Policy-Discussion

[Benedikt Heintel <benedikt AT cacert.org>]

Dear Group,

good you are starting this discussion, it is necessary after what
happened lately. However, I disagree in getting a motion from PolG here.

I support Ian's proposal to set up a System under a sub-domain of c.o to
publish the policies (not a big deal though, will be created within hours).

I prefer to have a repository, keeping all versions of a policy and
being able to display them as HTML, PDF and other document formats.
We might also be able to work collaborative on a new draft within this
repository.

This solves only the publishing part. How about the information part?
There should be an easy form to inform the members. The mass mail could
be provided via an interface, where the PolO is allowed to write the
text in an a second instance of CAcert approves it. Who would be
eligible to approve? This could be an Arbitrator, an Auditor, or someone
else with authority. If the approval is not given within 24 or 48 hours
the request is escalated to another authority.

All actions should be logged and the audit trail reviewed regularly.
A process should be designed and voted here in PolG.

Best Regards,
Benedikt

Am 18.01.2015 um 21:15 schrieb Ian G:
> So, the rules of the game are starting to wear thin.
> 
> The answer then is to change the game.  It's long been suggested that
> Policy should be on its own website.  It's not critical, it's not
> software, it doesn't need assessment or review or multiple teams
> coordinating its post on a ... website.
> 
> I'd suggest you put your energy into getting that website up. Pick a
> domain like cod.cacert.org.  Or pop or pol or whatever. Then get it up
> and going in the VMs on the non-crit servers.  Find a sysadm to manage
> it.  Scp the ready policys by hand, it's only a single command.
> 
> The usage of software as a control over policy was an accident of the
> past.  Don't fight it ... fix it :)
> 
> iang
> 
> 
> On 18/01/2015 20:57 pm, Eva Stöwe wrote:
>> Hello,
>>
>>>> Resolved,
>>>> that the editor of a policy or the Policy Officer may ask other
>>>> teams to
>>>> do needed actions to add, exchange or remove policy documents on
>>>> CAcerts
>>>> website as long as the policy documents meet the requirements of the
>>>> PoP
>>>> (COD 1), afterwars. This includes any steps to inform CAcert members
>>>> about such changes, if needed.
>>> OK, Aye, but under protest.  I believe this to be a no-op because once a
>>> policy motion has been passed, the other teams therefore have the
>>> authority to act.
>> They surely have the authority to do things. But if they do not do it by
>> their own, who may ask them to do it? That is the question that is not
>> decided. (Well ok, I have a motion to do the tedious stuff as PolO for
>> PolG - p20140427, but I get told that I may not ask for such activities,
>> anyway.)
>>
>> This is NOT a theoretical question. Until I started to push this issue,
>> the policies were not replaced on the website by updates for over two
>> years, even as there were according bugs in the bug tracker.
>>
>> And at the moment I also get told that I have no right to ask the teams
>> to do something that the CCA requires us to do. I would not mind if they
>> would do it on their own, but
>>
>> As PolO I have to manage the policies according to PoP. It also demands
>> that we take care that correct versions of the policies are not confused
>> with old ones (as was the case with the CCA on the webiste). The above
>> policy motion tells me to take care about those tedious things for PolG.
>>
>> So I am responsible that those things get done. - But at the same time I
>> may not ask the teams to get them done (and I cannot do them on my own).
>>
>> If the software team is correct with that interpretation of the policies
>> I have to take the burden of the responsibility but I may not address
>> them or critical team with any needed activities - activities our
>> policies ask for. I just have to wait and hope that they will discover
>> the need to do something on their own.
>>
>> (Or, I have to go through Arbitration for any such change. While
>> Arbitration struggles to keep up with the cases they have, anyway.)
>>
>> That just does not make a lot of sense to me.
>>
> 

-- 
Benedikt Heintel - 
benedikt AT cacert.org
CAcert Assurer for People & Organizations
CAcert internal Auditor

CAcert.org - Secure Together
http://www.cacert.org

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature