NOTA BENE - WORK IN PROGRESS - Your Inputs & Thoughts
COrbitCA - CAcert.org Account Holders CCA Completing Campaign - Brain Background
- COrbitCA, short for CAcert.org Account Holders CCA Completing Campaign
- In order to get all CAcert.org Account Holders under CCA for Audit purpose, Technology will develop / patch necessary
- This list of changes is now at version 8. Much stuff is done, see bottom.
Project Flow
- Bullets Description
Preamble
- There are two major changes that we need to get out to the world: The NRP-DaL to "everyone" and the CCA to our members.
- Audit-blocking summary:
The above are required by audit. (See AuditToDo for others.)
- Now read on for more explanation.
RDL
- Root Distribution License (replaces NRP-DaL in July 2010)
The Root Distribution License defines how the Roots can be distributed and states that non-Members are prevented from relying on Certificates (see NRP-DaL below). To rely on Certificates, users have to become a member.
OLD (outdated)
The use of the [[http://www.cacert.org/policy/NRPDisclaimerAndLicence.php|Non-Related Persons -- Disclaimer and Licence]] to reach out to the people we can't reach to ... is "novel". That means, we are in an area where the courts don't necessarily agree with our approach, but there is custom in the industry, in the form of open source licensing. Courts say that licences aren't necessarily held as binding on people who did not see them, and industry practice says that Shrink-wrap and Open-source licences are delivered the only way we know how ... To make this work, CAcert has to be very consistent, very repetitive, and very boring. CAcert has to point to the NRP-DaL at all times and in all places. It starts with the website: the website must '''PROMINENTLY''' push the NRP-DaL.
- (As well as getting it plastered all over the website, it is the Assurance team's responsibility to work the issue through with all Assurers (e.g., ATE, CATS), and PR's responsibility as well.)
CAcert Community Agreement
- The second issue is our agreement, the CCA. This regime of community documents and policies was agreed fundamentally at the TOP in September 2007.
It needs to be put into place everywhere. The CAcert Community Agreement has to be made part and parcel of all processes. CCA1.1 specifies where agreement has to be obtained from the user, and these changes need to be implemented:
1.1 Agreement
You and CAcert both agree to the terms and conditions in this agreement. Your agreement is given by any of
- your signature on a form to request assurance of identity ("CAP" form),
- your request on the website to join the Community and create an account,
- your request for Organisation Assurance,
- '''your request for issuing of certificates''', or
- if you USE, RELY, or OFFER any certificate issued to you.
- For this we need words like:
I agree to the CAcert Community Agreement [ ]
in various places, see below. I suggest you stick to those words above exactly because (a) they are simple words, easy to understand, and good enough to get the message across, and (b) translation issues mean we have to be consistent with the text for a long period of time, else everyone ends up with English.
Main Website (Software Changes)
Totally Urgent and Important
These three fixes are holding back AUDIT
Change 1. Root Certificate Download Page:
- When downloading the Root Certificate, there should be prominent access to the NRP-DaL and a clear explanation that this is the licence under which the root can be USED.
- Something like this text at the top:
- As a member, your USE and RELIANCE is governed by the CCA.
- For all non-members: you may only download and USE under CAcert's Non-related person - Disclaimer and Licence. You must not rely!
Change 2. Certificate creation page (e.g., client certs)
Your use of a certificate is controlled by the CAcert Community Agreement, the CPS and other policies. Please see /policy/
Change 3. Old pseudo-contract text needs to be cleaned out from the website. This is a bit more difficult because it needs to be identified and replaced with something else. (E.g., see example in 2. above.) Let's look at this when the above 2 parts are done, or see the bugs filed on this issue.
Not Absolutely urgent but still quite important
- These are not audit issues, but important business issues. They remove unprofessionalism and confusion, and replace them with certainty and clarity:
Join CAcert.org menu
- Under that menu, add:
Disclaimer & Licence, with text like "for non-Members"
with this URL: http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
- Under that menu, add:
- Policies
- Privacy Policy
- needs to be moved into the /policy/ framework
and away from http://www.cacert.org/index.php?id=10 ; drop that page
- fix up the link at bottom of page to point to new /policy/
- Privacy Policy
- Also, for all those buttons/pages, can you put on a PRINT button that prepares an HTML page that doesn't include the advertising and the menu items to the right?
- The raw HTML policies should be in that directory as that is the agreed format in the Document Standard.
- there should be some meta data on the /policy/ page.
add a link under the About to Principles of the Community pointing to the svn page?
- Please DROP the Point System from the main page menu, as it is neither a Rule nor Policy page, and is out of date. (it is in the Miscellaneous ... should be on the wiki anyway, deferring to the Assurance Handbook.)
- Alternatively change the title to "Types of Certificates"
- Should ask Ted to review and rewrite that page?
COAP form should be adjusted to include the new "I agree to CCA" and reference to Assurance Policy or OAP inserted. It needs to be clear that both the Organisation Assurer and the Organisation itself accept and understand the issue. Also, OAP4.3 puts the onus on the Assurer to really make sure this part is covered, and that also needs to be recorded on the COAP form.
Also see the bugs system for another reading of the things that are needed (no time right now to cross-reference them).
CCA-patches Testing
2009-07-07 added CCA-patches to test1.cacert.at by dirk
2009-08-31 added CCA-patches tests reporting page
2009-11-20 patches removed by dirk. Details on CCA-patches tests reporting page
Filed bugs
Bugs can also be searched: CCA
bug #505 CCA agree mark
bug #590 better text "join cacert" page
bug #589 deprecated agreement text "new certs" page
bug #715 mass-mail assurers
Closed:
bug #673 wot.php text => AP, Arb
Additional Changes noted
help page includes stuff that is better on the wiki. Probably the only thing that needs to be there is a pointer to help pages on the wiki, the mailing lists, the support email address, and a disclaimer.
- Why is [ bugs database] in the About list? If it requires a login to access, it is not a general info for the public.
Move SSO help to wiki.
- About CAcert.org
- Is this: About the CAcert Community ?
- Or About the Community?
or just make it About to avoid complications...
- Association needs a link to its own page, separated clearly from Community .. somewhere
Change 4. Notifications of Change
All Members need to be notified of the CCA
- This is a standard business requirement.
- If this is not done, then the CCA and the Members are in legal limbo.
- This weakens the power of the Arbitration to resolve issues, and increases the trauma and costs when problems occur.
- This can be done by sending out an email to all Members
- Has this ever been tried? (No, but Assurers have been notified 20090522.)
- An old working practice (one hesitates to say "policy") was that no email would ever be sent out without a user initiation. This has to be struck down; business needs drive policy, not spammers.
- A text is needed.
- A mailout may require a significant support effort!
- Potentially it could also be done by
- initiating a check whenever some user turns up on the website,
and zeroing out the old users.
- as the last step is unlikely to happen any time soon, this is probably not a serious approach.
- however, this last step should probably happen some time anyway.
- Software team prefers to put in place a patch that records the agreements of the CCA. Currently delayed.
- This step has implications with account terminations.
- Likely this will result in many requests to terminate accounts.
- This may need to be incorporated in the announcement.
- Arbitration should be consulted about the work flow.
- Software should be consulted about patches to make this easier.
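The "record the agreements" patch and the "check whenever a user turns up on the website" idea above both reduce to the same data: one timestamped agreement event per member, tagged with the CCA 1.1 method by which agreement was given. The following is an added sketch of that bookkeeping, not CAcert's own code; the method labels, the Account/AgreementRecord types and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ways in which CCA 1.1 says agreement is given (constructed labels for the
# clauses quoted on this page: CAP form, website join, OA request, cert request).
CCA_METHODS = {"cap_form", "website_join", "org_assurance", "cert_request"}


@dataclass
class AgreementRecord:
    method: str            # one of CCA_METHODS
    agreed_at: datetime    # when agreement was given (audit evidence)


@dataclass
class Account:
    email: str
    agreements: list = field(default_factory=list)


def record_agreement(account, method, when=None):
    """Store one CCA agreement event; rejects methods the CCA does not name."""
    if method not in CCA_METHODS:
        raise ValueError(f"unknown CCA agreement method: {method}")
    when = when or datetime.now(timezone.utc)
    account.agreements.append(AgreementRecord(method, when))
    return len(account.agreements)


def has_agreed(account):
    return bool(account.agreements)


def must_prompt_on_login(account):
    """Change 4 variant: ask for agreement whenever an unagreed user shows up."""
    return not has_agreed(account)


def notification_list(accounts):
    """Members with no recorded agreement: the candidates for the mail-out."""
    return sorted(a.email for a in accounts if not has_agreed(a))


def demo():
    # Constructed sample accounts, not real CAcert member data.
    alice = Account("alice@example.invalid")
    bob = Account("bob@example.invalid")
    record_agreement(alice, "website_join",
                     datetime(2009, 7, 7, tzinfo=timezone.utc))
    return (must_prompt_on_login(alice), must_prompt_on_login(bob),
            notification_list([alice, bob]))
```

Keeping the method alongside the timestamp is what lets an auditor tie each account to one of the CCA 1.1 clauses rather than to a bare "agreed" flag.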
Also note this related but non-CCA issue: All Assurers need to be notified of the new AP. This in effect may have happened on 20090522.
Complete!
20091201 (related) bug #673 closed, completed: wot.php page has new text referring to Arbitration and Assurance Policy.
20091120 mega-patch testing programme
S T O P P E D
20090831 added test reports for CCA patches page
20090707 new CCA-patches to test1 machine. Thanks dirk!
- old CAP form was adjusted to include "I agree" and "assurance to AP". Thanks Dirk!
old Assurers were notified of the Challenge 20090522.
- Assurers without the Challenge were turned off.
Assurance Policy moved to the main website
within the About CAcert menu main page, change the title of NRP-DaL to full: Non-related Persons - Disclaimer and Licence or where that is unlikely to work NRP - Disclaimer and Licence.
- Join page
- On Join page there must be a question to effect of:
- "I agree to the CAcert Community Agreement [ ]"
Policies: Policy on Policy added to /policy/ as http://www.cacert.org/policy/PolicyOnPolicy.php
- Main page: Intro text rewritten (the whole first 4/5 paras)
- fixed minor URL bug in CCA, now points to POLICY DRP.
from Join menu, CCA linked with title Community Agreement
- link from main About menu points to /policy/ title named "Policies"
- Following policies now in /policy/ directory:
- Non-related Persons - Disclaimer and Licence
with this URL: http://www.cacert.org/policy/NRPDisclaimerAndLicence.php
- CAcert Community Agreement
- Dispute Resolution Policy
- Organisation Assurance Policy
- Non-related Persons - Disclaimer and Licence
- (Contact info, postal address is now changed!)
Inputs & Thoughts
YYYYMMDD-YourName
Text / Your Statements, thoughts and e-mail snippets, Please
YYYYMMDD-YourName
Text / Your Statements, thoughts and e-mail snippets, Please