Policy-Discussion

[Philipp Gühring <pg AT futureware.at>]

Hi,

> I hate to bring up an old email post to the list, but:

It´s not old yet, it´s still valid.

> I’m wondering if anyone has more details on specifically what the
> management issue concerns. Is it a matter of not having enough people to
> fill the board? 

Yes, that´s one point.
Not enough one the one hand, and not active/responsive enough on the other 
hand.

> Insufficient individuals to manage key tasks? 

Yes, as you can see, due to a lack of people we have to concentrate on 
maintaining the security relevant parts, and sometimes don´t have enough 
capacities to care about other things like the mailinglist server.

> Insufficient/inadequate policy to ensure effective management?

Well, I would personally call it inssufficient buerocracy level to ensure 
"effective management" according to high buerocracy standards.

One of the hidden problems of the auditing concept is that instead of 
demanding a secure operation, it demands that a management is in place that 
controls the secure operation. (And it likely takes a long time and extreme 
examples like CAcert to find out why that concept is deeply flawed)
And I haven´t figured out yet, whether such a large-scale management is 
really 
helpful for security.
Has anyone found a proof yet that management (as such) has a positive impact 
on security?

I understand that buerocracy is actually a security-technology. 
(And "ID" and "management" being "products" in of the buerocracy-technology 
market.)
But like identity and other things, it´s more of a barrier than a real 
security solution, so relying on it as the primary security mechanism is a 
bad idea.

> Just trying to get a better idea of the process and concerns.

Thanks for your interest!

Best regards,
Philipp Gühring