-1. To Fix

W I P . . W I P . . W I P . . W I P . . W I P

Foundations Policy

0. Preamble

Foundations and Associations are now a strong part of CAcert's community. In part this is because the Dutch have set up a great Foundation, Oophaga, and a German Foundation named Secure-U is in the process of being set up for the support in Germany (CeBIT, etc). As time goes on, we'll get more and more questions on how to do this process.

Let's start a policy on Foundations. Here is a WIP policy, to get people thinking:


In this policy, we refer equally to Associations, Foundations, Vereins (German), Stichtings (Dutch), and other legal forms found around the world. For simplicity only the term Foundation is used in this document.

1. Principles

Foundations are a good mechanism to provide local support to CAcert activities. As a policy, the CAcert community encourages well-governed Foundations to be created and to take up local responsibilities.

  1. Foundations may accept and manage local donations, etc.
  2. Foundations may organise events.
  3. Foundations may provide budget for organised activities.

Limits on the Foundation.

  1. The Foundation should be non-profit, non-commercial, non-competitive. This needs to be measured against what is possible in local laws.
  2. The Foundation must use a Mission and/or Purpose that is written into their Charter that limits their purpose and responsibility.
  3. The Membership Register must be open to scrutiny by the community.
  4. The Financial Report must be open to scrutiny by the community.

Mission of the Foundation.

The Mission / Purpose should be controlled:

  1. Should be announced and comments accepted.
  2. Should support the CAcert community.
  3. Can only refer to CAcert if CAcert Inc agrees.
  4. Should be approved by the policy group.
  5. Should not be changeable. If changeable, a community process must be adopted.


... The "limitation of their purpose" has to be fortified. If we accept for example a German "Verein" with a very small membership base, these limitations can be easily changed by a member decision and therefore the way for a misuse of the money is prepared. So this limitation should be "fortified" and controlled carefully. I like (5), but can we - by legal terms - limit the change to a community process outside that foundation? If it is only inside, we need a broad member base ...

Disagreement with your idea that the local foundations should be bound to the mission instead of being bound to CAcert. For example, if the mission is "free certificates" then the local foundations could decide to spend the money on a free PGP project instead of CAcert. While it is fine for foundations to support many projects, if we create our own foundations we should make sure that they support CAcert.

Creating a foundation with the goal of supporting projects that issue free certificates is completely different from creating a foundation with the goal of supporting the CAcert project.

CAcert's mission itself is not defined. Is it "free certs"? Is it "any free certs" or is it special "free certs"? We need to define free certs.

ISOC suggests: "2. Purpose of Chapters. Chapters of the Internet Society are expected to serve the interests of a segment of the global Internet community in a manner consistent with the mission and principles of the Internet Society. Through a presence local to its community of interest, a Chapter focuses on issues and developments important to its community. A Chapter recognizes, honours, and uses the culture, customs, and language of its community. Every Chapter shall have an explicit statement of purpose."

Legal Independence

The Foundation should be legally independent from others, including CAcert Inc.

  1. The Foundation must not use "CAcert" in the name.
  2. The Foundation and its members must not represent themselves as being CAcert or CAcert Inc or even being "part of CAcert Inc".
  3. The Foundation may represent itself as "part of the CAcert community."

Comment: Representing is difficult ... too much hierarchy. There is a mutual thing with CAcert and others. E.g. a set of foundations/associations with a common goal, each with its sub area to take care of, each supporting the other.

Right now we talk about foundations especially created for the support of CAcert. Or is it for free certs? Which is it?

For example: There are several approaches to "issuing free certificates" (the "mission" for this example). I like some of them but not all. I like CAcert's approach. So I would donate money towards CAcert (CAcert's approach) but not to the overall mission "free certificates". If we move from a well-known name attached to a particular mission ("CAcert") to an overall "mission definition" we will lose our shape to the outside. This might confuse the public.

Or another example: CAcert is accepted as a "trusted CA" in more and more areas ("els..." "Sta...." for virtual post office...). If we move to a "mission attachment" outsiders might think about loose, uncontrollable structures while they believe in a fortified CAcert (which WE know it is not!).

ISOC suggests: "7. Liabilities The Internet Society shall not be liable for any act or omission or incurred liability of any kind of any Chapter." Also see "5. Public Positions and Statements."


The Foundation must maintain lines of communication open with CAcert and the community.

  1. Although independent, the community has the right to provide advice.
  2. A liaison officer must be named to the CAcert community.

Finances and Books

The Foundation must govern its own books.

  1. As we are a security community we expect money matters to be treated as seriously as we treat our systems.
  2. The money should be spent locally.
  3. Transfers between Foundations, regions and CAcert Inc must be carefully controlled and documented. The process must be open, transparent and auditable.
  4. Public reports on finances must be open.
  5. The Foundation should accept a community financial auditor.

Comment: So we should define which level of bookkeeping we set as a minimum standard. We don't need to raise it up to the German standard for example, but we should define a minimum.


Another idea: the "CAcert" foundations should be an Association member of CAcert Inc. In this way one is less dependent on individuals in the Association. With this I do not say that personal membership of the association should be impossible. Having a subgroup of association members who are a supervisory council and policy group with certain responsibilities and power, the CAcert association gets more body and corrective entities. The foundations still have their own independence. Is that something to bind the foundations, as well as to get CAcert more stable?

Maybe we could think of CAcert Inc. as a "parent foundation" (don't know if it's the right word). The child entities (the local foundations) are members of it. Having this in place would mean that the child entities (representing the users) have a certain amount of control because they do the AGM and vote in the board. By having this it would be even more protected. That's because control would need to be exercised over many daughter foundations before control of the main foundation was gained.

W I P . . W I P . . W I P . . W I P . . W I P