Committee's Forward-Looking Statement

This statement consists of the Committee's predictions and plans for the future, beyond the financial year July 2008 to June 2009. For convenience, to reflect the passage of time and the facts, and because distinct teams were elected to the Committee, it is divided into three periods.

SGM20090725 Committee Forward-Looking Statement (Draft Report)

This Statement covers the period from the SGM of 25th July up to the AGM/AGM20100130, or as close as we can get it. This is more of a draft report than a statement, because the period has already happened. However, the formal report will be in the AGM annual report to follow.

Priorities

Following the SGM of 25th July, the new team identified and pursued the following three priorities: Finances, data protection and infrastructure hosting.

Finances. This consisted of two issues: acquiring control of the accounts, and obtaining a statement of the state of the finances. Both proved very difficult, for two reasons: the previous committee made little or no effort to assist in handing over the books and financial affairs, and the rules required a minimum of two signatories. With only one signatory available, it took some 4 months before control was asserted. Then, within a month of gaining access to the bank statements, the Treasurer prepared a draft finance report for this report.

For the record, the delay in the AGM and report was due to this blockage. The Committee took the following steps to ease the situation: one member, Mark Lipscombe, was confirmed as a signatory, and another member, Ernestine Schwob, was added as a signatory. A rule change was submitted to the association reducing the requirement to one signatory, who must be an employee or member of the association. Accounting systems were investigated with a view to keeping the accounts online, accessible to all committee members.

Data protection. The committee recognised the importance and the value of the previous work on this project, and immediately took over the full task. Previous project members were written to, to alert them that the new committee had taken on the task. The committee met 3 times over the period July to December to discuss the issue. As previously, the committee declared the topic and documents to be in closed session. Much research was done, and new information was uncovered. At the end of its deliberations, the committee concluded that CAcert was in compliance.

Infrastructure Hosting. On the advice of the ex-auditor, the committee raised the previous committee's hosting project to top priority. The project's mission is to get all "infrastructure" or "non-critical" processes out of the critical team's domain (physical, logical, governance).

The project analysed the value of an exchange with a commercial provider in the USA (not progressed), created a technical and marketing pro-forma, and pursued several opportunities. By the end of the year, agreement had been reached in principle with a hoster in Switzerland and another in Vienna, with 2 more possibilities in the works. The first Swiss VMs came online in late December and have been handed over to the Infrastructure Team to start the migration process. The view of the committee is that we need something like 3-4 different VM hosts, in a range of different locations, all with strong traditions in privacy and security.

Informal but Important Goals

Community Focus. Although not an express focus, one other major project merits mention. In the aftermath of the failed audit, it became apparent (not least to the ex-auditor) that the Community had lulled itself into a false expectation that someone else would do the audit. This attitude had continually blocked work being done, and had played its part in the audit failure. Hence, the goal was set to reverse this attitude within the Community. This was implemented informally by presentation, talking and persuasion at any and all opportunities.

In practice, this meant that the question "when is the audit done?" was rejected. Instead, we, all, the committee, the Community, ask you,

Teams. Gradually this message filtered through to the team leaders and the senior assurers. As this message spread, we have been able to grow our active and contributing teams, because the perspective is now clear: if you want an audit, your contribution is the only way it is going to happen.

This success can now be seen in the hefty Team Contributions in this report. The Community Member is encouraged to read those reports, count up the contributions, and run, not walk, to their nearest team leader. This committee takes note that the teams are bigger than the committee, and we can only slow them down.

AGM20100130 Committee Forward-Looking Statement (Plan for New Committee)

This Statement covers the period from the AGM/AGM20100130 to 30th June 2010, at which date that year's annual report will close, to be presented to the following AGM at the end of 2010. This Statement is forward-looking, and will need to be endorsed and/or adjusted by the Committee of AGM/AGM20100130.

We plan to do the following in the next 6 months:

Software. Although good work has been done in the software area, it is now CAcert's Achilles heel. This is because the situation is more or less unchanged since the original board of 2004-2006. In 2009 we have seen growing attention to software, firstly with the Birdshack initiative, and more recently with the development infrastructure initiative.

CAcert's approach has been to hold some areas still while fixing others. Now it is the turn of software. The community is already forming a new development process, as well as hopefully restarting the Birdshack project. Team growth is a priority.

Funding. The finances of the association have fallen fallow. From relatively high advertising revenues, and the apparent-but-tied injection of funds from NLnet for audit and TOP purposes, CAcert's finances are now in a weak state where income just covers hosting outgoings. Since the advertising market has changed and the prices paid have decreased, we cannot expect advertising income to increase. As long as we have no banners and our website is a "critical system", we cannot change very much at the moment. To fund projects within CAcert, we have to draw up a plan for each project so that we can ask for donations; a donor will then know what the money will be used for.

Preparation for Audit. Work to prepare for audit has been ongoing, but with the move of the infrastructure services into independent locations, it is now possible to focus more directly on the audit requirements. Policy group needs to push through the remaining work (CCS). An internal audit team needs to form, and prepare the criteria and checklists for external review. Assurance needs to run its co-auditing programme, and prepare its report. Board and team leaders need to work out a comprehensive disaster recovery plan.

Opportunities. As well as the above, the committee will continue to push for opportunities to be grasped. We want all our services running and secured through client certificates. We need a new roots project to pick up where the 2008 team left off. We need support software for the Assurance team.

July 2010 and beyond: Forward-Looking Statement (the further future)

This Statement covers the period from the 30th June 2010 onwards, and will not be reported on until the AGM of 2011. It is quite likely to change.

Starting an Audit. By mid 2010, it may be possible to start the hunt for an external auditor. As work still remains to be done, it is totally futile, a drain on faith, and a false promise to bring in an auditor before CAcert can say "We Are Ready." As we get closer to that period, we will ask all the Team Leaders to declare their readiness, according to a set of criteria.

The audit may take the form of separate audits, one for CA (systems) and one for RA or Registration Authorities (Assurers).

Expanding the use of Certificates. As we can see, the audit path is a slow and tortuous one. We will get there in the end, but alternatives are needed. And there are places where the audit is not a blocking issue. One huge one is client certificates, and another is the re-invigoration of secure email using such things as the OpenPGP standards. We can also influence the take-up of security systems by getting directly involved in software development, and the day will come when the code to use certificates comes from our software team.


D R O P P E D

Mission. As we move further into the security and privacy areas, we will need to pause and think about our mission. It has already gone through many iterations, and sometimes it does not quite fit the actions we find necessary to take. Are we a CA or a Community? Do we favour X.509 to the exclusion of OpenPGP, and why? Can we promote software, or can we promote security? Most of the time these questions are not contradictory, but when they are, our mission will tell us where we go next.