Brain/Study/COrbitCA - CAcert Wiki

NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
To Brain Study - To Brain Study - Overview Projects - To Technology Laboratory COrbitCA - To comma Workbench COrbitCA

COrbitCA - CAcert.org Account Holders CCA Completing Campaign - Brain Background

COrbitCA, short for CAcert.org Account Holders CCA Completing Campaign
In order to get all CAcert.org Account Holders under CCA for Audit purpose, Technology will develop / patch necessary

Project Flow

Bullets Description

Preamble

There are two major changes that we need to get out to the world: The NRP-DaL to "everyone" and the CCA to our members.

This list of changes is now at version 7. Much stuff is done, see bottom. Audit-blocking summary:

1.	Root page needs reference to NRP-DaL
2.	Certs request needs "I agree" text
3.	old psuedo-contract text to go
4.	Members to be notified of CCA

The above are required by audit. (See AuditToDo for others.) Now read on for more explanation.

NRP-DaL

The use of the Non-Related Persons -- Disclaimer and Licence to reach out to the people we can't reach to ... is "novel". That means, we are in an area where the courts don't necessarily agree with our approach, but there is custom in the industry, in the form of open source licensing. Courts say that licences aren't necessarily held as binding on people who did not see them, and industry practice says that Shrink-wrap and Open-source licences are delivered the only way we know how ...

To make this work, CAcert has to be very consistent, very repetitive, and very boring. CAcert has to point to the NRP-DaL at all times and in all places.

It starts with the website: the website must *PROMINENTLY* push the NRP-DaL.

(As well as getting it plastered all over the website, it is the Assurance team's responsibility to work the issue through with all Assurers (eg.., ATE, CATS), and PR's responsibility as well.)

CAcert Community Agreement

The second issue is our agreement, the CCA. This regime of community documents and policies was agreed fundamentally at the TOP in September 2007.

It needs to be put into place everywhere. The CAcert Community Agreement has to be made part and parcel of all processes. CCA1.1 specifies where agreement has to be got from the user, and these changes need to be implemented:

  1.1  Agreement

You and CAcert both agree to the terms and conditions in this agreement. Your agreement is given by any of

    * your signature on a form to request assurance of identity ("CAP" form),
    * your request on the website to join the Community and create an account,
    * your request for Organisation Assurance,
    * '''your request for issuing of certificates''', or
    * if you USE, RELY, or OFFER any certificate issued to you.

For this we need words like:

          I agree to the CAcert Community Agreement [ ]

in various places, see below. I suggest you stick to those words above exactly because (a) they are simple words, easy to understand, and good enough to get the message across, and (b) translation issues means we have to be consistent with the text for a long period of time, else everyone ends up with English.

Main Website

Totally Urgent and Important

These three fixes are holding back AUDIT

1. Root Certificate Download Page:

When downloading the Root Certificate, there should be prominent access to the NRP-DaL and a clear explanation that this is the licence under which the root can be USED.
Something like this text at the top:

    * As a member, your USE and RELIANCE is governed by the CCA.
    * For all non-members:  you may only download and USE under CAcert's Non-related person - Disclaimer and Licence.  You must not rely!

2. Certificate creation page (e.g., client certs)

when certs are created there needs to be a "I agree" checkbox as above
the old psuedo-agreement text needs to be cleaned out.
both server cert page (#10) and client cert (#3), the first 4 paras.
Something like this text could replace the four paragraphs.

    Your use of a certificate is controlled by the CAcert Community Agreement, the CPS and other policies.  Please see /policy/

3. Old psuedo-contract text needs to be cleaned out from the website. This is a bit more difficult because it needs to be identified and replaced with something else. (E.g., see example in 2. above.) Let's look at this when the above 2 parts are done, or see the bugs filed on this issue.

Not Absolutely urgent but still quite important

These are not audit issues, but important business issues. They remove unprofessionalisms and confusions, and replace with certainty and clarity:

Join CAcert.org menu
- Under that menu, add:
  - Disclaimer & Licence, with text like "for non-Members"
  - with this URL: http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
Policies
- Privacy Policy
  - needs to be moved into the /policy/ framework
  - and away from http://www.cacert.org/index.php?id=10 ; drop that page
  - fix up the link at bottom of page to point to new /policy/
Also, for all those buttons/pages, can you put on a PRINT button that prepares a HTML page that doesn't include the advertising and the menu items to the right?
- The raw HTML policies should be in that directory as that is the agreed format in the Document Standard.
- there should be some meta data on the /policy/ page.
add a link under the About to Principles of the Community pointing to the svn page?
Points System
- Please DROP the Point System from the main page menu, as it is neither a Rule nor Policy page, and is out of date. (it is in the Miscellaneous ... should be on the wiki anyway, deferring to the Assurance Handbook.)
- Alternatively change the title to "Types of Certificates"
- Should ask Ted to review and rewrite that page?
COAP form should be adjusted to include the new "I agree to CCA" and reference to Assurance Policy or OAP inserted. It needs to be clear that both the Organisation Assurer and the Organisation itself accept and understand the issue. Also, OAP4.3 puts the onus on the Assurer to really make sure this part is covered, and that also needs to be recorded on the COAP form.

Also see the bugs system for another reading of the things that are needed (no time right now to cross-reference them).

CCA-patches Testing

2009-07-07 added CCA-patches to test1.cacert.at by dirk
2009-08-31 added CCA-patches tests reporting page

Additional changes noted

help page includes stuff that is better on the wiki. Probably the only thing that needs to be there is a pointer to help pages on the wiki, the mailing lists, the support email address, and a disclaimer.
Why is [ bugs database] in the About list? If it requires a login to access, it is not a general info for the public.
Move SSO help to wiki.
About CAcert.org
- Is this: About the CAcert Community ?
- Or About the Community?
- or just make it About to avoid complications...
- Association needs a link to its own page, separated clearly from Community .. somewhere

Notifications of Change

All Members need to be notified of the CCA.

This is a standard business requirement.
- If this is not done, then the CCA and the Members are in legal limbo.
- This weakens the power of the Arbitration to resolve issues, and increases the trauma and costs when problems occur.
This can be done by sending out an email to all Members
- Has this ever been tried? (No, but Assurers have been notified 20090522.)
- An old working practice (one hesitates to say "policy") was that no email would ever be sent out without a user initiation. This has to be struck down; business needs drive policy, not spammers.
- A text is needed.
- A mailout may require a significant support effort!
Potentially it could also be done by
- initiating a check whenever some user turns up on the website,
- and zeroing out the old users.
- as the last step is unlikely to happen any time soon, this is probably not a serious fashion.
- however, this last step should probably happen some time anyway.

Also note this related but non-CCA issue: All Assurers need to be notified of the new AP. This in effect may have happened on 20090522.

Complete!

20090831 added test reports for CCA patches page
20090707 new CCA-patches to test1 machine . Thanks dirk!
old CAP form was adjusted to include "I agree" and "assurance to AP". Thanks Dirk!
old Assurers were notified of the Challenge 20090522.
Assurers without the Challenge were turned off.
Assurance Policy moved to the main website
within the About CAcert menu main page, change the title of NRP-DaL to full: Non-related Persons - Disclaimer and Licence or where that is unlikely to work NRP - Disclaimer and Licence.
Join page
- On Join page there must be a question to effect of:
- "I agree to the CAcert Community Agreement [ ]"
Policies: Policy on Policy added to /policy/ as http://www.cacert.org/policy/PolicyOnPolicy.php
Main page: Intro text rewritten (the whole first 4/5 paras)
fixed minor URL bug in CCA, now points to POLICY DRP.
from Join menu, CCA linked with title Community Agreement
link from main About menu points to /policy/ title named "Policies"
Following policies now in /policy/ directory:
- Non-related Persons - Disclaimer and Licence
  - with this URL: http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
- CAcert Community Agreement
  - http://www.cacert.org/policy/CAcertCommunityAgreement.php
- Dispute Resolution Policy
  - http://www.cacert.org/policy/DisputeResolutionPolicy.php
- Organisation Assurance Policy
  - http://www.cacert.org/policy/OrganisationAssurancePolicy.php
(Contact info, postal address is now changed!)

references:

Project/CCApatchesTesting

Inputs & Thoughts

YYYYMMDD-YourName

Text / Your Statements, thoughts and e-mail snippets, Please

YYYYMMDD-YourName

Text / Your Statements, thoughts and e-mail snippets, Please