream makes you feel younger, that's kinda-ok because
fashion is like that, we don't as a society apply high standards in that
market. But it is not acceptable to build any regulated or mandated
product on such an unfounded claim, and it is not acceptable in a
security market.
If we accept that (and we are in a security market, regulated by audits
and/or vendors) then we should stop making that claim.
Unfortunately, this then creates a big hole in the process: what was
the Name there for? If it hasn't got a serious purpose, then it is a
fashion accessory. If it is a fashion accessory then we don't need
stringent controls. Fashion is choice, not regulation. Or, if it has
got a serious purpose, what is that? Then, we can look at how to
regulate that.
(One thing should be clear: if a Name is in the cert, the CA is making
a claim about that name. If it issues you a cert with "Bill Gates", we
might validly ask what then is the claim?)

>>> According to my preference I may freely decide in order to give
>>> somebody access to certain resources which are truly under my control,
>>> I may require a verified identity too. It's about the risk assessment
>>> of each of us, being it private or corporate.
>>
>> OK, I buy that. Would you sign to that as a principle?
>
> I think so, yes. It's applied already today in some forms. It can be
> done better...

OK. So the principle is that everyone may make their own risk
assessments, whether private or corporate. We may freely decide to
allocate our resources and make our decisions.
This would mean that the vendor deals with the CAs it chooses, and the
CAs are free to choose their customers. It would mean that an end-user
can deal with the certs that she chooses. If she likes the safety of
authority-verified certs, then well and good. If she likes the
living-dangerously feeling of self-signed stuff, then also well and good.
It would also mean that a vendor was free to experiment and choose
different security models c.f. Gerv's much lamented yellow bar and
Jonathon's 4-click process.
Perhaps that could be coded up into Mozo's principles or policy?
iang