Intro
This is the work page and index for work on new and DRAFT policies. It is part of the overall Policy area.
Organisation of Documents
Approved policies are at the main website. This makes it easier for the community and the policy writer to see what the rules are. See Editor's Guide to Good Policies for more info on where the documents are, and Controlled Document List for what documents are on the policy track. Other documents are typically labelled something else, such as Practice or Manual, to distinguish them from PoP documents. Most of these are created by a parent policy, such as the AssuranceHandbook2 and the SecurityManual.
Priorities for Policy Group
Review and align CCA with the new RDL-initiated approach for USE, RELY, OFFER.
See RDL action page
- Review and confirm to POLICY:
- Organisation Assurance
- confirm more subsidiary policies to DRAFT
review and document according to audit concerns; see PolicyDrafts/OrganisationAssurance.
- Assurance Policy subsidiary policies:
Nucleus Assurance Party is a wip that we want to develop further.
- Legacy Points Policy -- an anticipated policy to clarify the status of old pre-AP points.
As well as pure policy work, there are also process tasks:
Policies in Effect but on the Work List
These are policies in DRAFT status, according to PoP. This means that they are in effect for the community, and policy group continues to refine the policy before moving them to POLICY. If there are no adverse comments, the documents generally go from DRAFT to POLICY status after a period of time, which is 1 year according to PoP.
CPS Certification Practice Statement (COD6) - Newly into DRAFT, most welcome. (also unusually transferred to website early so as to replace old policy.htm)
SP Security Policy is the document that controls all security processes.
- E.g., hardware, software, logging and root keys.
Security Manual is now the "practices manual" that remains under the detailed control of the team leaders, and documents the detail of how they meet the Policy.
SM authorises many Procedures which can be found by searching for Category / Procedures (see the SM).
RDL or Root Distribution License from Mark is now in DRAFT! There are some concerns about how the modification feature can be abused and whether we want to tighten that up. We also need a FAQ and a review of CCA. See the RDL action page.
CCA needs to be tuned up to cope with RDL and other minor changes.
PP Privacy Policy (COD5) is POLICY; it is the statement of how CAcert handles provided information, how it deals with web information, etc. As a policy, it was approved in principle by the CAcert Inc. Association Board before the PoP regime came into being. It is therefore in a special status which only approximates the current regime, and can be considered to be grandfathered in place.
- We may now need to start a project to update the privacy regime.
Suggested changes:
PolicyDrafts/PrivacyPolicy LOST?
CCS Configuration Control Specification (COD2) DRAFT - specifies what documents and processes are "controlled" for audit criteria purposes.
Also comes with the Controlled Document List (CDL) listing all approved policies (POLICY and DRAFT).
OAP http://www.cacert.org/policy/OrganisationAssurancePolicy.php is in full POLICY status.
The OAP is now up for review, according to PolicyDrafts/OrganisationAssurance, as the OA area has exposed many weaknesses.
This work will possibly have to wait for appointment of an Organisation Assurance Officer.
PoJAM: A subpol for Juniors:
PoJAM is now in DRAFT!
PolicyDrafts/PolicyOnJuniorAssurersMembers2 was version 2, PolicyDrafts/PolicyOnJuniorAssurersMembers was version 1.
TTP-Assist: Using TTPs to assist our Senior Assurers to complete their assurances remotely:
TTP-assisted Assurance Policy is now in DRAFT.
TTP Assurance Policy collects some old notes. Should deprecate and/or rewrite and/or rename.
Remote Assurance Policy wip for some variation, now overtaken by TTP-Assist.
Also see Remote Verification Policy wip for another variation, now overtaken by TTP-Assist.
Organisation Assurance Sub-Policies in DRAFT
Organisation Assurance Policy authorises the creation of sub-policies to describe different circumstances. The following are in DRAFT:
- Europe
Sub Policy Organisation Europe - COD11EU covers European-style Registries.
- Note that this overlaps with some of the below. Do they remain in force, or are they replaced?
- OAP specifically permits overlap.
- Germany
Sub Policy Organisation Germany - COD11DE states the information for Organisation Assurances for Germany. This policy draft was voted to DRAFT status on 18th of September 2007 at the TOP meeting and on 22nd of October 2007 on the Policy Email list.
The Organisation Application (COAP form Germany) is available in PDF and Open Office format.
- Australia
Sub Policy Organisation Australia - COD11AU states the information for Organisation Assurances for Australia. This policy draft was voted to DRAFT status on 2nd of April 2008 on the Policy Email list.
The Organisation Application (COAP form Australia) is available in PDF and Open Office format.
- Ireland
Sub Policy Organisation Ireland - COD11EI states the information for Organisation Assurances for Australia. This policy draft was voted to DRAFT status on 29th of April 2008 on the Policy Email list.
Following may have been replaced by Europe subsidiary policy.
- Holland
Sub Policy Organisation Holland - COD11NL states the information for Organisation Assurances for the Netherlands. This policy draft was voted to DRAFT status on 18th of September 2007 at the TOP meeting and on 22nd of October 2007 on the Policy Email list.
The Organisation Application (COAP form NL) is available in PDF and Open Office format.
- Austria
Sub Policy Organisation Austria - COD11AT states the information for Organisation Assurances for Austria. This policy draft was voted to DRAFT status on 8th of March 2008 on the Policy Email list.
The Organisation Application (COAP form Austria) is available in PDF and Open Office format.
The Organisation Application (general English COAP form, a template example) is available in PDF.
WIP - Work in Progress - Policies
All of these are 'open for comments' and need work. They are all intended for POLICY track.
Subsidiary policies for Organisation Assurance:
- Norway: has been requested.
- United Kingdom: has been requested.
- Swiss: has been requested. Some old notes may be in PolicyDrafts/SwissOASubPol.
- France: has been requested.
- USA: has been requested.
Subsidiary Policies or exceptions under AP:
Note that the old programmes are effectively Frozen. Until a subsidiary policy under AP is written, they are against AP rules.
The old programmes are frozen because they lack the subsidiary policy under AP#6. Decision of board m20090912.1 with effect 20090914.
Note that the Tverify programme is Frozen. Unless a new subsidiary policy under AP addresses it, points from the Tverify programme directly (not assurances) will be deleted 16th November 2010.
- Tverify: We need a Third Party CA subpol.
Tverify or the Thawte "notary" programme is mentioned in this FAQ: ThawteNotary.
- Searches on Tverify and Thawte turn up some comments.
- Note that it might be written to cope with other CAs or RAs.
Note that the old Super-Assurance program is effectively Frozen. Until a subsidiary policy under AP is written, they are against AP rules.
- Super-Assurance program - Deals with how and when people should be issued 150 points. This may be revived under a subsidiary policy under AP one day.
A replacement is under deployment named: Nucleus (WIP)
Code-signing Assurance Policy is being worked on. However, the CPS says that only Assurers can have Code-signing, so at least it has a workaround while the subsidiary policy is worked on.
Miscellaneous
referenced (policy) documents
(this needs some work...)
- As a Member of the CAcert Community one is further obliged to work within the spirit of the Principles of the Community.
- This document is incorporated by reference in CCA, so it takes on the sense of an important but not fiercely controlled document.
- COD2 Document Policy
- is referenced in CCA, needs to be dropped.
Informal Documents / JADs
These may be elevated to wip policies sometime. Right now, they are JADs -- Just A Document -- and lack a number in the COD system under CDL.
(To be controlled and formal they would need to tie back to documents in CDL, and likely accepted by the Policy Group as work to be done.)
Not on the Policy Group task list...
- Definition of a Senior Assurer:
This question is now stabilised in the Assurance Handbook's definition.
Senior Assurer - an old trial definition and process for designating Assurers who are a more active part of the community, and more experienced.
Additional documents, with stricter/lesser Senior Assurer definitions, that contributed to our current definition can be found in the Minutes of the Assurance MiniTOP - Munich 20090517 and MiniTOP Assurance - Brussels 20100206.
Co-Auditor - a definition and process for Assurers to help in the "Audit over Assurance" program to collect the evidence for an Auditor.
policy on funding - rules and guidelines for managing funds, donations, expenses. Is this a policy, or an executive document? No, it is an Exec practice for the Board to deal with. Not really policy.
Policy on Foundations This is really an Executive / Board practices document on "How to create and structure a supporting Foundation."
PolicyDrafts/DigitalSigning and DigitalSignature - Notes on Design and Policy (ideas) to make Digital Signing work
- This is unlikely to go Policy track.
Also see CARS.
Governance is PhilippDunkel's exercise explaining the Governance layout of the Community. It is currently more descriptive. If it were to be a policy, it might end up being a Constitution.
These above were all at one time considered questions for policy group.
Translations
Once a policy has reached a certain stability, the Community may desire to translate it. However note that the English version remains the policy. It is undefined how these translations are delivered, and Members will need to rely on the English version.
None of these are as yet identified and started on the policy track.
