Points
- CCA "contracting out" question
Policy Group's Year of Conquest!
The big target of the Policy Group was achieved when Security Policy went back to DRAFT around early June 2010.
We now have a complete set of policies for audit!
The Audit is driven by the Criteria (called DRC or David Ross Criteria) and this sets an index for audit called Configuration Control Specification (CCS). This went to draft in April 2010. According to DRC-A.1, the whole audit set is:
- Configuration Control Specification (CCS)
- Certification Practice Statement (CPS) which in our case includes Certificate Policy (CP).
- Privacy Policy (PP)
- Security Policy (SP)
- Declarations of Risks, Liabilities and Obligations (in CAcert Community Agreement or CCA)
- Control of Software, Hardware and Logs (in CCS and Security Policy).
The project took 5 years, starting from Christian Barmala's efforts in 2005 to write a CPS, up to the point where Security Policy went to DRAFT. Approximately 13 documents in 100 pages, approved by 70 contributors casting 350 votes & decisions. We hereby present the hall of fame for CAcert's 5 years of Policy Conquest:
(this wikiscrape of the votes and resolutions does not for example include the authorship of the policies.)
The Security Policy Saga
Security Policy was vetoed by the Board on m20100327.2, as it can under our rules PoP 4.6 "During the period of DRAFT, CAcert Inc. retains a veto over policies that effect the running of CAcert Inc." This was triggered by a clause in the SP that said that Members of the Committee of CAcert Inc. were on the list of those who should have a background check. Once the veto was initiated, the topic was widely debated in the Board's communications.
Once the vote to veto closed, we responded by taking the Committee Members off the list. The list had been put in around a year before, and at the time the committee was included because many (including the committee) had been worried about conflicts of interest amongst Committee Members for a long time. However, by 2010 the concerns had been overtaken by events; the new Associations Act 2009 of NSW requires conflict of interest notifications to the secretary. This is thought to be somewhat better than either nothing, or an ABC which is probably too stringent for the Committee Members. As there was no real objection to taking it out, this was done.
Several other detailed changes were made, and a general cleaning up. When we finally brought the newly reviewed SP to the vote, we recorded unanimous consensus with 20 Ayes, our best up to that date.
Significant Events
- The new CPS went to DRAFT (as reported last year). The old CPS was replaced on the website. Our thanks to Christian Barmala for a great effort on that earlier document.
- International Domain Names were permitted according to a registry approach.
- Our Policy on Junior Assurers / Members (affectionately known as PoJAM) was also put to DRAFT. This was fast work, being handled in a matter of 2-3 months. MiniTOPs were held in Germany by the Assurance Team to get this one done.
- An Editor's Guide to Good Policy was written. It is called EggPol because it is our best defence against getting egg on our face...
- A good debate on how to distribute the roots resulted in a new Root Distribution License.
- Which then sparked negotiations with the Board resulting in all our policies under the Attribution-Share-Alike Licence from Creative Commons. All of our volunteer writings destined for policy track are automatically transferred fully to CAcert Inc, to be licensed to the community, following PoP 6.2.
Future Work - Stuff we know we did next year
TTP-Assist. Assurance got a brand new subsidiary policy (under Assurance Policy) to handle TTP work. This was again led by the Assurance Team, and reworks the classical TTP process. In the past, TTPs sent their documents to a TTP-Admin, who was generally a single person appointed by the Board. Now, under TTP-Assisted Assurance Policy, the TTPs work with Senior Assurers, one each for each TTP, and the entire process is distributed. Additionally, the process includes a top-up concept to get an additional 35 points to the Member, thus helping her to become an Assurer.
Appeals to Arbitration. The Board filed to appeal against an Arbitration, which immediately ran into DRP's rule that the Board hears any Appeal. We have for a long time been in agreement that this was a bad situation, but we did not have clear consensus on what to replace it with. After some debate, we voted the following text into DRP 3.4:
If the Review Arbitrator rules the case be re-opened, then the Review Arbitrator refers the case to an Appeal Panel of 3. The Appeal Panel is led by a Senior Arbitrator, and is formed according to procedures established by the DRO from time to time. The Appeal Panel hears the case and delivers a final and binding Ruling.
Future Work - Stuff we predict we'll do next year
There are several bodies of work to be done:
- Exceptions: the other ways of assurance.
- the Nucleus Assurance Policy is waiting for attention.
- Organisation Assurance needs a big overhaul.
- Several policies need to go to POLICY.
- TVerify points get nullified in November, which might spark a more concerted effort at replacement.
- At a technical level, we want to move the policies out of the main website into another controlled place. Getting patches through the software assessment department is too slow, and we already have established our own strong governance here.