See Policy for the main wiki page for the Policy Group.
How Policies are formed
See Policy on Policy, which describes how policies are formed and approved by the policy mailing group.
Relationship to other CAs
Why using the policies of other CAs is hard
If I may voice a personal opinion, it seems like we're almost reinventing the wheel. My overall understanding of CAcert's policies is that they seem quite similar to other CAs, specifically Thawte -- Thawte has a very similar Web of Trust and similar criteria for assuring users.
All CAs do more or less the same thing: issue certs for browser users, etc. So similarities in policies are unavoidable, and reinventing the wheel is a given to some extent.
To some extent, CAcert modelled its WoT after Thawte, so it would be no surprise if the result was similar. (And, of course, Thawte modelled their WoT after PGP's WoT.)
On the wider question of whether CAcert should simply copy others' wheels, certainly there is no problem with reading and learning from those policies, but it can only go so far for a couple of reasons:
- policies of other CAs are generally oriented to a different goal -- commercial / making money.
- other CAs are generally oriented to either national criteria or criteria such as WebTrust. CAcert is oriented to http://www.rossde.com/CA_review/DRC which has different emphases.
As CAcert has a very different arrangement as far as risks, liabilities and obligations go (such as not taking fees, buying insurance, being able to hire & fire), it has to think fairly carefully about any proposal from the more commercial CAs out there.
For example, if you have a look at Thawte's relying party agreement (look here), you will discover it is not useful for CAcert, because we have already chosen a different path. For Thawte, random users on the net are permitted to rely if they agree to that relying party agreement, whereas in CAcert's Community, only members are permitted to be relying parties. For us, the net users are covered by the RDL, which gives them a limited right to download and distribute the roots, with some limitations. They may not RELY. While there are similarities in structure -- those unknown Internet browser users both have a simple, short document which states what they can do -- the differences are critical.
Can the Policies be re-used by others?
Yes, they are issued under an open licence. See EggPol for details.