Policy-Discussion

[Ian G <iang AT iang.org>]

On 29/03/2010 08:16, Mark Lipscombe wrote:
> On 3/28/2010 4:36 PM, Ian G wrote:
> > So which is it? Either PoP applies to the Association or it doesn't.
> > You have just proposed a vote under PoP. By passing a veto motion under
> > PoP you have confirmed that PoP stands, and it effects the Association.
>
> I'm not sure it's reasonable to draw such an absolute line.
>
> I think we have quite some consensus, at least by way of informal
> agreement at the 2007 AGM, that the association accepts the PoP.


Thank you!


> However, conflicting with that is the fact that to alter the rules of
> the association, which are the *only legal rules* of the association,
> requires a special resolution in the proper form.
>
> So, I would say that whilst the association accepts the Policy on
> Policy, it must do so with the reservation that to the extent that it
> purports to alter the rules of the association, it is not valid. To do
> otherwise would be an improper de facto alteration to the rules, which,
> itself, would violate the rules of the association.


(When PoP was passed, the board of the time was completely aware of the 
issue you speak of;  it was they who inserted the clause, not the policy 
group's representatives there.  Indeed, they read every line of every 
policy, out loud, before approval.  They were very conscious of the issues.)

(just in case someone is wondering how the board managed to insert their 
clause in there like that ... before PoP, all policies were approved by 
the Board.  Of course.  After PoP, not.  PoP was the thing that 
bootstrapped, and their last chance for a selective change.  It could be 
said that PoP cost us 13,000 euros, but was worth every phennig.)



> In this case, I think the board has done the right thing by selectively
> vetoing the item in the security policy which purports to alter the
> association's rules.


Bingo.  Now this begins to make some sense.  You think there might be a 
SELECTIVE veto?  No, sorry, there is no such.  The Association does not 
have a selective veto, it only has the veto over the entire policy.


> It could never reasonably conform to that rule and
> still operate within its own rules.
>
> I think it would be disingenuous to argue that PoP 4.6 is some kind of
> "nuclear" option that vetoes the entire policy regardless of our
> specific decision.


Disingenuous or not, the words say:

      "4.6 During the period of DRAFT, CAcert Inc.
      retains a veto over policies that effect the
      running of CAcert Inc."

It very clearly gives full veto and no more.  Although, I think I can 
accept that it is an easy mistake to make.

Clearly it would be nice for the board to have a selective veto.  So it 
could just chop & change the bits it didn't like.

Of course, it would never work.  The reason that there is no selective 
veto is because we want the policy group to work the policies; 
selectively slicing & dicing will result in the inevitable hand over of 
everything, so, end of policy group.

(Members of the board are encouraged to participate before hand ... PoP 
is of course not rejecting the ability of the board members to influence 
the process.)


> The PoP does not specify this, there is seemingly no
> history to back up this assertion, nor could I find any discussions in
> the mailing list archives concerning it.


I think it is blindingly obvious why there is no prior discussion of it. 
 It's such a simple clause, it screams out "don't do that!"

And, to be fair & complete, it sends the same message, in reverse, to 
policy group :)


> In another email, Ulrich makes what is probably the most useful point of
> this discussion so far -- background checks should be based on actual
> access to information or things materially significant to the CA. No
> current board member holds any part of the root key or passphrase --
> should that change, those board members who do hold it should be subject
> to a background check. It should, however, not be because they are a
> board members, but because they are a key holder.


Indeed, that is something that could and should be debated over at 
Policy Group, under that thread.


> The CAcert, Inc. board has different protections than other roles within
> the community. Protections such as separately enforceable legal
> obligations to declare interests and to not act in an improper way or a
> way which is detrimental to the association. These provisions in the
> Associations Incorporations Act, the Corporations Act and common law
> have far more bite than any obligation that any other member of the
> community is under.


It is also worth pointing out -- for that debate -- that the provisions 
of the new 2009 Associations Act were revealed substantially after 
Security Policy was written and placed into DRAFT.  The presence of the 
new requirements on CoIs might help in the discussion.

Another thing that would be worth pointing out is that the Board has an 
action point to discuss and figure out its CoI position, following on 
from the failed special resolutions of the last AGM.  That action point 
has been delayed in the past.


> In light of that, to make out that we're playing fast and lose with
> information or assets is a strawman.
>
> Unlike other roles which do require a background check, the board
> operates on the 14 + N eyes principle, where 14 is the number of eyes of
> board members, and N is the number of eyes in the community watching our
> deliberations and decisions. It takes 4 board members in agreement to
> act "as the board", and you, as association members have multiple ways
> to bring us to account for any decision, even one you simply don't agree
> with, let alone if there is an allegation of malfeasance.


Another good point for the debate on Policy Group.

(rest of mail, I feel best left for another day.)

iang