CAcert Communication Policy (CCP)

Author: Sam Johnston
Creation date: 2008-04-16
Status: WIP 2008-04-16
Next status: DRAFT 2008-04-XX

0. Preliminaries

This CAcert policy describes how CAcert communicates as required for achieving its mission.

1. Scope

This policy is applicable to:

1. Press Releases
2. Internet Email
3. Internet Relay Chat (IRC)

2. Requirements

This section describes all CAcert communication channels.

1. Press Releases
   
   1. Press releases MUST be approved by the board and issued via:
      
      1. Digitally signed email to appropriate mailing list(s) by the president.
      2. Posting and indefinite archiving on the official CAcert web site(s)
2. Internet Email
   
   1. Email Accounts are official email accounts within the CAcert domain(s) (eg john@cacert.org).
      
      1. All official CAcert communications MUST be conducted using an official address.
      2. All new accounts MUST be approved by the M-SC (who SHOULD act conservatively on behalf of the board).
      3. Applicants MUST be assigned a role/office on the CAcert organisation chart.
      4. Role accounts (eg support@cacert.org) SHALL be implemented as a mailing list or automated issue tracking system as appropriate.
      5. All access SHALL be via POP, IMAP, HTTP and SMTP and MUST be authenticated.
      6. Outbound mail SHOULD contain the full name and short reference to the official capacity of the user (eg John Citizen (CAcert AO) <john@cacert.org>).
      7. Outbound mail MUST be relayed via CAcert infrastructure (eg smtp.cacert.org).
   2. Mailing Lists are distribution lists containing CAcert community members.
      
      1. All new mailing lists MUST be approved by the M-SC (who SHOULD act conservatively on behalf of the board).
      2. All 'dead' mailing lists SHOULD be removed by the M-SC (on behalf of the board).
      3. List membership SHALL be restricted to CAcert Community members who are subject to the CCA (to be reflected in list info) and all posts are contributions.
      4. Lists SHALL follow the naming convention of cacert-<listname>@lists.cacert.org, with important lists (eg support, board) aliased @cacert.org
      5. List policy SHALL be set on a per-list basis (eg open/closed, searchable archives, etc.)
         
         1. Open lists (eg cacert-policy) shall be accessible by anyone (including Internet search engines)
         2. Closed lists (eg cacert-board) shall be accessible only by list members.
         3. Subscriber lists MUST NOT be revealed, even to list members.
         4. Posting to discussion lists (eg cacert-policy) MUST be restricted to list members and MUST NOT be restricted for role lists (eg cacert-board).
         5. Messages which do not meet list policy (eg size, non-member) MUST be immediately rejected.
      6. List management MUST be automated (eg Mailman).
      7. Subscription requests MUST be confirmed by the requestor.
      8. Web based archives MUST be maintained and accessible over HTTP and HTTPS.
      9. All authentication and authorisation MUST reflect list policy.
   3. Automated Email is sent by various CAcert systems automatically.
      
      1. All new automated emails MUST be approved by the M-SC (who SHOULD act conservatively on behalf of the board).
      2. Automated emails SHOULD only be sent in response to a user action.
   4. Personal Email is individual personal addresses of CAcert Community members (eg john@gmail.com).
      
      1. Personal email MUST NOT be used for official CAcert purposes.
      2. Personal email MAY be used for unofficial tasks (eg assurers coordinating assurances)
      3. In the event that email accounts are made available to all community members these MUST be used, and personal email MUST NOT be used at all.
3. Internet Relay Chat (IRC)
   
   1. An IRC service SHALL be maintained at irc.cacert.org which SHALL be available via SSL.

3. Implementation

This section describes how CAcert communication channels are to be implemented.

1. General
   
   1. CAcert System Administrators SHALL have discretion as to the technical implementation of this policy and SHALL report status to the board periodically.
2. Security
   
   1. Authentication (where required) MUST be done via username and password and/or CAcert certificate.
   2. Transport encryption MUST be used where possible.
   3. Content encryption MAY be used where appropriate.
   4. All outbound mail SHOULD be digitally signed.
3. Internet Email
   
   1. All mails MUST be securely archived for a period of 10 years.
   2. All mails MUST be subject to appropriate spam prevention mechanisms (eg SpamAssassin, greylisting).
   3. All mails MUST be subject to appropriate virus and content filtering (eg ClamAV, content types).

4. Acceptable Usage Policy

CAcert infrastrucutre is for official, lawful, non-commercial, non-abusive CAcert use only.