On 8/6/11 10:15 AM, "Mark Foster" wrote:
'Standard Pre-Employment Checks' could mean essentially nothing at all. It could mean a Police Records Check and a Referees check. It could mean a lot more depending on whose definition of 'standard' you run with.
Given the importance of the .nz zone in terms of NZ's critical Internet Infrastructure I'm surprised that someone like CCIP hasn't stepped in here to recommend (at the very least) a clearly articulated set of checks.
In the Government space there's obviously a series of vetting grades which range from 'Police Check' through to official vetting levels. CCIP through their parent org (GCSB) should be at least consulted on something such as this?
Also, it doesn't actually say that they passed the checks. Which is not facetious. A check just identifies risk, and it's perfectly reasonable to accept a risk after due consideration. But as Dean says, in this case we are delegating trust to NZRS. Given that, I'm less interested in knowing who they have chosen, rather I'm interested in the process they used.

By way of example: if the trusted people employed by NZRS were Dean and Andy then I'd be happy to trust them. The implication is that I should therefore trust NZRS. But, after a while both Dean and Andy move on to other jobs. If I only trust NZRS because I trust Dean and Andy then I should automatically revoke my trust in NZRS. By this model, I only trust NZRS once I, personally, have vetted their officers. And so for everyone else. Each of us doing background checks on the potential candidates. That's obviously nonsense: NZRS is the persistent entity that wants our trust, so it is up to NZRS to show why it should be trusted, and why it should continue to be trusted.

Another example: a notorious confidence trickster was asked how he could take advantage of people who trusted him. He replied condescendingly, "because it only works if they *do* trust you". If someone wants to subvert NZRS, then they will be personable and engaging and oh so trustworthy and will have glowing references. Or, you could just suborn them by threatening their family.

Which leads me to ask, is it possible for no one person to know the key, but rather to have just a portion of a key?

Regardless, and in support of Dean's position I think, can we have the exact processes around the keeping of the keys set out on an open forum so we can evaluate them?

--
Michael Newbery
IP Architect
TelstraClear Limited
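The question above, whether a signing key can be held so that no single custodian knows it, is exactly what a threshold secret-sharing scheme answers. The following is an added illustration of Shamir's scheme, not code from this thread or from NZRS, and it assumes a toy 128-bit secret with arithmetic over the prime field GF(2^127 - 1); an operational registry would keep the key inside an HSM and distribute M-of-N operator cards rather than run a script like this. The property to verify when evaluating such a process is the one the example checks: any k of the n shares reconstruct the key, and k-1 shares yield nothing useful.

```python
"""Shamir secret sharing: split a key into n shares so that any k of them
recover it and fewer than k reveal nothing about it.

Added example, not from the mailing-list thread or from NZRS.  Assumes a
constructed secret below 2**127 - 1 and is for illustration only.
"""
import secrets

# Mersenne prime defining the field GF(PRIME); all arithmetic is mod PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... at x, using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, k, n):
    """Return n (x, y) shares of `secret`; any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1,
    so k-1 shares are consistent with every possible secret.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an element of GF(PRIME)")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the shares at x = 0 to recover the constant term.

    Correct only when at least k distinct shares are supplied; with fewer,
    the result is some other field element, not the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den**(p-2) == den**-1 in GF(p)
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def custody_check(secret, k, n):
    """Model a k-of-n custody rule: True if k shares recover the secret and
    k-1 shares do not."""
    shares = split_secret(secret, k, n)
    with_quorum = recover_secret(shares[:k]) == secret
    without_quorum = recover_secret(shares[:k - 1]) == secret
    return with_quorum and not without_quorum


if __name__ == "__main__":
    # Constructed sample key; in practice this would be a KSK private value.
    demo_key = int.from_bytes(secrets.token_bytes(15), "big")
    print("3-of-5 custody rule holds:", custody_check(demo_key, 3, 5))
```

The point for the process discussion is that "portion of a key" is well defined: with a 3-of-5 rule, two officers leaving or two being coerced does not expose the key, and the published procedure can state the quorum, who holds shares, and how shares are rotated when staff change.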