Policy-Discussion

[Philipp Dunkel <p.dunkel AT cacert.org>]

Hi all,

I can live with that. If it is clear that the board as such has no actual 
access, but is simply in charge of controlling/managing access, then this is 
fine.

May I propose the following as the Road-Map we take:

* First we agree that due to the Boards Veto, the Security Policy in now a WIP
* Second we remedy Security Policy and move it back to DRAFT for a period of 
1 Month
* Third we Move the Security Policy to POLICY when that time expires.

Is there a rough consensus on this Road-Map?

Regards, Philipp

On Mar 31, 2010, at 22:56 , Daniel Black wrote:

> On Thursday 01 April 2010 07:43:54 Mark Lipscombe wrote:
>> On 4/1/2010 6:42 AM, Pieter van Emmerik wrote:
>>> Hi all,
>>> 
>>> As the board of CAcert consists of persons elected by members of CAcer
>>> association I do not think they should have the requirement of a
>>> background check except when they want to get access to critical systems
>>> or sensitive information.
>>> They form a political function and as such qualify because the have been
>>> elected by association members.
>>> Granting access to sensitive resources is not the same as having access
>>> to those resources.
>>> If board members want to have access to critical or sensitive data the
>>> of course the also have to be background checked.
>>> Granting access is more a administrative and/or political action.
>>> If in that process no access to critical systems or sensitive data is
>>> needed, a background check is unnecessary.
> 
>>> For comparison: in a company which handles secret information, the
>>> people handling that secret information will need to have a government
>>> issued security clearance, however the management that hires them do not
>>> necessarily need to have a security clearance as the do not access
>>> classified information themselves.
> 
> Same case for CAcert - arbitration does the assessment independently of the 
> board appointment of critical roles.
>> 
>> Pieter's message sums up my opinion also on the proposed change.
>> 
>> I would also add that the board has existing obligations to "do the
>> right thing" that exceed any penalties that may be meted out other
>> members of the community, including custodial penalties in the most
>> extreme circumstances.
>> 
>> Regards,
>> Mark
> 
> agree with both sentiments here. The appointment of people isn't a security 
> sensitive function.
> 
> -- 
> Daniel Black
> CAcert

Attachment: smime.p7s
Description: S/MIME cryptographic signature