• PolicyDecisions

Decisions by Policy Group

According to Policy on Policy, Policy Group can make decisions concerning policies. This list tracks formal (voted) decisions made in most-recent-first order. See also Policy and DecisionNumbers.

p20200930 Minor changes at the CAcert Community Agreement

Etienne: Resolved,

• that the geographical references of CAcert Inc. which are not mandatory in terms of content are removed from the CAcert Community Agreement (while retaining all references to common law concerning the Community):

CCA COD09 CAcert Community Agreement

1. changes from p20141008 in section 0.1 Terms:
   • change from:

          "CAcert" means CAcert Inc., a non-profit Association of Members incorporated in New South Wales, Australia.

   • change to:

          "CAcert" means CAcert Inc., a non-profit Association of Members.

2. changes from p20141008 in section 3.1 Governing Law:
   • change from:

          This agreement is governed under the law of New South Wales, Australia, being the home of the CAcert Inc. Association.

   • change to:

          This agreement is governed under the law of New South Wales, Australia.

Motion p20200930. Consensus of 6:0 reached. Voting closed at 2020-10-18

• Vote opened 2020-09-30;be open until 2020-10-06

p20200923 Minor changes at Privacy Policy and the Root Distribution License

Etienne: Resolved,

• that the geographical references of CAcert Inc. which are not mandatory in terms of content are removed from the Privacy Policy and the RDL:

RDL COD14 Root Distribution License

1. changes from p20140731 in section 1 Terms:
   • change from:

          "CAcert Inc" means CAcert Incorporated, a non-profit association incorporated in New South Wales, Australia.

   • change to:

          "CAcert Inc" means CAcert Incorporated, a non-profit association.

PP COD05 Privacy Policy

1. changes from m20060629 in section 10 Legal mandates:
   • change from obsolete:

          If you need to contact us in writing, address your mail to:
             CAcert Inc.
             PO Box 66
             Oatley NSW 2223
             Australia

   • change to:

          If you need to contact us in writing, address your mail to the postal address of CAcert Inc. The current postal address of Cacert Inc. can be found on CAcert's web site.

Motion CARRIED. Consensus of 6:0 reached. Voting closed at 2020-09-30

• Vote opened 2020-09-23;be open until 2020-09-29

p20141008 CCA to POLICY

Eva: Resolved,

• that the CAcert Community Agreement goes to POLICY status.

Motion CARRIED. Consensus of 20:0 reached. Voting closed at 2014-10-15

• Vote opened 2014-10-08;be open until 2014-10-15

p20140731 Move 7 Policies and 4 Subsidary Policies from DRAFT to POLICY

Eva: Resolved,

• that the following policies are moved from DRAFT to POLICY status:

1. Policy on Policy ("PoP" => COD1)

2. Configuration-Control Specification ("CCS" => COD2)

3. Certification Practice Statement ("CPS" => COD6)

4. Dispute Resolution Policy ("DRP" => COD7)

5. Security Policy ("SP" => COD8)

6. Organisation Assurance Policy ("OAP" => COD11)

7. Root Distribution License ("RDL" => COD14)

8. Organisation Assurance Subsidary Policy - Germany (COD11.DE)
9. Organisation Assurance Subsidary Policy - Europe (COD11.EU)
10. Organisation Assurance Subsidary Policy - Australia (COD11.AU)

11. TTP-Assisted Assurance Policy ("TTP-Assist" => COD13.2)

The documents can be found: https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html

However at least the PoP is NOT posted correctly there. See also below where the policies went to draft.

Motion CARRIED. Rough consensus of 11:1 reached. Voting closed at 2014-08-14

Vote opened: 2014-07-31. Motion posted here open until: 2014-08-14

p20140709 CCA update to DRAFT

Eva: Resolved,

• that the CCA is updated as https://svn.cacert.org/CAcert/Policies/CAcertCommunityAgreement_20140708.html

A short overview of the changes: [will be added soon, probably 2014-07-10 evening UTC, but is also contained in above link]

Motion CARRIED. Consensus of 18:0 reached. Voting closed 2014-07-27.

• Vote opened 2014-07-09. Closes Sunday 2014-07-27.

p20140427 Eva for Policy Officer

Iang: Resolved,

• that Eva be confirmed as our Policy Officer, be empowered to represent us in annual reports, given our support in pushing completed decisions into the website, and any other minor administrative stuff that we don't want to do ourselves.

Motion CARRIED. Consensus of 11:0 reached. Voting closed 20140508.

• Voting opened 2014-04-27. Motion posted. Closes Sunday 2014-05-8.

p20130223 Several minor changes to PoP to DRAFT

Ulrich: Resolved,

that we update Policy on Policy (PoP) as proposed under https://svn.cacert.org/CAcert/Policies/PolicyOnPolicy.html (markers in blue) with the following changes:

1. to update the "old" style header to the "new" style header
   • change from:

          PoP                Iang
          POLICY p200800204.1                20080309
          COD1
                  Policy on Policy

   • change to:

          Name: PoP COD1
          Status: POLICY p200800204.1
          Editor: Iang 20080309                      [PoP Status - POLICY] x1)
          Changes: 20100507, 20130223                [PoP Status - DRAFT]  x1)
          Licence: CC-by-sa+DRP
     
             x1) as the POLICY and DRAFT pictures

2. changes from 20100507 in section 0
   • change from:

          0. Preliminaries
     
          Policy on Policy adopts the IETF model of 'rough consensus' to create
          CAcert documents within the open [cacert-policy] mail list forum.

   • change to:

          0. Preliminaries
     
          Policy on Policy adopts the IETF model of 'rough consensus' to create
          CAcert documents within the open CAcert Policy Group mail list forum.  x2)
     
          x2) "mail list forum" with a link to
            https://lists.cacert.org/wws/info/cacert-policy

3. changes from 20100507 in section 1.3
   • change from:

          1.3 The policies so created are generally binding on
              CAcert, registered users and related parties

   • change to:

          1.3 The policies so created are generally binding on
              CAcert Inc., members under CAcert Community Agreement (CCA => COD9)
              and other related parties under other agreements.

4. changes from 20100507 in section 1.4
   • change from:

          1.4 The Policy Officer manages all policies and the policy group.
          The policy group is formed on the open mailing list known as
          [cacert-policy], and is to be open to all Community Members of CAcert.

   • change to:

          1.4 The Policy Officer manages all policies and the policy group.
          The policy group is formed on the open mailing list known as
          CAcert Policy Group, and is to be open to all Community Members of CAcert.

5. section PoP 2.5 to add the minutea changes section, as known from p20100306 - minor changes to PoP
   • adding:

          2.5 Editors may make the following changes, where it is clear
              that the change does not change the policy:
     
               o fixes to errors in grammar and spelling,
               o anchors, HTML errors, URLs & formatting,
               o COD numbers and other references, and
               o other minutiae, as agreed under 2.3.
     
          Such changes to be notified to the policy group, and to be
          folded into effect, etc, without further ado.

6. proposed changes from 20100507 to section 2.5, now moves to 2.6
   • adding:

          2.6 Documents of lower status (work-in-progress or DRAFT)
              must not be confusable with documents of higher status
              (DRAFT or POLICY). Copies should be eliminated where
              not being worked on.

7. proposed changes from 20100507 from CCS work -and- recently identified subsection in CPS (9.16.1) (where should policies reside?) to move to PoP
   • adding:

          5.4 POLICY documents are published on the CAcert website
              in plain HTML. Change control must be in place.

8. point 6.5 to add "A record of decisions is to be maintained."
   • change from:

          6.5 Mailing lists should be archived, and important meetings
              should be minuted.

   • change to:

          6.5 Mailing lists should be archived, and important meetings
              should be minuted. A record of decisions is to be maintained.

Motion CARRIED. Consensus of 19:0 reached. Voting closed 20130309.

• Voting opened 2013-02-23. Motion posted. Open for 2 weeks until Friday March 8th, 2013 inclusive.

p20130222 PoJAM to POLICY

Ulrich: Resolved,

• We've now have 3 years of experience with our Policy On Junior Assurers and Members Assurance Subpolicy under DRAFT status

• No further updates or modification requests have been received assurance area.

• Therefore, RESOLVED to approve the Policy on Junior Assurers / Members, also known as PoJAM to POLICY status (under PoP), here:

• https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html

Motion CARRIED. Consensus of 21:0 reached. Voting closed 20130309.

• Voting opened 20130222. Motion posted. Open for 2 weeks until Friday March 8th, 2013 inclusive.

• Philipp double vote 2013-03-06, identical to first vote

• Alex double vote 2013-03-08, identical to first vote

• Brian double vote 2013-03-08, identical to first vote

p20130116 DRP - drop three references to Board's role in Appeal

Iang: Resolved,

that we delete the following 3 references to Board's role in appeal in Dispute Resolution Policy, having been superceded by the creation of an Arbitrators' forum of appeal in p20110108:

• 3.5 Liability, DELETE 11 words:

  • (by means of a new dispute causing referral to the Board).

  • Now Reads:
    • The above provisions may only be overridden by appeal process.
• 3.6 Remedies, DELETE 3 words:

  • by the Board ....

  • and as an addition proposed after voting started, REPLACE entire sentence:

    • ' Novel remedies outside the domain may be routinely confirmed by the Board by way of appeal process, in order to establish precedent.

  • Which Now Reads:

    • Remedies remain subject to appeal.

• 4.2 The Disadvantages of this Forum; DELETE 6 words:

  • and refer it to the board.

  • Now Reads:
    • Members may have their rights trampled over. In such a case, the community should strive to re-open the case.

Note that 3.6 has been improved on the fly. Voters can express their lack of consensus on the policy group. Following vote refers to entire package of changes, including the late addition.

• These changes are indicated in GREEN in the policy group's working copy.

• Voting opened 20130116. Motion posted. Open for 2 weeks.

Motion CARRIED. Voting closed 20130131.

p20121213 DRP - minor changes, excluding controversial issues

Bernd: Resolved,

• (1) that the minor changes to the Dispute Resolution Policy (DRP) be confirmed to DRAFT as shown in the Policy Group's current work-in-progress copy of the policy, with the exception of the subtractions of Board involvement in sections 3.5, 3.6 and 4.2 which are left untouched as in the official version of the DRP.

  • Edit: Noted that the changes in 3.5, 3.6 and 4.2 which are excluded from this vote are now reverted back to the original and only shown as comments in green in the work-in-progress document (which now corresponds exactly to the version to be confirmed to DRAFT by this motion).

  • Noted that the changes are listed briefly in the corresponding Policy Group post.

  • Noted further that these are only minor changes required to update the policy to the modern terms & practices in use in the Community and in other policies. All controversial issues recently discussed in the Policy Group are explicitly excluded from this vote and postponed to a later decision.

  • Noted, especially, that the changes recorded in 3.4 referring to the process of appeal are covered by the earlier decision p20110108.

• (2) This decision is open for voting for one week (from 20121213 to 20121220).

Brief description of the non-trivial changes:

• Everywhere (where the term was old and out of date):

  • user(s) => Member(s).

• Everywhere (ditto):

  • Registered User Agreement => CAcert Community Agreement

• Many places, where CAcert Inc as a party is indicated:

  • CAcert => CAcert Inc.

• 0. for CAcert => for the CAcert Community, consisting of CAcert Inc and Members who agree to the CCA.

• 1.5 Arbitrators are experienced Assurers of CAcert => Arbitrators are experienced Assurers.

• 2.2 / 4th

  • CPS => CCA

  • Non-Related Persons -- Disclaimer and Licence => Root Distribution License,

• 2.4 users of CAcert => Members

• 3.3 binding and final => ordinarily final and binding (this may or may not have been covered in p20110108)

• 2.6 (added seek)

• 3.6 CAcert => the Community

Voting opened 20121213. Motion posted. Blog.

Motion CARRIED. Consensus of 30:0. Voting closed 20121221.

• Counted Philipp's vote as it arrived on 20121221 before the voting was formally closed.

p20121113 DRP - minor clarifications to parties, etc

Iang: Resolved,

• (1) that minor changes to DRP be confirmed to DRAFT under p20100306 and be incorporated in any future revisions of the policy.

  • Noted that the changes are listed briefly in policy group post.

  • Noted also that changes are shown in the policy group's current & working copy of the policy; additions in BLUE, minor additions in steelblue, and deletions in overstrike purple.

  • Noted further that these are not material changes, and are required to update the policy to the modern terms & practices in use in the Community and in other policies.

  • Noted, especially, changes recorded in 3.4 referring to process of appeal are covered by earlier decision p20110108.

• (2) This decision is open for voting for one week.

• (3) Further Resolved that these changes, and the changes from p20110108 be in DRAFT for a period of one month, from the close of this decision, at which time it is presented for vote to POLICY.

Brief description of changes:

• Everywhere (where the term was old and out of date):

  • user(s) => Member(s).

• Everywhere (ditto):

  • Registered User Agreement => CAcert Community Agreement

• Many places, where CAcert Inc as a party is indicated:

  • CAcert => CAcert Inc.

• 0. for CAcert => for the CAcert Community, consisting of CAcert Inc and Members who agree to the CCA.

• 1.5 Arbitrators are experienced Assurers of CAcert => Arbitrators are experienced Assurers.

• 2.2 / 4th

  • CPS => CCA

  • these Non-Related Persons (NRPs) => they

  • Non-Related Persons -- Disclaimer and Licence => Root Distribution License,

  • NRP => and

• 2.4 users of CAcert => Members

• 3.3 binding and final => ordinarily final and binding (this may or may not have been covered in p20110108)

• 2.6 (added seek)

• 3.5 (by means of a new dispute causing referral to the Board). => (deleted for p20110108)

• 3.6

  • CAcert => the Community

  • by the Board => (deleted for p20110108)

• 4.2 and refer it to the board. => (deleted for p20110108)

Motion FAILED. Voting closed 20121120.

Voting opened 20121113. motion posted.

p20111113 CPS #7.1.2 "Certificate Extensions" adjustments

MichaelTänzer: Resolved,

• that the CPS section 7.1.2 is changed as stated on https://wiki.cacert.org/PolicyDrafts/CPSKeyUsageChanges

Motion CARRIED. Consensus of 24:0. Voting closed 20111128.

• Jason voted twice, both aye, so only one counts
• dirk voted twice, both aye, so only one counts

p20110108 DRP #3.4 Appeal handled by Arbitrators

Iang: Resolved,

• that DRP 3.4 be changed to state the following:

  • "3.4 Re-opening the Case or Appeal

  • In the event of clear injustices, egregious behaviour or unconscionable Rulings, a review may be requested by filing a dispute. The new Arbitrator reviews the new dispute, re-examines and reviews the entire case, then rules on whether the case may be re-opened or not.

  • If the Review Arbitrator rules the case be re-opened, then the Review Arbitrator refers the case to an Appeal Panel of 3. The Appeal Panel is led by a Senior Arbitrator, and is formed according to procedures established by the DRO from time to time. The Appeal Panel hears the case and delivers a final and binding Ruling."

• as shown in BLUE at our wip copy of the DRP.

Motion is CARRIED. Voting closed 20110126.

Voting opened 20110123. voting.

p20101009 Changes to CCA for RDL

Iang: Resolved,

• that we take to binding DRAFT the changes listed in our wip-copy of CCA, as shown in BLUE. These changes are primarily alignments with the new Root Distribution License, and some tidy-ups.

Motion is NOT carried. Voting closed 20101024. Requests to postpone from Uli and Nik are treated as NAYS. Motion posted.

p20100913 TTP Assisted Assurance Subpolicy

Ulrich: Resolved,

• that the TTP Assisted Assurance Subpolicy be approved to DRAFT.

• including the changes recorded in blue.

• This version is based on the new deployment version started back in December 2009 Hamburg-MiniTOP.

Motion CARRIED. Consensus of 24:0. Voting closed weekend 20100926.

p20100722 License our Policies under CC-BY-SA-3.0-AU

Iang: Resolved,

• That we request CAcert Inc (Board) to licence our policy work under "Creative Commons Attribution-Share-Alike" license, at least. The license short form is "CC-BY-SA", being the 3.0-AU variant.

See PolicyDrafts/DocumentLicence Alternative 2.

Motion CARRIED. Consensus of 6:1. Voting closed weekend 20100801. Request sent to board meeting 20100801. Board agrees!

p20100710 License root under Root Distribution License

Iang: Resolved,

• that the Root Distribution License be approved to DRAFT, and that it become the only way in which the Roots of CAcert can be distributed.

• Further, that Non-related Parties - Disclaimer and Licence be withdrawn entirely and immediately, fully effective on finalisation of this motion. The purpose of the NRP-DaL is entirely replaced by the RDL.

• Further *, that policy group move to modify the CCA to clarify that USE and OFFER include a standard for correct operation, and this will likely involve sharing of roots by OFFER of Members, and USE of roots by NRPs.

• Finally, that other proposals (CC-BY-ND and 3pv-DaL) be taken off the table. Policy group contributors and editors are thanked for thought-provoking comments and useful debate.

* 3rd paragraph added 20100716, mid-vote, with rough consensus.

Motion CARRIED. Consensus of 15:3. Voting closed weekend 20100724.

p20100627 License root under CC-BY-ND

Sascha Thomas Spreitzer: Resolved,

• The CACert root certificates are licensed under the "Creative Commons Attribution-No Derivative" license. The license short form is "CC-BY-ND".

Adverse comments seen from Kyle and Nathan, but no call.

NOT Carried. With 8 to 6 in favour, rough consensus is not established. Closed 20100710.

p20100624 CCA defining "CAcert Services"

Daniel: Resolved, {1},

• The following definition be appended to 0.1 Terms of the CCA

  16. "CAcert service" is a service related to the certificate issuing and assurance
  of CAcert members, run by CAcert, for the exclusive benefit of members.  Services
  provided by members to the community or CAcert which are sold, or made available
  to non-members, in a substantially similar form are not considered CAcert services.

NOT Carried.

p20100510 Security Policy to DRAFT

Iang: Resolved,

• that, Security Policy goes to DRAFT,

• including the changes recorded in blue.

Motion CARRIED. Voting closed weekend 20100606.

p20100426 CCS to DRAFT

Iang: Resolved,

• that, Configuration-Control Specification (CCS) goes to DRAFT

Motion is carried, 13 to 2. Closed 20100517.

p20100401 VETO takes a policy to WIP Document

Iang: Resolved,

• That, when a DRAFT policy is vetoed under PoP 4.6, the policy status is terminated and the document reverts to Work-In-Progress under PoP 3.

Motion is Carried, 14 to 2, on 20100411.

p20100327 Remove Board background checks from DRAFT Security Policy -- VACATED

Daniel Black: Identified that board background checks conflict with Association Rules

By rough consensus the issue of background checks of board members is resolved as follows: This purported decision does not reach the standards of Policy on Policy and and is vacated 20100330. If any further deliberations are required they should be done by a proper vote before policy group. Board should abstain. Elsewise, refer to dispute resolution procedures in PoP.

p20100326 Security Policy to remain in DRAFT

Iang: Resolved,

• According to PoP, a policy can only be in DRAFT for a year ... Security Policy reaches this milestone this Saturday, following p20090327.

• Now, there are some marked up suggestions in BLUE that have not been voted upon. These basically add an "Application Engineer" who is responsible for the application. We would need to make a bit of a decision here as to which way we want to go.

1. Keep SP in DRAFT for another period, and re-work those BLUE sections.

2. Accept the BLUE, and go to POLICY.

3. Discard the BLUE as not voted, and go to POLICY.

4. Or?

Vote closed 20100326. Security Policy remains in DRAFT.

p20100306 Policy Officer makes minor adjustments

Iang: Resolved,

• A Broken URL in a policy requires a change under the rules in PolicyOnPolicy. So policy group has to change it. It is actually a change that is needed in a lot of places. We could:

  1. read the policy, make the changes needed, vote it thru.

  2. vote a blanket decision that Policy Officer may change URLs to track any links that move in any existing policy.

  3. vote a blanket decision that Policy Officer may make the following changes, where it is clear that the change does not change the policy:

     1. URLs to track any links that move,

     2. grammatical errors,

     3. anchors, HTML errors & formatting,

     4. COD numbers and formatting

     5. other minutiae,

  4. make a formal change to Policy on Policy to incorporate the style of 3 or 2 above, as was proposed here.

Vote closed 20100306. Option 3 is carried with 8 Ayes. Policy Officer may make minor adjustments:

p20100120 Assurance Policy: require government ID

Alexander: Resolved,

• The current assurance policy is not clear enough about what is acceptable and what is not to verify a person's names.

• RESOLVED, that section 2.2 of the AP is to be amended with the following:

• "Except for different names due to marital status, and except for exclusion of middle names, the deviation from section 2.1 should be for technical reasons only."

Vote Aye if you want the AP to be clear about what is allowed and what is not, and specifically require a match with government issued ID.

Vote Nay if you prefer to leave this an open question and allow names which are not in government issued ID.

Not Carried.

• Note 1: there were arguments that not all countries issue government ID's for everyone and hence this proposal is discriminatory. There is discussion for a new proposal that would only handle those countries that do issue them, to at least be clear about those, for example a Europe subpolicy.
• Note 2: Some (Iang, Mario, Pieter, Faramir) have in my opinion showed arguments that they may be in favor of a new proposal, for Europe only.

p20100119 PoJAM to DRAFT

Ulrich: Resolved,

• We've discussed the PoJAM a lot in past. I call on Policy Group to bring back our Juniors:

• Therefore, RESOLVED to approve to DRAFT status (under PoP) the Policy on

Junior Assurers / Members, also known as PoJAM, here:

• https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html

Vote closed 20100130. The decision is carried with 14 Ayes, 2 Nays. PoJAM moves to DRAFT

• Morten Gulbrandsen voted twice, both Aye, last counts:

• 1st Date: Tue, 19 Jan 2010 20:37:11 +0100 https://lists.cacert.org/wws/arc/cacert-policy/2010-01/msg00100.html

• 2nd Date: Thu, 28 Jan 2010 01:08:24 +0100 https://lists.cacert.org/wws/arc/cacert-policy/2010-01/msg00151.html

• Aye votes: {1}, Alexander Prinsier, Morten Gulbrandsen x1), Dominik George, Ulrich Schroeter, Joost Steijlen, Ian Grigg, Tomáš Trnka, Bernhard Fröhlich, Faramir, Brian McCullough, Martin Gummi, Nathan Edward Tuggy, Raoul Xavier Boerlage

• Nay votes: || Hans Verbeek, Martin Schulze

p20100113 Stop issuing class3 certificates

Daniel: Resolved,

• Proposes that: CAcert stops issuing Class3 certificates

Voting closed on 20100119 due to new information m20100117.3. Not carried, NO consensus.

• Aye votes: Daniel Black Philipp Dunkel Guillaume Romagny, Pieter, Andreas

• "Middle" Abstentions: Dominik, Alexander

• Nay votes: Iang-reasons RaoulXavierBoerlage, Gero, Mario, Philipp G, Ted, Lambert, Tomáš Trnka, Faramir, Morten

p20091108 CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets

Daniel: Resolved,

• The following modifications be made the DRAFT CPS, http://svn.cacert.org/CAcert/policy.htm, before it is copied as per p20091106:

In: 1.4.5. Roots and Names

the text ", IDN" is to be removed from the table.

Add after section 3.1.6 the following text:

3.1.7. International Domain Names

Certificates containing International Domain Names, being those containing a ACE prefix (RFC3490 Section 5), will only be issued to domains satisfying one or more of the following conditions:

• The Top Level Domain (TLD) Registrar associated with the domain has a policy that has taken measures to prevent two homographic domains being registered to different entities down to an accepted level.
• Domains contain only code points from a single unicode character script, excluding the "Common" script, with the additionally allowed numeric characters [0-9], and an ACSII hyphen '-'.

Email address containing International Domain Names in the domain portion of the email address will also be required to satisfy one of the above conditions.

The following is a list of accepted TLD Registrars:

(insert table from http://www.mozilla.org/projects/security/tld-idn-policy-list.html)

This criteria will apply to the email address and server host name fields for all certificate types.

The CAcert Inc. Board has the authority to decide to add or remove accepted TLD Registrars on this list.

In 3.2.2. Authentication of Individual Identity remove the portion of the table containing:

IDN  |  Can create International Domain Name (IDN) certificates

Carried. Vote closed 20091115 with consensus of 10 Ayes. Implemented!

p20091106 CPS to be placed on the main website

Iang: Resolved,

• The existing document under http://www.cacert.org/cps.php be removed.

• The DRAFT CPS located at http://svn.cacert.org/CAcert/policy.htm be copied onto the website location at http://www.cacert.org/policy/CertificationPracticeStatement.php (and be recopied from time to time at policy group's discretion).

• The URL at http://www.cacert.org/cps.php be permanently redirected to the final home of the CPS at http://www.cacert.org/policy/CertificationPracticeStatement.php

• This is a one-off to remove the confusing effect of the now-deprecated document at http://www.cacert.org/cps.php .

Carried. Vote closed 20091115 with consensus of 13 Ayes.

p20090706 CPS to DRAFT

Philipp: Resolved,

• Therefore I would like to motion that unless there is dissent by 1 week from now (2009-07-06) we consider that the CPS has passed into DRAFT status.

Vote closed 20090706 with consensus of 16 AYES.

• Votes for PD, Alejandro, Guillaume, Robert, Greg and Evaldo were assumed from from Board's m20090614.6

p20090327 Security Policy to DRAFT

Philipp: resolved,

• I am proposing this new Security Policy to pass it into DRAFT. The Policy WIP can be found at https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html

Within the Security Policy there are a lot of references to the Security Manual. If you want to have a look at the current state of that, you can find it at SecurityManual

Vote closed 20090327 with consensus of 11 Ayes.

p20090218.1 Add Danish SVR trade office registrar to the OA sub-policy Europe table of accepted trade office registrars

Teus: Resolved,

• Proposal has been acknowledged by three Danish Assurers. CAcert board and OA Assurance manager were involved to overview first Organisation Assurance.

p20090210.1 Add Belgian KBO trade office registrar to the OA sub-policy Europe table of accepted trade office registrars

Teus: Resolved,

• Proposal has been acknowledged by two Belgian Assurers. CAcert board and OA Assurance manager were involved to overview first Organisation Assurance.

p20090105.2 Assurance Policy status: POLICY

Philipp: Resolved,

• Proposal to accept Assurance Policy as POLICY has been voted on. Votes ended 24th of December 2008.

(AP is now on main website.)

p20090105.1 Methods to check Domain/Email Control and Ownership

Philipp: Resolved,

• Proposal to adapt in the Certificate Policy Statement (CPS) email/domain checks is accepted:

1. CAcert will check whether an individual has control of the email address requested for certificate inclusion within 24 hours a client certificate is requested and may check at any time thereafter.
2. In order to get a certificate issued by the *Community Member Subroot* the member must have been assured at least once and received at least one point. This ensures that the member has physically signed the CCA.
3. In order to have their Name included in a client certificate or have a certificate issued by the *Assured Community Member Subroot* the member has to have been assured to at least 50 points.
4. In order to have a server certificate issued by any subroot at least 2 of the following checks have to be completed successfully:
   1. E-Mail Ping sent to an administrative email address from WHOIS
   2. DNS Cookie
   3. HTTP Cookie
   4. Statement of at least 2 assurers about ownership/control of the domain name
   5. The RFC addresses.

Closing date for votes was 24th of December 2008. CARRIED.

• Philipp G abstained on point 4 only.

p20081016 All Information in Certificate is Verified

Teus: Resolved,

• To adopt the following principle as policy:

  • All information in the certificate is verified.

• Verification means one of the following:

1. Assurance, as per Assurance Programme and Assurance Policy (e.g. Name).
2. "Evaluation" as per Certification Practice Statement (e.g. domains, email address).
3. Control, as per Certification Practice Statement (e.g. serial numbers, etc.).
   • (The word "Evaluation" may be replaced at a later time by a term more suitable.)

• Carried. Closed with 10 for, none against.

p20080920 Organisation Assurance sub-policy for Europe voted to DRAFT

Teus: Resolved,

• Organisations registered with (CAcert) approved (and official) trade office registry can apply for CAcert Organisation Assurance. Countries with Approved Registry: Austria, Finland, France, Ireland, Netherlands, Sweden, United Kingdom, Norway.

Votes: consensus

• Comment: Appendix 2 with tables of not yet approved countries and registries is not part of the sub-policy and is for information only. Organisation Assurers handbook and Organisation Assurance wiki will have detailed information about regsitry company search, trade office extract costs, etc.

p20080917.1 Drop wildcards for unassured Members

Iang: Resolved,

• Wildcards are to be dropped as features available to unassured Members.

Carried. Votes: 7 Ayes. 2 Nays. 1 Abstained.

20100708: Iang Following request for review of thread by Philipp G, the text and subjectAltNames was dropped from decision (2nd and 3rd words).

p20080917.2 Expiry times on Certs

Iang: Resolved,

• Expiry times on certs to be limited to:
  • 6 months for unassured Members
  • 24 months for Assured Members

Votes: 5 Ayes.

Note, this motion originally included 12 months only for code-signing

• Votes: 4 Ayes. 1 Nay.

• Philipp G pointed out that there is currently no check on code-signing for a different expiry, so it is 24 months. Therefore, because it was misrepresented in debate as being the current situation, the above vote on 12 months only for code-signing should be treated as suspect and revisited in the future.

p20080712.1 Assurance Policy

Teus: Resolved,

• Proposal for Assurance Policy to move from WIP to DRAFT status.

Votes: 9 Ayes, 1 Nay, 4 Abstentions. It is not clear who the Abstentions were.

p20080429.1 Organisation Assurance Sub-Policy for Ireland

Teus: Resolved, that:

• Proposal to put Organisation Assurance WiP sub-policy for Ireland to DRAFT status.

Votes: 4 Ayes, no rejections or further comments.

p20080402.1 Organisation Assurance Sub-Policy for Australia

Teus: Resolved,

• Proposal to put Organisation Assurance WiP sub-policy for Australia to DRAFT status.

Votes: 3 Ayes, no rejections or further comments.

p20080401.1 Policy on Organisation Assurance

Teus: Resolved,

• Proposal to change the DRAFT OA policy with: OA Officer appointed by CAcert Board, OA Advisor (150 point Assurer) can become OA Assurer and OA Advisor can advise for organisation assurance when no OA Assurer is available.

Vote closed: only Ayes.

p20080401.2 Proposal to drop Date of Birth

Teus: Resolved,

• Should CAcert drop the DoB on the form, and in the archive?

Vote closed: 4 Ayes, 3 Nays. some not clear votes (Rasika): 1 Aye, 2 Nay

Conclusion: Not Carried. DoB is not dropped.

p20080308.1 Organisation Assurance sub-policy for Austria

Philipp G: Resolved, that:

• Proposal for Organisation Assurance sub-policy for Austria draft. Author: Philipp Gühring. Decided on the policy email list. The last version of the sub-policy.

Votes closed: Ayes: 2 from Austria, no rejects or comments.

p20080204.1 Policy On Policy

Iang: Resolved,

• Policy on Policy goes to POLICY status.

Carried. Vote called, closed.

p20080128.1 Assurers are individuals not organisations

Iang: Resolved,

1. Assurers are individuals, not organisations.
2. Organisation Assurers are individuals, too.
3. Organisation Assurance does not rely on web-of-trust, but instead relies on quality processes.

In the above, _individuals_ is synonymous with _natural persons_ and _organisations_ is synonymous with _legal persons_ being organisations that are legally separated from people.

Carried. Closed.

p20080109.1 CCA to POLICY status

Teus: Resolved,

• CAcert Community Agreement is now POLICY status.

This means that the DRAFT copy moves to the POLICY copy.

Carried. 5 Ayes, 0 Nays. called, last call, final call.

p20080106.1 Members

Iang: Resolved,

• To adopt the following naming of participants:

  • User	A person not registered with CAcert who accesses a CAcert protected website, etc.
    Community Member	A person who is registered with CAcert
    Association Member	A person who is a member of CAcert Inc.

• (9 Ayes, 0 Nays, 1 Abstention?)

  • called, closed

• This vote was also notified to board, and no response seen.

• Community Member may be written in short as Member and is implied.

• Association Member should be written in full. The Association may choose another term at their discretion.

p20080104.1 Contributions

Teus: Resolved,

• Change PoP Contributions clause to:

  • 6.2 Contributions to formally controlled documents such as Policies are transferred fully to CAcert Inc. Copyrights and similar intellectual property rights required to incorporate the Contribution are either transferred to CAcert Inc, or, are issued and contributed under free, open, non-restrictive, irrevocable, exclusive, and clear licence to CAcert Inc. In all cases, CAcert Inc licenses the contributions back to the community under an open licence.

(5 Ayes, 0 Nays)

Carried. started, last call.

p20071217.1 Multiple Names

Teus: Resolved,

• Multiple names are permitted and need to be assured per name.

Commentary. This means that the accounts and Assurance process should be adjusted to cope with multiple names. Assurance Policy suggests 50 points for each name.

This vote was called but also declared as consensus: 1, 2. The vote was not properly documented in mail archives, therefore would not be called a voted decision.

p20071107.1 Privacy

Jens Paul: Resolved, that:

• Change CCA Privacy clause to:

1.4  Privacy

You give rights to CAcert to store, verify and process and publish your data in accordance with policies in force. These rights include shipping the data to foreign countries for system administration, support and processing purposes. Such shipping will only be done among CAcert Community administrators and Assurers.

Privacy is further covered in the Privacy Policy (PP => COD 5).

Carried. Ayes: 3. started (actually, it was started in Advisory meeting and this post carried it into Policy Group, from memory, iang), closed.

p20071207.1 Organisation Assurance sub-policy for the Netherlands

Teus: Resolved,

• the Netherlands sub-policy for Organisation Assurance to DRAFT. Author: Teus Hagen.

called. Decided on policy email list by consensus, no votes seen. The last version of the sub-policy.

p20071022 Organisation Assurance sub-policy for Germany

Teus: Resolved,

• Germany sub-policy for Organisation Assurance to DRAFT. Author: Jens Paul.

Carried. called and closed.

Added retrospectively from mail archives 20100610. This decision was redone from one improperly recorded in TOP.

---

Some reminders of policy decision taken by other means

p20070918.1 Policy on Organisation Assurance

Jens Paul: Resolved,

• Proposal for first Organisation Assurance Policy draft.

Decided upon by decision of CAcert TOP meeting September 2007: m20070918.x.

p-XXX-20070918.2 Organisation Assurance sub-policy for Germany

Jens Paul: Resolved,

• Proposal for first Organisation Assurance sub-policy draft for Germany.

Decision made in CAcert TOP meeting Septmber 2007, m20070918.y but unrecorded. Re-done on policy group, 22nd of October 2007 on Policy email list as decision #p20071022 above.

deprecate this section.

m20060629 Privacy Policy (PP) (COD5)

Info out of https://svn.cacert.org/CAcert/Policies/ControlledDocumentList.html

---

• CategoryAudit

• CategoryPolicy

• CategoryDecisions