Policy-Discussion

[Ian G <iang AT systemics.com>]

Jens Paul wrote:
> Hi!
>
> > Anyway, it is not "in effect".
> >
> >   
>
> And have been told to base my education material on this CPS (the one 
> one futureware) because it is "in effect", but many people out there 
> argue with me because they consider the CPS as "not in effect". So it's 
> pretty tough for me to decide which material I can use inside my 
> education material as "in effect" or "official" and which not. We tried 
> to come to a comman base by discussing the education presentation within 
> a group of people, but this process is very time consuming because in 
> many situations we have to start a discussion again ....


I understand.  So how to call this one ...

I have a certain amount of sympathy with those that point at 
the old CPS, because it is on the CAcert site.  But I should 
point out that it is not approved for audit purposes, and 
there are no plans to change that.  Basically, the problem 
is that the document cannot be "controlled" by CAcert, and 
therefore is ruled out by CCS rules.  I can't see a way 
around that, we went to battle on that issue and lost. 
(Bugger.  Move on.)

The newer one on futureware... well, that's what we are 
working to.

Which leads to the question of approval ... like the one on 
the cacert site, the futureware one is also unapproved.  The 
difference is that the earlier document is unlikely to ever 
be approved, and the futureware document is a WIP destined 
for approval.

Finally, while again I have a certain amount of sympathy 
with those who want a *fully approved document*, I should 
point out that just the other night I reviewed revision 19 
of the OpenPGP draft.  I first joined that working group in 
1997 .. a full decade ago .. and am still reviewing their 
first product 10 years later.

Everyone is using the OpenPGP RFC2440-bis document and it's 
not approved for usage.  Everyone sends OpenPGP messages 
around, and they all conform to a 10 year old unapproved

This is why the IETF-style "consensus" style also allows a 
certain amount of consensus-but-not-quite-approved working 
practices.

Does it suit the audit?  Hell, no.  We probably need a fully 
approved set of documents by the end of the audit.  But that 
is a long way away at the moment.


> So yes, I think one of the most important tasks to do is to clearly mark 
> which documents are "official" and "up to date" and which are not. Every 
> nw material is based on existing one, and if we rely on "bad" or 
> "outdated" informations we even produce more "bad" documents ...

I agree, on the one hand, no Assurer is likely to simply 
study the CPS over a quiet evening, it's just too long and 
dry.  So we need training and easier condensed materials ==> 
Assurance Handbook.

I also expect a certain amount of "bounce-back" to the CPS. 
 If you find problems, please write it up and send it back 
to Philipp.  Or ask for svn access to that repository and 
edit it yourself.  Or something.

iang