
Re: [CAcert-Policy] Is it ONE photo-id or is it TWO photo-ids?


  • From: Ian G <iang AT systemics.com>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Subject: Re: [CAcert-Policy] Is it ONE photo-id or is it TWO photo-ids?
  • Date: Thu, 01 Mar 2007 02:27:55 +0100
  • List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
  • List-id: Policy-Discussion <cacert-policy.lists.cacert.org>

Jens Paul wrote:
> Hi!
>
> > Hi,
> >
> > Jens Paul, 28.02.2007 14:15:
> > > So again: if we have that topic on CeBIT I have to file a dispute in order to tell an assurer that the CPS is the highest document and he has to assure according to that policy.
> > it will be the top document. But AFAIK the CPS is still a draft and has
> > not been adopted yet and therefore not mandatory. Right?
>
> I could not find any "draft" statement on the CPS, only an "interim" statement on the dispute resolution policy. So it seems to be adopted.
>
> About the "top document" topic: I see that we can point to the policy itself on this issue: "The CPS is an authoritative document, and rules other documents except where explicitly deferred to". So we only have to hope that everyone can read English ...

Hmmm, I recall that.  Sven asks a key question.

Here's the story, as far as I know and recall...:

When the audit process started, there were big problems with the CPS. To cut a long and painful story off at the knees, it needed to be rewritten from scratch. Christian did good stuff, and it wasn't his fault ... circumstances beyond control and all that.

(The rewritten document is that which is on the futureware.at site. The original document that needed to be rewritten from scratch is on the CAcert site.)

The rewritten CPS is unfinished; the major part missing from memory is the security section, which by rights depends on the "Security Manual". So when the SM is ready, this will be presumably integrated into the CPS.

Meanwhile, the whole process of approving documents was very tough, as was getting comment on any document ... which is one of the factors that has led to the re-organisation of CAcert's internal management. There is now a new policy-on-policy which suggests the IETF process of consensus on this very group (pay attention!) which will presumably be applied to the CPS when finished. And, anyone can chime in and read the CPS and suggest changes... Please do!

So...

what's the connection with "the real world of Assurers" ?

One of the discoveries of the CPS process was that it was very very hard to tie down a security/reliance statement. And so the CPS "wimped out" to use the strine and instead of nailing down Assurance, it pointed to the wiki, in particular in the form of the "Assurance Handbook."

Let's summarise.

Audit  ==>  CPS  ==>  Assurance Handbook

The Assurance Handbook is "authoritative" because the CPS says it is. (Or will be, when approved.)

Which means the onus is on YOU GUYS to develop the Assurance Handbook to be a useful resource. In part because the CPS says so, in part because the Auditor is wondering "how the hell did that happen," in part because modern security thinking prefers adroitness in the face of attacks, and in final part because you yourselves need a resource.

Over to you.

iang

PS: to an extent the IETF-style consensus policy concept does not stress "approval" but rather, if it is common sense and it works ... follow it! In the event of the document not being good enough, then (a) file a dispute, or (b) fix the doc.
