Policy-Discussion

[Daniel Black <daniel AT cacert.org>]

On Saturday 27 March 2010 14:23:11 Ian G wrote:
> On 26/03/2010 15:10, Daniel Black wrote:
> > On Friday 26 March 2010 13:55:04 Ian G wrote:
> Good to see some attention on the SP!
> 
amazing how much attention you get trying to finalise something or remove 
something. Overall its good to see so few conflicts. Thanks for instigating 
the review.

> > The board also has significant responsibilities under the SP. Their
> > comment would be good also.
> > 
> > 
> > As I mentioned here[1] I have some concerns over:
> > 
> > 1. background check of board members
> > 
> > not because of my or any board member's background but because:
> > 1.1 requiring a background check of the board is a decision for the
> > CAcert Inc members not the policy group
> 
> If that were to follow, then the team leader for the critical team can
> also make that decision.

My logic is the policy group makes a set of policies to prepare the framework 
for the audit. The board already has a whole set of procedures and penalties 
in law (well the 2009 act) to ensure its actions are in the interest of the 
association.

> It the case that policy group wrote and approved a policy that directs
> or narrows board options.

narrowing options with respect to proving a good framework for an audit is a 
good thing.

> However that's what the policy group's job
> is.  Writes policies, to direct or narrow options across the Community.

 
> The question is, should the board escape the policies because it doesn't
> like them?

Its not that the board does or doesn't like them. The board deals with rules 
it does or doesn't like all the time. The issue is that 10-15 policy people 
approval isn't the same as getting a 75% agreement on a incorporation special 
resolution.

> Successive boards have agreed with PoP, and the PoP has been
> ratified by the Association, so the current situation is:  the policy
> group can write a policy that limits the board.

right. it can limit it for the purpose of audit. Its not a short cut path for 
doing a CAcert Inc special resolution. PoP gives board veto powers over draft 
policy exactly for this reason - to prevent decisions it wasn't meant to be 
making and, preventing to impacts it hasn't foreseen detriment of the 
organisation.

> > 1.2 the board doesn't access personal data or control critical systems.
> > The exception of root control which is done as a team. The lack of
> > control over personal data or critical systems means the ABC background
> > check isn't needed.
> 
> The issue here is that the board can demand things of its team leaders.
>   And the team leaders can be replaced.  By the Board.

Well some require background checks out of board control. Arbitrators also 
exercise a level of control over team leaders.

>   The fact that
> the Board might not do that right now is not really at issue;  what is
> at issue is that the critical team leaders work to the board as
> executive, and there is a clear control mechanism available.

Team leaders work to the board collectively rather than individually. If team 
leaders have a really really strong difference of opinion to their direction 
they can disclose this publicly or seek an arbitration over the board 
decision. These mechanisms of appeal are more useful than a background check.

> Another way of looking at this is to ask:  has a board director ever
> demanded access to stuff, or told the community that the board is above
> the community?  Yes, and that's what the last SGM was about.

There's many different opinions as to what it was about. I perceive it as a 
minor part. Other see it differently. It certainly isn't a definitive opinion.

One point i'm making here is the policy group isn't above the CAcert 
Incorporation rules to require a prerequisite for board election.

> > The arbitrators have more important cases than performing ABCs on board
> > members with limited control over critical data.
> > 
> > 2. outsourcing
> > 
> > The requirements here may conflict with our current
> > contracts/arrangements.
> 
> They may well do;  the job of the Board and Teams is to get them into
> alignment.

and to make sure things that are written are practical as well as looking 
good 
in digital print.

> > I'm not sure of the difference between outsourcing and service
> > acquisition and the SP requirements for acquisition of services on
> > non-critical infrastructure may be too onerous.
> 
> SP doesn't really cover non-critical.
> 

I was hoping so however statement like 'Team leaders may outsource non-
critical components on notifying the Board' and the list is prefix by 
"outsourcing arrangements." creates ambiguity.

-- 
Daniel Black
Vice President
CAcert

Attachment: smime.p7s
Description: S/MIME cryptographic signature