CAcert Communication Policy (CCP)

CAcert Draft
Editor: Sam Johnston
Creation date: 2008-04-16
Status: DRAFT 2008-04-25 (m20080425.1)
Next status: POLICY 2008-XX-XX

0. Preliminaries

This CAcert policy describes how CAcert communicates as required for achieving its mission.

1. Scope

CAcert Community Members are subject to the CAcert Communication Agreement (CCA).

This policy is applicable to:

  1. Press Releases and Announcements
  2. Internet Email
  3. Internet Relay Chat (IRC)

2. Requirements

This section describes all CAcert communication channels.

  1. Press Releases and Announcements
    1. CAcert Community Members may communicate on their areas, but these are considered community views.
    2. Targeted announcements may be sent to a minority subset of users who have opted in to receiving information on the topic.
    3. Press releases and official announcements must be approved by the board and issued via:
      1. Digitally signed email to appropriate mailing list(s).
      2. Posting and indefinite archiving on the official CAcert web site(s).
  2. Internet Email
    1. Email Aliases are official email addresses within the CAcert domain(s) (eg john@cacert.org).
      1. All official CAcert communications must be conducted using an official address, which is typically a forwarding service.
      2. Access to full accounts (available only to officials listed on the organisation chart) shall be available via web interface and standard mail protocols.
      3. Outbound mail should contain the full name and short reference to the official capacity of the user: John Citizen (CAcert AO) <john@cacert.org>.
      4. Role accounts (eg support@cacert.org) shall be implemented as a mailing list or automated issue tracking system as appropriate.
    2. Mailing Lists are automated distribution lists containing CAcert community members.
      1. List management (new list creation, dead list removal) shall be managed by the board.
      2. List membership shall be restricted to CAcert Community members and all posts are contributions, as described in the CCA.
      3. Lists shall follow the naming convention of cacert-<listname>@lists.cacert.org, with important lists (eg support, board) aliased @cacert.org.
      4. List policy shall be set on a per-list basis (eg open/closed, searchable archives, etc.)
        1. Open lists (eg cacert-policy) shall be accessible by anyone (including Internet search engines) and closed lists (eg cacert-board) only by list members.
        2. Posting to discussion lists (eg cacert-policy) must be restricted to list members and must not be restricted for role lists (eg cacert-board).
        3. Messages which do not meet list policy (eg size, non-member) must be immediately rejected.
      5. Subscription requests must be confirmed by the requestor and subscriber lists must not be revealed.
      6. Web based archives shall be maintained and authentication must reflect list policy.
    3. Automated Email is sent by various CAcert systems automatically.
      1. All new automated emails must be approved by the board.
      2. Automated emails should only be sent in response to a user action.
    4. Personal Email is individual personal addresses of CAcert Community members (eg john@gmail.com).
      1. Personal email must not be used for official CAcert purposes.
  3. Internet Relay Chat (IRC)
    1. An IRC service shall be maintained at irc.cacert.org which shall be available via SSL.

3. Implementation

This section describes how CAcert communication channels are to be implemented.

  1. General
    1. CAcert System Administrators shall have discretion as to the technical implementation of this policy and shall report status to the board periodically.
  2. Security
    1. Authentication (where required) must be done via username and password and/or CAcert certificate.
    2. Transport encryption must be used where possible.
    3. Content encryption may be used where appropriate.
    4. All outbound mail should be digitally signed.
  3. Internet Email
    1. All mails must be securely archived.
    2. All mails must be subject to appropriate spam prevention mechanisms (eg SpamAssassin, greylisting).
    3. All mails must be subject to appropriate virus and content filtering (eg ClamAV, content types).
