Ok, so this was lame.

I just attended my first CACert assurance party thing. It started off with a 2-hour talk that gave information that could be easily extracted (with a bit of patience for bad English grammar and spelling) from their wiki. Two things that stuck out to me (like, indeed, sore thumbs):

  • PGP key signatures are useless, because a signature on a key doesn’t tell you anything about the standards that were used to get the key owner’s identity to the signing party.
  • CACert are trying to get a WebTrust-compatible audit. From what I heard at the talk, instead of being audited for the first time, they worked with the auditors to get into auditable shape (with the same auditor) next year. That sounded kinda familiar to me…

Anyway, after the talk ended (which was cut short at 2:00h by a person who graciously stepped in as a moderator), the assurance thing itself was kind of anticlimactic: There were ~20 people present; everyone was told to get 10 forms, fill them out, and get assured by (and assure themselves) three people who are Assurers, then repeat the process with seven others. Nobody knew which of the attendees were assurers. I don’t think the guy who held the talk understood what I was trying to get at when I suggested that this was kinda suboptimal. Frustrated at the lack of a response when I asked him if he himself was an assurer, I left.

I feel like I just wasted (and not in a good way) two hours. I applaud cacert.org’s server and client certification services (and I’ll continue to use them), but I’ll gladly forfeit the 100 assurance points that state my ability to sit through 2 hours of boredom and to defy bad organization at an assurance meeting. Give me a useless (but non-boring) PGP key-signing party in a cafe or a pub any day.