
cacert-policy - Re: [CAcert-Policy] Is it ONE photo-id or is it TWO photo-ids?

Subject: Policy-Discussion

  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Is it ONE photo-id or is it TWO photo-ids?
  • Date: Fri, 23 Feb 2007 13:21:02 +0100
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Bernhard Froehlich wrote:
If "personal standards not matching the official line" are making it into very official looking documents on the official CAcert website it indeed sounds like quite a problem to me. How can I know where to look, just in case I to have a definitive statement? The next time I ask the same question here I may receive an answer pointing me to the CPS. How about marking the CPS invalid if it is so?

Bernhard, sorry to be so tough on you here but I have to thump the desk!

*The CPS has to be the definitive statement*. If it is not ... if there is any suggestion that the document known as the Certificate Practice Statement is not the place for definitive statements ... then you are not following the CA conventions.

The whole culture of the CA concept -- the communication, the expectations, the legal foundation -- is built around the CPS. This is the document that is at the root of the audit process, and also the root of any vendor's decision to distro the root. It is the primary document to inform all other documents *and practices* and people.

If you are suggesting that the CPS -- the Certificate Practice Statement -- isn't definitive then you are saying, in effect, to the rest of the world that:

      "CAcert is not a CA."

Sure, you can say that .. but now you are inventing a new concept, and you should re-label it and you absolutely definitely *should not* tell the browsers, etc, that you are a CA and that you want the root to be incorporated. That would be deceptive.

Can we get that part clear?

    As a CA, your CPS is the official, definitive last word.

If there is anything that someone wants official or standard or good, then it either has to be *in the CPS* or pointed to by the CPS and aligned with the CPS.

The CPS overrules practically everything else.

(nb1. See also Willi's comments about version control and authority to make changes, etc.)

(nb2. You could of course be saying that CAcert's CPS is inadequate ... sure, that would be a very fair thing to say, and I recall it is still draft and there are some missing bits like an entire chapter on security. As a practical issue, I think the current draft of the CPS is here:
http://www2.futureware.at/svn/sourcerer/CAcert/policy.htm
Its draft status reflects in part that there are things missing .. so if there are, then that should be fixed.)

But what you absolutely cannot say is that the CPS says one thing and "official policy" says another. That's a basic contradiction, it means you are out of order, not a CA, not using the language ...

iang



