• PolicyDecisions

Decisions by Policy Group

According to Policy on Policy, Policy Group can make decisions concerning policies. This list tracks formal (voted) decisions made in most-recent-first order. See also Policy and DecisionNumbers.

p20111113 CPS #7.1.2 "Certificate Extensions" adjustments

MichaelTänzer: Resolved,

• that the CPS section 7.1.2 is changed as stated on https://wiki.cacert.org/PolicyDrafts/CPSKeyUsageChanges

Motion CARRIED. Consensus of 24:0. Voting closed 20111128.

• Jason voted twice, both aye, so only one counts
• dirk voted twice, both aye, so only one counts

p20110108 DRP #3.4 Appeal handled by Arbitrators

Iang: Resolved,

• that DRP 3.4 be changed to state the following:

  • "3.4 Re-opening the Case or Appeal

  • In the event of clear injustices, egregious behaviour or unconscionable Rulings, a review may be requested by filing a dispute. The new Arbitrator reviews the new dispute, re-examines and reviews the entire case, then rules on whether the case may be re-opened or not.

  • If the Review Arbitrator rules the case be re-opened, then the Review Arbitrator refers the case to an Appeal Panel of 3. The Appeal Panel is led by a Senior Arbitrator, and is formed according to procedures established by the DRO from time to time. The Appeal Panel hears the case and delivers a final and binding Ruling."

• as shown in BLUE at our wip copy of the DRP.

Motion is CARRIED. Voting closed 20110126.

Voting opened 20110123. voting.

p20101009 Changes to CCA for RDL

Iang: Resolved,

• that we take to binding DRAFT the changes listed in our wip-copy of CCA, as shown in BLUE. These changes are primarily alignments with the new Root Distribution License, and some tidy-ups.

Motion is NOT carried. Voting closed 20101024. Requests to postpone from Uli and Nik are treated as NAYS. Motion posted.

p20100913 TTP Assisted Assurance Subpolicy

Ulrich: Resolved,

• that the TTP Assisted Assurance Subpolicy be approved to DRAFT.

• including the changes recorded in blue.

• This version is based on the new deployment version started back in December 2009 Hamburg-MiniTOP.

Motion CARRIED. Consensus of 24:0. Voting closed weekend 20100926.

p20100722 License our Policies under CC-BY-SA-3.0-AU

Iang: Resolved,

• That we request CAcert Inc (Board) to licence our policy work under "Creative Commons Attribution-Share-Alike" license, at least. The license short form is "CC-BY-SA", being the 3.0-AU variant.

See PolicyDrafts/DocumentLicence Alternative 2.

Motion CARRIED. Consensus of 6:1. Voting closed weekend 20100801. Request sent to board meeting 20100801. Board agrees!

p20100710 License root under Root Distribution License

Iang: Resolved,

• that the Root Distribution License be approved to DRAFT, and that it become the only way in which the Roots of CAcert can be distributed.

• Further, that Non-related Parties - Disclaimer and Licence be withdrawn entirely and immediately, fully effective on finalisation of this motion. The purpose of the NRP-DaL is entirely replaced by the RDL.

• Further *, that policy group move to modify the CCA to clarify that USE and OFFER include a standard for correct operation, and this will likely involve sharing of roots by OFFER of Members, and USE of roots by NRPs.

• Finally, that other proposals (CC-BY-ND and 3pv-DaL) be taken off the table. Policy group contributors and editors are thanked for thought-provoking comments and useful debate.

* 3rd paragraph added 20100716, mid-vote, with rough consensus.

Motion CARRIED. Consensus of 15:3. Voting closed weekend 20100724.

p20100627 License root under CC-BY-ND

Sascha Thomas Spreitzer: Resolved,

• The CACert root certificates are licensed under the "Creative Commons Attribution-No Derivative" license. The license short form is "CC-BY-ND".

Adverse comments seen from Kyle and Nathan, but no call.

NOT Carried. With 8 to 6 in favour, rough consensus is not established. Closed 20100710.

p20100624 CCA defining "CAcert Services"

Daniel: Resolved, {1},

• The following definition be appended to 0.1 Terms of the CCA

  16. "CAcert service" is a service related to the certificate issuing and assurance
  of CAcert members, run by CAcert, for the exclusive benefit of members.  Services
  provided by members to the community or CAcert which are sold, or made available
  to non-members, in a substantially similar form are not considered CAcert services.

NOT Carried.

p20100510 Security Policy to DRAFT

Iang: Resolved,

• that, Security Policy goes to DRAFT,

• including the changes recorded in blue.

Motion CARRIED. Voting closed weekend 20100606.

p20100426 CCS to DRAFT

Iang: Resolved,

• that, Configuration-Control Specification (CCS) goes to DRAFT

Motion is carried, 13 to 2. Closed 20100517.

p20100401 VETO takes a policy to WIP Document

Iang: Resolved,

• That, when a DRAFT policy is vetoed under PoP 4.6, the policy status is terminated and the document reverts to Work-In-Progress under PoP 3.

Motion is Carried, 14 to 2, on 20100411.

20100327 Remove Board background checks from DRAFT Security Policy -- VACATED

Daniel Black: Identified that board background checks conflict with Association Rules

By rough consensus the issue of background checks of board members is resolved as follows: This purported decision does not reach the standards of Policy on Policy and and is vacated 20100330. If any further deliberations are required they should be done by a proper vote before policy group. Board should abstain. Elsewise, refer to dispute resolution procedures in PoP.

p20100326 Security Policy to remain in DRAFT

Iang: Resolved,

• According to PoP, a policy can only be in DRAFT for a year ... Security Policy reaches this milestone this Saturday, following p20090327.

• Now, there are some marked up suggestions in BLUE that have not been voted upon. These basically add an "Application Engineer" who is responsible for the application. We would need to make a bit of a decision here as to which way we want to go.

1. Keep SP in DRAFT for another period, and re-work those BLUE sections.

2. Accept the BLUE, and go to POLICY.

3. Discard the BLUE as not voted, and go to POLICY.

4. Or?

Vote closed 20100326. Security Policy remains in DRAFT.

p20100306 Policy Officer makes minor adjustments

Iang: Resolved,

• A Broken URL in a policy requires a change under the rules in PolicyOnPolicy. So policy group has to change it. It is actually a change that is needed in a lot of places. We could:

  1. read the policy, make the changes needed, vote it thru.

  2. vote a blanket decision that Policy Officer may change URLs to track any links that move in any existing policy.

  3. vote a blanket decision that Policy Officer may make the following changes, where it is clear that the change does not change the policy:

     1. URLs to track any links that move,

     2. grammatical errors,

     3. anchors, HTML errors & formatting,

     4. COD numbers and formatting

     5. other minutiae,

  4. make a formal change to Policy on Policy to incorporate the style of 3 or 2 above, as was proposed here.

Vote closed 20100306. Option 3 is carried with 8 Ayes. Policy Officer may make minor adjustments:

p20100120 Assurance Policy: require government ID

Alexander: Resolved,

• The current assurance policy is not clear enough about what is acceptable and what is not to verify a person's names.

• RESOLVED, that section 2.2 of the AP is to be amended with the following:

• "Except for different names due to marital status, and except for exclusion of middle names, the deviation from section 2.1 should be for technical reasons only."

Vote Aye if you want the AP to be clear about what is allowed and what is not, and specifically require a match with government issued ID.

Vote Nay if you prefer to leave this an open question and allow names which are not in government issued ID.

Not Carried.

• Note 1: there were arguments that not all countries issue government ID's for everyone and hence this proposal is discriminatory. There is discussion for a new proposal that would only handle those countries that do issue them, to at least be clear about those, for example a Europe subpolicy.
• Note 2: Some (Iang, Mario, Pieter, Faramir) have in my opinion showed arguments that they may be in favor of a new proposal, for Europe only.

p20100119 PoJAM to DRAFT

Ulrich: Resolved,

• We've discussed the PoJAM a lot in past. I call on Policy Group to bring back our Juniors:

• Therefore, RESOLVED to approve to DRAFT status (under PoP) the Policy on

Junior Assurers / Members, also known as PoJAM, here:

• https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html

Vote closed 20100130. The decision is carried with 14 Ayes, 2 Nays. PoJAM moves to DRAFT

• Morten Gulbrandsen voted twice, both Aye, last counts:

• 1st Date: Tue, 19 Jan 2010 20:37:11 +0100 https://lists.cacert.org/wws/arc/cacert-policy/2010-01/msg00100.html

• 2nd Date: Thu, 28 Jan 2010 01:08:24 +0100 https://lists.cacert.org/wws/arc/cacert-policy/2010-01/msg00151.html

• Aye votes: {1}, Alexander Prinsier, Morten Gulbrandsen x1), Dominik George, Ulrich Schroeter, Joost Steijlen, Ian Grigg, Tomáš Trnka, Bernhard Fröhlich, Faramir, Brian McCullough, Martin Gummi, Nathan Edward Tuggy, Raoul Xavier Boerlage

• Nay votes: || Hans Verbeek, Martin Schulze

p20100113 Stop issuing class3 certificates

Daniel: Resolved,

• Proposes that: CAcert stops issuing Class3 certificates

Voting closed on 20100119 due to new information m20100117.3. Not carried, NO consensus.

• Aye votes: Daniel Black Philipp Dunkel Guillaume Romagny, Pieter, Andreas

• "Middle" Abstentions: Dominik, Alexander

• Nay votes: Iang-reasons RaoulXavierBoerlage, Gero, Mario, Philipp G, Ted, Lambert, Tomáš Trnka, Faramir, Morten

p20091108 CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets

Daniel: Resolved,

• The following modifications be made the DRAFT CPS, http://svn.cacert.org/CAcert/policy.htm, before it is copied as per p20091106:

In: 1.4.5. Roots and Names

the text ", IDN" is to be removed from the table.

Add after section 3.1.6 the following text:

3.1.7. International Domain Names

Certificates containing International Domain Names, being those containing a ACE prefix (RFC3490 Section 5), will only be issued to domains satisfying one or more of the following conditions:

• The Top Level Domain (TLD) Registrar associated with the domain has a policy that has taken measures to prevent two homographic domains being registered to different entities down to an accepted level.
• Domains contain only code points from a single unicode character script, excluding the "Common" script, with the additionally allowed numeric characters [0-9], and an ACSII hyphen '-'.

Email address containing International Domain Names in the domain portion of the email address will also be required to satisfy one of the above conditions.

The following is a list of accepted TLD Registrars:

(insert table from http://www.mozilla.org/projects/security/tld-idn-policy-list.html)

This criteria will apply to the email address and server host name fields for all certificate types.

The CAcert Inc. Board has the authority to decide to add or remove accepted TLD Registrars on this list.

In 3.2.2. Authentication of Individual Identity remove the portion of the table containing:

IDN  |  Can create International Domain Name (IDN) certificates

Carried. Vote closed 20091115 with consensus of 10 Ayes. Implemented!

p20091106 CPS to be placed on the main website

Iang: Resolved,

• The existing document under http://www.cacert.org/cps.php be removed.

• The DRAFT CPS located at http://svn.cacert.org/CAcert/policy.htm be copied onto the website location at http://www.cacert.org/policy/CertificationPracticeStatement.php (and be recopied from time to time at policy group's discretion).

• The URL at http://www.cacert.org/cps.php be permanently redirected to the final home of the CPS at http://www.cacert.org/policy/CertificationPracticeStatement.php

• This is a one-off to remove the confusing effect of the now-deprecated document at http://www.cacert.org/cps.php .

Carried. Vote closed 20091115 with consensus of 13 Ayes.

p20090706 CPS to DRAFT

Philipp: Resolved,

• Therefore I would like to motion that unless there is dissent by 1 week from now (2009-07-06) we consider that the CPS has passed into DRAFT status.

Vote closed 20090706 with consensus of 16 AYES.

• Votes for PD, Alejandro, Guillaume, Robert, Greg and Evaldo were assumed from from Board's m20090614.6

p20090327 Security Policy to DRAFT

Philipp: resolved,

• I am proposing this new Security Policy to pass it into DRAFT. The Policy WIP can be found at https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html

Within the Security Policy there are a lot of references to the Security Manual. If you want to have a look at the current state of that, you can find it at SecurityManual

Vote closed 20090327 with consensus of 11 Ayes.

p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars

Teus: Resolved,

• Proposal has been acknowledged by three Danish Assurers. CAcert board and OA Assurance manager were involved to overview first Organisation Assurance.

p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars

Teus: Resolved,

• Proposal has been acknowledged by two Belgian Assurers. CAcert board and OA Assurance manager were involved to overview first Organisation Assurance.

p20090105.2 Assurance Policy status: POLICY

Philipp: Resolved,

• Proposal to accept Assurance Policy as POLICY has been voted on. Votes ended 24th of December 2008.

(AP is now on main website.)

p20090105.1 Methods to check Domain/Email Control and Ownership

Philipp: Resolved,

• Proposal to adapt in the Certificate Policy Statement (CPS) email/domain checks is accepted:

1. CAcert will check whether an individual has control of the email address requested for certificate inclusion within 24 hours a client certificate is requested and may check at any time thereafter.
2. In order to get a certificate issued by the *Community Member Subroot* the member must have been assured at least once and received at least one point. This ensures that the member has physically signed the CCA.
3. In order to have their Name included in a client certificate or have a certificate issued by the *Assured Community Member Subroot* the member has to have been assured to at least 50 points.
4. In order to have a server certificate issued by any subroot at least 2 of the following checks have to be completed successfully:
   1. E-Mail Ping sent to an administrative email address from WHOIS
   2. DNS Cookie
   3. HTTP Cookie
   4. Statement of at least 2 assurers about ownership/control of the domain name
   5. The RFC addresses.

Closing date for votes was 24th of December 2008. CARRIED.

• Philipp G abstained on point 4 only.

p20081016 All Information in Certificate is Verified

Teus: Resolved,

• To adopt the following principle as policy:

  • All information in the certificate is verified.

• Verification means one of the following:

1. Assurance, as per Assurance Programme and Assurance Policy (e.g. Name).
2. "Evaluation" as per Certification Practice Statement (e.g. domains, email address).
3. Control, as per Certification Practice Statement (e.g. serial numbers, etc.).
   • (The word "Evaluation" may be replaced at a later time by a term more suitable.)

• Carried. Closed with 10 for, none against.

p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT

Teus: Resolved,

• Organisations registered with (CAcert) approved (and official) trade office registry can apply for CAcert Organisation Assurance. Countries with Approved Registry: Austria, Finland, France, Ireland, Netherlands, Sweden, United Kingdom, Norway.

Votes: consensus

• Comment: Appendix 2 with tables of not yet approved countries and registries is not part of the sub-policy and is for information only. Organisation Assurers handbook and Organisation Assurance wiki will have detailed information about regsitry company search, trade office extract costs, etc.

p20080917.1 Drop wildcards for unassured Members

Iang: Resolved,

• Wildcards are to be dropped as features available to unassured Members.

Carried. Votes: 7 Ayes. 2 Nays. 1 Abstained.

20100708: Iang Following request for review of thread by Philipp G, the text and subjectAltNames was dropped from decision (2nd and 3rd words).

p20080917.2 Expiry times on Certs

Iang: Resolved,

• Expiry times on certs to be limited to:
  • 6 months for unassured Members
  • 24 months for Assured Members

Votes: 5 Ayes.

Note, this motion originally included 12 months only for code-signing

• Votes: 4 Ayes. 1 Nay.

• Philipp G pointed out that there is currently no check on code-signing for a different expiry, so it is 24 months. Therefore, because it was misrepresented in debate as being the current situation, the above vote on 12 months only for code-signing should be treated as suspect and revisited in the future.

p20080712.1 Assurance Policy

Teus: Resolved,

• Proposal for Assurance Policy to move from WIP to DRAFT status.

Votes: 9 Ayes, 1 Nay, 4 Abstentions. It is not clear who the Abstentions were.

p20080429.1 Organisation Assurance Sub-Policy for Ireland

Teus: Resolved, that:

• Proposal to put Organisation Assurance WiP sub-policy for Ireland to DRAFT status.

Votes: 4 Ayes, no rejections or further comments.

p20080402.1 Organisation Assurance Sub-Policy for Australia

Teus: Resolved,

• Proposal to put Organisation Assurance WiP sub-policy for Australia to DRAFT status.

Votes: 3 Ayes, no rejections or further comments.

p20080401.1 Policy on Organisation Assurance

Teus: Resolved,

• Proposal to change the DRAFT OA policy with: OA Officer appointed by CAcert Board, OA Advisor (150 point Assurer) can become OA Assurer and OA Advisor can advise for organisation assurance when no OA Assurer is available.

Vote closed: only Ayes.

p20080401.2 Proposal to drop Date of Birth

Teus: Resolved,

• Should CAcert drop the DoB on the form, and in the archive?

Vote closed: 4 Ayes, 3 Nays. some not clear votes (Rasika): 1 Aye, 2 Nay

Conclusion: Not Carried. DoB is not dropped.

p20080308.1 Organisation Assurance sub-policy for Austria

Philipp G: Resolved, that:

• Proposal for Organisation Assurance sub-policy for Austria draft. Author: Philipp Gühring. Decided on the policy email list. The last version of the sub-policy.

Votes closed: Ayes: 2 from Austria, no rejects or comments.

p20080204.1 Policy On Policy

Iang: Resolved,

• Policy on Policy goes to POLICY status.

Carried. Vote called, closed.

p20080128.1 Assurers are individuals not organisations

Iang: Resolved,

1. Assurers are individuals, not organisations.
2. Organisation Assurers are individuals, too.
3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes.

In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people.

Carried. Closed.

p20080109.1 CCA to POLICY status

Teus: Resolved,

• CAcert Community Agreement is now POLICY status.

This means that the DRAFT copy moves to the POLICY copy.

Carried. 5 Ayes, 0 Nays. called, last call, final call.

p20080106.1 Members

Iang: Resolved,

• To adopt the following naming of participants:

  • User	A person not registered with CAcert who accesses a CAcert protected website, etc.
    Community Member	A person who is registered with CAcert
    Association Member	A person who is a member of CAcert Inc.

• (9 Ayes, 0 Nays, 1 Abstention?)

  • called, closed

• This vote was also notified to board, and no response seen.

• Community Member may be written in short as Member and is implied.

• Association Member should be written in full. The Association may choose another term at their discretion.

p20080104.1 Contributions

Teus: Resolved,

• Change PoP Contributions clause to:

  • 6.2 Contributions to formally controlled documents such as Policies are transferred fully to CAcert Inc. Copyrights and similar intellectual property rights required to incorporate the Contribution are either transferred to CAcert Inc, or, are issued and contributed under free, open, non-restrictive, irrevocable, exclusive, and clear licence to CAcert Inc. In all cases, CAcert Inc licenses the contributions back to the community under an open licence.

(5 Ayes, 0 Nays)

Carried. started, last call.

p20071217.1 Multiple Names

Teus: Resolved,

• Multiple names are permitted and need to be assured per name.

Commentary. This means that the accounts and Assurance process should be adjusted to cope with multiple names. Assurance Policy suggests 50 points for each name.

This vote was called but also declared as consensus: 1, 2. The vote was not properly documented in mail archives, therefore would not be called a voted decision.

p20071107.1 Privacy

Jens Paul: Resolved, that:

• Change CCA Privacy clause to:

1.4  Privacy

You give rights to CAcert to store, verify and process and publish your data in accordance with policies in force. These rights include shipping the data to foreign countries for system administration, support and processing purposes. Such shipping will only be done among CAcert Community administrators and Assurers.

Privacy is further covered in the Privacy Policy (PP => COD 5).

Carried. Ayes: 3. started (actually, it was started in Advisory meeting and this post carried it into Policy Group, from memory, iang), closed.

p20071207.1 Organisation Assurance sub-policy for the Netherlands

Teus: Resolved,

• the Netherlands sub-policy for Organisation Assurance to DRAFT. Author: Teus Hagen.

called. Decided on policy email list by consensus, no votes seen. The last version of the sub-policy.

p20071022 Organisation Assurance sub-policy for Germany

Teus: Resolved,

• Germany sub-policy for Organisation Assurance to DRAFT. Author: Jens Paul.

Carried. called and closed.

Added retrospectively from mail archives 20100610. This decision was redone from one improperly recorded in TOP.

---

Some reminders of policy decision taken by other means

p20070918.1 Policy on Organisation Assurance

Jens Paul: Resolved,

• Proposal for first Organisation Assurance Policy draft.

Decided upon by decision of CAcert TOP meeting September 2007: m20070918.x.

p-XXX-20070918.2 Organisation Assurance sub-policy for Germany

Jens Paul: Resolved,

• Proposal for first Organisation Assurance sub-policy draft for Germany.

Decision made in CAcert TOP meeting Septmber 2007, m20070918.y but unrecorded. Re-done on policy group, 22nd of October 2007 on Policy email list as decision #p20071022 above.

deprecate this section.

m20060629 Privacy Policy (PP) (COD5)

Info out of https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html

---

• CategoryAudit

• CategoryPolicy

• CategoryDecisions