Policy-Discussion

[Ian G <iang AT cacert.org>]

On 26/03/2010 15:10, Daniel Black wrote:
> On Friday 26 March 2010 13:55:04 Ian G wrote:


Good to see some attention on the SP!

> The board also has significant responsibilities under the SP. Their comment
> would be good also.
>
>
> As I mentioned here[1] I have some concerns over:
>
> 1. background check of board members
>
> not because of my or any board member's background but because:
> 1.1 requiring a background check of the board is a decision for the CAcert Inc
> members not the policy group


If that were to follow, then the team leader for the critical team can 
also make that decision.

It the case that policy group wrote and approved a policy that directs 
or narrows board options.  However that's what the policy group's job 
is.  Writes policies, to direct or narrow options across the Community.

The question is, should the board escape the policies because it doesn't 
like them?  Successive boards have agreed with PoP, and the PoP has been 
ratified by the Association, so the current situation is:  the policy 
group can write a policy that limits the board.


> 1.2 the board doesn't access personal data or control critical systems. The
> exception of root control which is done as a team. The lack of control over
> personal data or critical systems means the ABC background check isn't needed.


The issue here is that the board can demand things of its team leaders. 
 And the team leaders can be replaced.  By the Board.  The fact that 
the Board might not do that right now is not really at issue;  what is 
at issue is that the critical team leaders work to the board as 
executive, and there is a clear control mechanism available.

Another way of looking at this is to ask:  has a board director ever 
demanded access to stuff, or told the community that the board is above 
the community?  Yes, and that's what the last SGM was about.


> The arbitrators have more important cases than performing ABCs on board
> members with limited control over critical data.
>
> 2. outsourcing
>
> The requirements here may conflict with our current contracts/arrangements.


They may well do;  the job of the Board and Teams is to get them into 
alignment.


> I'm not sure of the difference between outsourcing and service acquisition and
> the SP requirements for acquisition of services on non-critical infrastructure
> may be too onerous.


SP doesn't really cover non-critical.

> For these reasons I've placed these two items on the next board agenda[2].


OK!

> [1] https://lists.cacert.org/wws/arc/cacert-policy/2010-03/msg00078.html
> [2]
> http://wiki.cacert.org/Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100403



iang

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature