This document addresses the challenges faced by novice CA managers in creating consistent, compliant policies. It emphasizes positive practices and offers solutions to streamline the policy-writing process. The goal is to improve efficiency, reduce reviewer iterations, and enhance accreditation processes.
Template Profile Jens Jensen, STFC RAL GridNet2/ UK e-Science CA OGF22 Boston
The Problem CA policy CA practice statement CA PRACTICE MINREQ Best Practice Check consistency
New Policies • Usually written by novice CA mgr • Using bits from other CP/CPSes • Accentuate the positive • All the good bits get copied around • Eliminate the negative • All the bad bits get copied around
Problem • Policies become inconsistent • Don’t satisfy minimal requirements • Need many iterations with reviewer • Bad for CA manager • Bad for reviewer
Common Examples • RA checking CRL • 4.5.2 MUST at time of reliance • 4.9.6 MUST at time of reliance • 9.6.4: “according to their satisfaction” • Email both confidential and not • Flood protection at 1.2 metres on 1st floor
Is it a big problem? • We already cover half the world • But there is another half
Proposed Solution? • Working group on Template Profile • Jens, David G, Milan, Anders, Vinod, David O'C, Mike, Sergey, Hardi • Get the “best” bits from policies • Living document – but needs an editor • Reviewers best to write/contrib • Become an IGTF document
Status • …er, not really started yet • Amsterdam meeting Jan 2008
Piecing it together • Easier to set up new CP/CPS • Too easy? • Easier to get it right sooner • Often many, many, iterations are req’d • Greatly delays Accreditation
Operational Reviews • TAGPMA are leading in this area • Template for operational review • But a reviewer still needs to read the CP/CPS!! • Quicker if many bits known to be good • APGridPMA auditing for accreditation • Yoshio’s auditing procedure
Operational Reviews • Highlight: • Which bits are canonical • Which bits are based on guides • Which bits are changed since previous version
Piecing it together • Delaying Accreditation is bad • Reviewers are already overloaded • (Not necessarily with reviews but with real life jobs) • Time consuming for new CAs • Get new CAs in early (PMAs) • Not after the policy is written
Piecing it together • Not aiming for machine parseable • Or should we? • (Chadwick, Coghlan/O’Callaghan) • TAGPMA guide to writing CP/CPS
What about existing CAs • Leave alone, for now • Some not satisfying minreqs • Minreqs change, too • Mythical six months to update
Back on track…? • Urgent changes - Aggressive option • Do it in six months or else • Medium urgency • Address with next CP/CPS change • At least before next PMA presentation • Lower urgency • Discuss at next presentation
Summary • Template profile • Approved text for sections where it makes sense • Approved guidelines (cf TAGPMA) for other sections • Open bits • Get new CAs in early