Role of this document
The real current full policy is at Organisation Assurance Policy. This page is for rethinks, discussion, etc as to changes to OAP. This wiki page is not policy.
Criticisms of OAP
Recently, some criticisms in Organisation Assurance Policy have emerged, leading to a rethink and a need for a make-over of OAP. Here are the bugs (from Audit/CommunityReport20081007 2.4):
- the verification of the commonName needs to be documented according to (new) policy group decision that all information is to be verified.
- the relative responsibilities need to be laid out in the OAP:
- Organisation Assurer,
- O-Admin,
- Organisation, and
- the individuals inside the organisation.
- it has been suggested that a feature of automatic certificate populating is in place. These needs to be documented and tied into the various policy statements: verification, keys security, etc.
the procedure for doing the OA needs to be documented, in much the same way as the the Assurer's Handbook does it for Individual Assurance. The OrganisationAssuranceManual may be a good starting point for that.
Specifically, Audit is proceeding on the basis that OAP will not be part of the current cycle.