• Policy
• Tasks

Intro

This is the work page for policies or policy proposals that should get the attention of the Policy Group. It is part of the overall Policy area.

Organisation of Documents

Approved policies are at the main website.

See Editor's Guide to Good Policies for more info on where other documents are, and Controlled Document List for what documents are on the policy track. Other documents are typically labelled something else, such as Practice or Manual, to distinguish from PoP documents. Most of these are created by a parent policy, such as the AssuranceHandbook2 and the SecurityManual.

Priorities for Policy Group

1. Update Policy on Policies PoP (COD1)

2. Review appeal process in Dispute Resolution Policy DRP (COD7) - required by Arbitration ruling - addressed, did not come near to a consensus, no change to the DRP

3. Add some kind of privacy policy for the website - required by EU law, because our servers are running there

The priority for the following tasks has to be decided:

1. Review Assurance Policy AP (COD13)

2. Overwork Dispute Resolution Policy DRP (COD7)

3. Organisation Assurance
   • reveiw current subsidiary policies
   • add further subsidiary policies
4. Assurance Policy subsidiary policies:
   • Legacy Points Policy -- an anticipated policy to clarify the status of old pre-AP points.
   • Nucleus project

5. Review CPS (COD6)

As well as pure policy work, there are also process tasks:

1. Update Policy part of the wiki
2. Move policies away from software controlled area on the website - if PoP allows this

other Policies in need for a review

SP Security Policy is the document that controls all security processes.

• E.g., hardware, software, logging and root keys.

• Security Manual is now the "practices manual" that remains under the detailed control of the team leaders, and documents the detail of how they meet SecurityPolicy.

• SecurityManual authorises many Procedures which can be found by searching for Cetegory / Procedures (see the SM).

RDL or Root Distribution License There are some concerns about how the modification feature can be abused and whether we want to tighten that up. We also need a FAQ and a review of CCA. RDL action page.

PP Privacy Policy (COD5) As a policy, it was approved in principle by the CAcert Inc. Association Board before the PoP regime came into being. It is therefore in a special status which only approximates the current regime, and can be considered to be grandfathered in place.

CCS Configuration Control Specification (COD2) 'specifies what documents and processes are "controlled" for audit criteria purposes.

OAP http://www.cacert.org/policy/OrganisationAssurancePolicy.php is in full

• The OAP is now up for review, according to PolicyDrafts/OrganisationAssurance, as the OA area has exposed many weaknesses.

PoJAM: A subpol for Juniors:

• PolicyDrafts/PolicyOnJuniorAssurersMembers2 was version 2, PolicyDrafts/PolicyOnJuniorAssurersMembers was version 1.

TTP-Assist: Using TTPs to assist our Senior Assurers to complete their assurances remotely:

• TTP-assisted Assurance Policy is now in DRAFT.

• TTP Assurance Policy collects some old notes. Should deprecate and/or rewrite and/or rename.

• Remote Assurance Policy wip for some variation, now overtaken by TTP-Assist.

• Also see Remote Verification Policy wip for another variation, now overtaken by TTP-Assist.

Organisation Assurance Sub-Policies in DRAFT

Organisation Assurance Policy authorises the creation of sub-policies to describe different circumstances.

Europe

Sub Policy Organisation Europe - COD11EU covers European-style Registries.

• Note that this overlaps with some of the below, and they remain in force? Or are replaced?.
• OAP specifically permits overlap.

Germany

Sub Policy Organisation Germany - COD11DE states the information for Organisation Assurances for Germany.

• The Organisation Application (COAP form Germany) is available in PDF and Open Office format.

Australia

Sub Policy Organisation Australia - COD11AU states the information for Organisation Assurances for Australia.

• The Organisation Application (COAP form Australia) is available in PDF and Open Office format.

Ireland

Sub Policy Organisation Ireland - COD11EI states the information for Organisation Assurances for Australia. This policy draft has been voted for draft on 29nd of April 2008 on Policy Email list to DRAFT status.

Following may have been replaced by Europe subsidiary policy.

Holland

Sub Policy Organisation Holland - COD11NL states the information for Organisation Assurances for the Netherlands. This policy draft has been voted for draft on 18th of September 2007 on the TOP meeting and 22nd of October 2007 on Policy Email list to DRAFT status.

• The Organisation Application (COAP form NL) is available in PDF and Open Office format.

Austria

Sub Policy Organisation Austria - COD11AT states the information for Organisation Assurances for Austria. This policy draft has been voted for draft on 8th of March 2008 on Policy Email list to DRAFT status.

• The Organisation Application (COAP form Austria) is available in PDF and Open Office format.

• The Organisation Application (general English COAP form, a template example) is available in PDF.

WIP - Work in Progress - Policies

All of these are 'open for comments' and need work. They are all intended for POLICY track.

• subsidiary policies for Organisation Assurance:

  . Norway

  has been requested.

  . United Kingdom

  has been requested.

  . Swiss

  has been requested. Some old notes may be in PolicyDrafts/SwissOASubPol.

• Nucleus (WIP)

• Code-signing Assurance Policy is being worked on. However, the CPS says that only Assurers can have Code-signing, so at least it has a workaround while the subsidiary policy is worked on.

Miscellaneous

referenced (policy) documents

(this needs some work...)

• Principles of the Community

  • As a Member of the CAcert Community one is further obliged to work within the spirit of the Principles of the Community.
  • This document is incorporated by referenced in CCA, so it takes on a sense of an important but not fiercely controlled document.

Not on the Policy Group task list...

• Definition of a Senior Assurer:

  • This question is now stabilised in the Assurance Handbook's definition.

  • Senior Assurer - an old trial definition and process for designating Assurers who are a more active part of the community, and more experienced.

  • Additional documents, with stricter/lesser Senior Assurer definitions, that contributed to our current definition can be found in the Minutes of the Assurance MiniTOP - Munich 20090517 and MiniTOP Assurance - Brussels 20100206.

• Co-Auditor - a definition and process for Assurers to help in the "Audit over Assurance" program to collect the evidence for an Auditor.

• policy on funding - rules and guidelines for managing funds, donations, expenses. Is this a policy, or an executive document? No, it is an Exec practice for the Board to deal with. Not really policy.

• Policy on Foundations This is really an Executive / Board practices document on "How to create and structure a supporting Foundation."

• PolicyDrafts/DigitalSigning and DigitalSignature - Notes on Design and Policy (ideas) to make Digital Signing work

  • This is unlikely to go Policy track.

  • Also see CARS.

• Governance is PhilippDunkel's exercise explaining the Governance lay out of the Community. It is currently more descriptive. If it were to be a policy, it might end up being a Constitution.

These above were all at one time considered questions for policy group.

Translations

Once a policy has reached a certain stability, the Community may desire to translate it. However note that the English version remains the policy. It is undefined how these translations are delivered, and Members will need to rely on the English version.

• CCA Translations

• PoJAM Translations

None of these are as yet identified and started on the policy track.

• CategoryAudit

• CategoryPolicy