Policy-Discussion

[Ian G <iang AT cacert.org>]

On 27/03/2010 16:48, Mario Lipinski wrote:
> Hi,
>
> I agree with Daniel. Community cannot limit the association in doing
> it's business. So this parts might even be void.

I'm afraid it is very Not Void :)

PoP limits the Association.  The Board of 2007 approved PoP.  Everyone 
at Pirmasens TOP was well aware that this was what was happening.  Then, 
the Policy Group and the Association ratified PoP, for expressly that 
purpose, to make sure that the limits of PoP over the Association and 
over the entire community stuck.

Further, the policies of the Community are policies of the Association 
(agm20100130.4.1), and especially the PoP.  Association Rules 1(1) and 
11.  https://wiki.cacert.org/AGM/RuleChange/OurDisputeResolution

The sole exception available to the Association is this in PoP:

   "4.6 During the period of DRAFT, CAcert Inc.
   retains a veto over policies that effect the
   running of CAcert Inc."

Which makes it very clear:  the policies are over CAcert Inc, and they 
limit the association.




It's probably better off thinking of the policy group as the designated 
subcommittee of the Association where such policies are formed.  E.g., 
agm20100130.4.1 can be seen in this light.  And, it is of course the 
point of all rule making and all policy making that they limit the 
people who the rules apply to.

Also, think of the humble Assurer.  When you the Assurer receive a court 
order to hand over your CAcert private keys, what do you do?

It's exactly the same problem.  In this case, the policies of CAcert 
make that a breach.  So you the Assurer must file dispute to get the 
Arbitrator's oversight to deal with the breach.

The Association is "just another person" in the community.  Like an 
Assurer.  The Association also desperately wants the protection of the 
Arbitrator so as to provide a considered ruling that allows it to hand 
over the data so requested.  Otherwise it is going to be sued when it 
responds foolishly quickly to a scary document.


> I also have my doubts concerning
>
> 9.3.2. Response to external (legal) inquiry
>
> If there is a legal inquiry to CAcert Inc. it is board business. Not of
> an arbitrator. Since the board members are legally responsible for
> managing the association during their election period.


All legal inquiries to the association are association business, just 
like legal inquiries to Assurers are Assurer-business.  But they are 
also Community Business.  As per above, this is subject to policy, and 
we've moved the due diligence necessary in dealing with external 
inquiries this to the "subcommittee" called the Arbitrator.

The same applies to any other member.  When an Assurer is sued at a 
booth for breaches of data protection, it goes to Arbitration.  The 
Arbitrator will protect the Assurer, and the other party.  The Assurer 
still has to deal with the responsibilities she has ... and they will be 
explained by the Arbitrator.

The Arbitrator doesn't take away those responsibilities.  The Arbitrator 
directs how you (the Association, the Assurer, the Member) will meet 
those responsibilities.  In so doing, the Association is protected, 
because it has take due steps in meeting the responsibilities.

Another way of thinking about it is that the Arbitrator is our internal 
counsel.  As an analogue.

iang



PS: note on spelling of inquiry v. enquiry.  As a /very obscure/ 
subtlety in english language, "enquiry" is informal, like asking a 
question.  "inquiry" is an official or formal form of enquiry.  However 
in the common use of the language, they are generally used without 
distinction, and many dictionaries these days don't know the difference. 
 Hence, the SP uses the correct term, inquiry, which makes it unusual 
and exotic.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature