
cacert-sysadm - Re: [Cacert-sysadm] [CAcert-Policy] email account policy within CAcert organisation

cacert-sysadm AT lists.cacert.org

Subject: CAcert System Admins discussion list

  • From: "Sam Johnston" <samj AT samj.net>
  • To: Policy-Discussion <cacert-policy AT lists.cacert.org>
  • Cc: CAcert System Administrators <cacert-sysadm AT lists.cacert.org>
  • Subject: Re: [Cacert-sysadm] [CAcert-Policy] email account policy within CAcert organisation
  • Date: Wed, 16 Apr 2008 17:51:18 +0200
  • List-archive: <http://lists.cacert.org/pipermail/cacert-sysadm>
  • List-id: CAcert System Admins discussion list <cacert-sysadm.lists.cacert.org>

Teus,

I've made an attempt to both expand the scope to cover all CAcert communications (personal emails, press releases, IRC, etc.) and tighten this up into an enforceable policy (eg by using RFC2119 requirement levels) at http://svn.cacert.org/CAcert/Policies/CAcertCommunicationPolicy.html

It's mostly a reflection of current practices, incorporating the points in your wiki doc, focusing CAcert functional needs while leaving implementation details to the sysadmins. The most material change is that I haven't referenced @community.cacert.org addresses (simply because there is little difference between these and @cacert.org addresses, except reference to the org chart).

I've also touched on the concept of an acceptable usage policy which could be fleshed out separately and applied universally (eg to machine usage, etc.) ala DMUP.

Kind regards,

Sam

CAcert Communication Policy (CCP)

Author: Sam Johnston
Creation date: 2008-04-16
Status: WIP 2008-04-16
Next status: DRAFT 2008-04-XX

0. Preliminaries

This CAcert policy describes how CAcert communicates as required for achieving its mission.

1. Scope

This policy is applicable to:

  1. Press Releases
  2. Internet Email

2. Requirements

This section describes all CAcert communication channels.

  1. Press Releases
    1. Press releases MUST be approved by the board and issued via:
      1. Digitally signed email to appropriate mailing list(s) by the president.
      2. Posting and indefinite archiving on the official CAcert web site(s)
  2. Internet Email
    1. Email Accounts are official email accounts within the CAcert domain(s) (eg john AT cacert.org).
      1. All official CAcert communications MUST be conducted using an official address.
      2. All new accounts MUST be approved by the M-SC who SHOULD act conservatively.
      3. Applicants MUST be assigned a role/office on the CAcert organisation chart.
      4. Role accounts (eg support AT cacert.org) SHALL be implemented as a mailing list or automated issue tracking system as appropriate.
      5. All access SHALL be via POP, IMAP, HTTP and SMTP and MUST be authenticated.
      6. Outbound mail SHOULD contain the full name and short reference to the official capacity of the user (eg John Citizen (CAcert AO) <john AT cacert.org>).
      7. Outbound mail MUST be relayed via CAcert infrastructure (eg smtp.cacert.org).
    2. Mailing Lists are distribution lists containing CAcert community members.
      1. All new mailing lists MUST be approved by the M-SC who SHOULD act conservatively (regional lists are discouraged).
      2. List membership SHALL be restricted to CAcert Community members who are subject to the CCA (to be reflected in list info) and all posts are contributions.
      3. Lists SHALL follow the naming convention of cacert-<listname>@lists.cacert.org, with important lists (eg support, board) aliased @cacert.org
      4. List policy SHALL be set on a per-list basis (eg open/closed, searchable archives, etc.)
        1. Open lists (eg cacert-policy) shall be accessible by anyone (including Internet search engines)
        2. Closed lists (eg cacert-board) shall be accessible only by list members.
        3. Subscriber lists MUST NOT be revealed, even to list members.
        4. Posting to discussion lists (eg cacert-policy) MUST be restricted to list members and MUST NOT be restricted for role lists (eg cacert-board).
        5. Messages which do not meet list policy (eg size, non-member) MUST be immediately rejected.
      5. List management MUST be automated (eg Mailman).
      6. Subscription requests MUST be confirmed by the requestor.
      7. Web based archives MUST be maintained and accessible over HTTP and HTTPS.
      8. All authentication and authorisation MUST reflect list policy.
    3. Automated Email is sent by various CAcert systems automatically.
      1. All new automated emails MUST be approved by the M-SC.
      2. Automated emails SHOULD only be sent in response to a user action.
    4. Personal Email is individual personal addresses of CAcert Community members (eg john AT gmail.com).
      1. Personal email MUST NOT be used for official CAcert purposes.
      2. Personal email MAY be used for unofficial tasks (eg assurers coordinating assurances)
      3. In the event that email accounts are made available to all community members these MUST be used, and personal email MUST NOT be used at all.

3. Implementation

This section describes how CAcert communication channels are to be implemented.

  1. General
    1. CAcert System Administrators SHALL have discretion as to the technical implementation of this policy and SHALL report status to the board periodically.
  2. Security
    1. Authentication (where required) MUST be done via username and password and/or CAcert certificate.
    2. Transport encryption MUST be used where possible.
    3. Content encryption MAY be used where appropriate.
    4. All outbound mail SHOULD be digitally signed.
  3. Internet Email
    1. All mails MUST be securely archived for a period of 10 years.
    2. All mails MUST be subject to appropriate spam prevention mechanisms (eg SpamAssassin, greylisting).
    3. All mails MUST be subject to appropriate virus and content filtering (eg ClamAV, content types).

4. Acceptable Usage Policy

CAcert infrastructure is for official, lawful, non-commercial, non-abusive CAcert use only.


On Tue, Apr 15, 2008 at 5:55 PM, Teus Hagen <teus AT theunis.org> wrote:
The Management Sub-Committee has had some discussions after there was
some discussion on email accounts management within the CAcert
organisation. There is now a draft of this policy which can be found
here: http://wiki.cacert.org/wiki/EmailAccountPolicy

The document is still in draft, and we try now to get some feedback of
this discussion list in order to see if this suits the needs. Thereafter
M-SC will send this policy for final decision to the CAcert board. This
as CAcert association will be the final responsible body for this.

Please try to avoid discussion on discussion so we can get the decision
done in time.

teus
cc: to support and email system admin.