Subject: Policy-Discussion
- From: Daniel Black <daniel AT cacert.org>
- To: cacert-policy AT lists.cacert.org, cacert-board AT lists.cacert.org
- Cc: Ian G <iang AT cacert.org>
- Subject: Re: SP => POLICY?
- Date: Fri, 26 Mar 2010 15:10:36 +1100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Organization: CAcert
On Friday 26 March 2010 13:55:04 Ian G wrote:
> On the whole, I feel there hasn't been enough attention to this
> question, with only 3 votes. Especially, none of the people & teams who
> are affected by SecurityPolicy have commented.
>
> So I'll cast this wider and add the appropriate team lists for more
> comments. Please make sure you CC votes or comments back to Policy
> list. Apologies for multiple copies in advance!
>
> Security Policy / critical teams, please comment:
The board also has significant responsibilities under the SP. Their comment
would be good also.
As I mentioned here[1] I have some concerns over:
1. background check of board members
not because of my or any board member's background but because:
1.1 requiring a background check of the board is a decision for the CAcert Inc
members not the policy group
1.2 the board doesn't access personal data or control critical systems. The
exception is root control, which is done as a team. The lack of control over
personal data or critical systems means the ABC background check isn't needed.
The arbitrators have more important cases than performing ABCs on board
members with limited control over critical data.
2. outsourcing
The requirements here may conflict with our current contracts/arrangements.
I'm not sure of the difference between outsourcing and service acquisition and
the SP requirements for acquisition of services on non-critical infrastructure
may be too onerous.
For these reasons I've placed these two items on the next board agenda[2].
[1] https://lists.cacert.org/wws/arc/cacert-policy/2010-03/msg00078.html
[2] http://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100403
> On 23/03/2010 08:13, Ian G wrote:
> > We would need to make a bit of a
> > decision here as to which way we want to go.
> >
> > 1. Keep SP in DRAFT for another period, and
> > re-work those BLUE sections.
I don't think the BLUE sections need rework BTW.
> > 2. Accept the BLUE, and go to POLICY.
I'm going to withdraw my acceptance of this option #2 until after the above
issues are addressed by the board.
--
Daniel Black
CAcert