[atlarge-discuss] Risks and digital certificates (was Re: [atlarge-discuss]Election Preparation)

[espresso@e-scape.net]

Hello again,

My responses are interspersed below. I had written
>><snip>
>>To put it simply, the organizers are those willing to take
>>some degree of personal risk but one doesn't need to take
>>maximum risks to be a real part of a social movement.
>>

and Sotiris responded
>What kind of a "maximum" risk is there in associating with the
>membership and purpose of this organization?!  The DNS is already
>international Judyth...  And as for where it hasn't gotten too yet...
>the US is doing a fine job of ensuring it will someday.
>
>But ooohhhh... yes, many potential "members" of this list may lie
>awake
>worrying about the black helicopters that will come to take them away
>for writing Denise Michel that they didn't like her At-Large
>deception(s)!  And because of that we should let just everyone and his
>mother's uncle (even if it's an ape) become members with a right to
>vote
>and affect our political association?!!?!?!?  Hmm, yes, I see your
>point
>now!  Couldn't be more clear, as clear as an unmuddied lake to be
>sure...

Frankly, I'm not convinced that sneering at me invalidates
my point.

You and I evidently envision two different kinds of
organizations.

You don't think all Internet users have the right to be part
of your "Internet users' constituency", and don't much care
about people in countries where membership in *any* kind of
foreign organization can bring social and political problems.

I don't see how one can form a constituency of Internet users
worthy of the name if one doesn't permit the participation of
people in less developed or more repressive countries -- the
very ones whose poverty and/or lack of freedom the "Information
Society" is being relied upon to alleviate.

>>Anonymity among political equals is a no-no in true
>>democracy, Judyth.
>
>That rather depends on what you mean. In my opinion --
>and I'm certainly not alone in this -- you cannot have
>a true political democracy without a secret ballot.
>Oddly enough, in places where everyone casts their
>ballot while watched by prying eyes, voters tend to
>get beaten up or even killed when they vote for the
>"wrong" person.
>
>Nobody is pushing for eyes on the ballots here, Judyth.

Let me clarify this for you. There have been some real
concerns expressed - by others besides myself - about
the exposure of members' names and e-mail addresses
to public view. It has been implied, if not stated
outright, that voting and/or nominations should be
done publicly rather than privately. I am not saying
that you personally have demanded a non-secret ballot,
but I have had concerns about any balloting process
where any one individual could see who voted which way
... which is the case within the Polling Booth, and
which would be the case if the same person who received
e-mail ballots with personally identifying information
were to count and tabulate the votes.

>>Voters' lists, on the other hand, are usually not secret.
>>[...] More personal
>>privacy and security, at the cost of no longer knowing
>>which of your neighbours won't bother to vote or how
>>many votes should be turned in at your polling station.
>>It's a trade-off most people here find acceptable, though
>>I'm not entirely convinced it's the only way to go.
>
>Here is something in which I actually agree with you.  It's not the
>way to go, and the trade-off is unacceptable.  For those who think
>it is, it bespeaks of the lowest state(s) of apathy and neglect,
>both of which reflect negatively in practice.  Lose, lose.

Agreed. Democracy depends on a well-informed and concerned
citizenry; instead, we've grown accustomed to the erosion
of both public information and citizen participation.

>>[...]>>All that was needed was to
>>be of legal voting age, a citizen, and a legal resident
>>of the riding.
>>
>"All"?  That's quite a bit more than our organization's requirements,
>wouldn't you say?

Yes, indeed, and I think that needs to be remedied ASAP by
means of a proper Constitution and bylaws, a better system
of member registration, etc. But those things will not
happen until a new Panel has been elected, which means that
unless you want to start a different group from scratch
with self-selected "directors" to prepare that framework,
you will have to accept a less-than-ideal process to
allow the current membership to elect its own Interim Panel
to do the job.

>>Sotiris, I've never disagreed with you and you can see in
>>this list's own archives that I don't think it's real
>>proof of anything much. In fact, I believe I supported
>>your idea of a WG to study better means of confirming
>>identity, though I did suggest that some provision should
>>be made for *public* use of a pseudonym (say, on the list
>>or forum) by people who might live in countries where
>>belonging to a foreign organization is illegal or where
>>having one's true identity exposed on the Web is likely
>>to cause unpleasant repercussions.
>>
>As I said, the US is working on solving that problem long term by
>bringing democratic thoughts and ideals to the few remaining
>repressive
>societies on the planet.  Until then, we cannot be worried about the
>exception and forego the institution of a rule.  Exceptions are not
>antecedent, they are consequent considerations and it's better to
>cross
>each bridge when we come to it.

Not everyone shares your confidence that bombardment and
installation of puppet regimes is the best way to bring
democracy to undemocratic nations. (I can't think of a
single country where that worked in the past.)

Meanwhile, you and I disagree about whether it's okay to
just ignore the majority of the world's population until
it adopts the Pax Americana. That's why I'm leaving you
and those who agree with you to organize whatever they
think best.

>>Okay, Sotiris, I've just spent 1-1/2 continuous hours at that
>>site...
>>
>Wow!   Do you read as slow as you walk, Judyth?

Nope, I read rather more quickly than most, and with
excellent comprehension. It's just unfortunate that the
site did not signal early in the process that it was
set up to deal with only specific browsers, and that
I was using a less-than-ideal dial-up connection rather
then highspeed broadband.

>>which ended with "Lost track of sequence...please
>>start again". It's a nice, clean design with easy-to-use forms,
>>and (most unusual!) all the list-boxes work properly with a
>>Mac. However, after going through the whole multi-page process
>>without much difficulty, I was stymied at the end because I
>>was using neither MSIE nor Netscape when I started ... or
>>perhaps it just doesn't like iCab. However, switching to
>>Netscape (4.6) didn't get me a certificate either, which
>>leads me to wonder whether other people mightn't have similar
>>problems, especially working with dial-up rather than
>>highspeed broadband access.
>>
>I'm surprised to hear this.  Millions of people have gone before you
>and
>succeeded in the (as you describe it) thoroughly engaging task!  Are
>you
>sure you didn't get a cert? I suggest you go back into your account
>there and look up the status of any requested certs and see what
>happens.  The certificate is downloaded from the site, it's not sent
>to
>you via email.

Being quite a good reader (which is, after all, a prerequisite
for my profession), I can assure you I did not expect the
certificate to be e-mailed and correctly read the error
messages I received, including the one I got (after doing
everything over again with Netscape) that said the process
had failed and I would have to start over again. I haven't
yet had a chance to do this.

>>Secondly, though I agree that the Thawte certificate might
>>be better than nothing at all (assuming it works better for
>>everyone else than it did for me), absolutely nothing in
>>the process would have prevented me from obtaining a
>>certificate using somebody else's identity. As far as I
>>can tell, I could use anyone's name and social insurance
>>(or passport, etc.) number with one of my own e-mail addresses
>>and receive a certificate -- in fact, it seems I'd have to if
>>I wanted to provide a certificate for messages emanating
>>from another e-mail account.
>>
>Which is why I said it "would be a pretty good place to start",
>because
>we could then be in a position to avail ourselves of the Web of Trust
>which Thawte has built up over the years, and thereby get identities
>verified much better than we are now (to put it mildly)..  Surely, the
>little bt of extra effort (and no, or very minimal, expense) should be
>worth the acquisition of a personal digital certificate?

My point was that the free certificates you were advocating
as a means of authenticating identity don't actually do it:
in practice, it's only slightly more laborious than obtaining
another e-mail address and registering for a second IAL
membership. It's up to the group to decide whether it is
appropriate to demand that all members obtain these
certificates anyway: I just warned that the certificates
only guarantee that the person using one is the same one
who registered for it ... or somebody who has access to
their e-mail account and passwords.

>>Their other form of identification certificate, which requires
>>verification of identity by a notary, would be rather more
>>confidence-inspiring but in practice, walking into a notary's
>>office with legitimate-looking documents doesn't mean the
>>person presenting those documents is the right person, either.
>>That's why we hear so much these days about including
>>fingerprints, retinal scans, etc. where identification is
>>crucial!
>>
>So because it's possible there may be fraud, even if we were to go
>with
>the Web of Trust, you'd rather leave it wide open for fraud to take
>place at a whim...?   You can't be serious.  Surely.  That is no
>argument, my dear woman.

If you could stop assuming I'm an idiot for the moment,
you will see that I've not recommended leaving anything wide
open to fruad -- just signalled a flaw in the assumption
that this particular type of certificate is any kind of
guarantee. The "Web of Trust" process may indeed provide
a better mechanism - always assuming the people already
trusted within the Web are trustworthy. So, for that
matter, would asking each prospective member to download
the registration form, have it notarized, and then return
the notarized original by mail. That nothing provides a
100% fraud-proof ID does not invalidate the need for any
organization to take reasonable precautions.

>snip>
>>I'm not disputing your (or anyone's) rights to want more
>>certainty in the process. The problem, Sotiris, is what one can
>>do about it now.
>>
>We do what we can, and nobody has presented anything better (if best
>efforts are what we REALLY want), that the Thawte Web of Trust.
<snip>

Does that not assume that there will be an already-trusted
person who can easily authenticate the identity of each
member? I'm not sure that would be the case for everyone,
and I haven't seen any indication from the other members on
the list that they agree this must be implemented before
the elections already scheduled.

>>The problem I see is that, by your own logic, anyone registered
>>as a member of this group is automatically suspect unless they
>>are using a digital certificate, which means almost nobody is
>>eligible to say whether or not the Thawte certificate should
>>be required for people to cast their ballots in this election,
>>and no result from any election conducted by this group could
>>possibly be legitimate. Where does that leave you?
>>
>Waiting for the rest to sign up, I suppose.  I don't see why anyone
>who
>professes to be concerned with Internet governance issues would have a
>problem with making a small effort, one which will only help you to
>learn more about the Internet and to meet a few more people who are
>involved in something globally digital like the Web of Trust?  What
>could be more relevant, I wonder?  OTOH, if you had a valid digital
>certificate from another certified issuer, you wouldn't have to go to
>Thawte... Stephen Waters didn't.  But, Thawte and its Web of Trust are
>free, and they're better than anything anone else has proposed to date.

I also had a look at GlobalSign's site, which seems to provide
a *little* more security for its certificates but unfortunately
doesn't issue them for residents of all countries. There may
be yet other companies offering various types of certificates,
though the others I saw only do companies, not individuals.

No doubt the group will come to its own conclusions about what
suits it best.

>><snip>
>>Sotiris, as I said, I'm withdrawing from this project so it's
>>not me you need to convince.
>>
>I'm sure somebody will cop up to replace you Judyth, it's a big
>Internet, so long.
>
>Be Well,
>
>Sotiris Sotiropoulos

You, too, and best wishes to all,

Judyth

##########################################################
Judyth Mermelstein     "cogito ergo lego ergo cogito..."
Montreal, QC           <espresso@e-scape.net>
##########################################################
"A word to the wise is sufficient. For others, use more."
"Un mot suffit aux sages; pour les autres, il en faut plus."
##########################################################



---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de