From the Committee of CAcert

Hereby, the Committee of CAcert Inc presents its executive report to the members of the Association, and by extension, to the entire Community of CAcert. This report covers the period 26th July 2009 to 30 June 2010. The period starts where last year's report left off, being the SGM of 2009, and finishes at the customary end of the financial year 2009/2010.

In addition to that defined period, the Committee presents a Forward Looking Statement that covers 1st July 2010 and beyond. Note also that Team Reports are not so constrained by fixed periods.

Terms

The terms committee and board are used interchangeably. The terms CAcert Inc. and the Association are used interchangeably. The term Member means a member of the Community, under the CCA, where unqualified, and a member of the Association or the committee where qualified.

Governance Statement

CAcert Inc. is incorporated under the Associations Incorporation Act, 1984 of NSW, Australia. The members of the Association are our registered participants in the governance of our wider Community. Total Association membership at 30th June 2010 was 76, and as of 18th February 2011, stands at 77.

As of 20100826, the wider Community outside the Association numbers some 3823 Assurers, 14389 fully assured members, and another 5552 with some Assurance Points.

CAcert Inc. has no employees – we rely fully on a cadre of volunteers to carry out all functions.

CAcert Inc. operates under the rules of the Association, as last resolved by the Association members, Jan 2010. Under these rules, CAcert Inc.’s affairs are managed by the Committee (more commonly called the Board). CAcert Inc also binds itself by means of the CAcert Community Agreement and prior decisions at AGM and Committee to the policies of the community.

The Committee, which comprises the president, the vice-president, treasurer, secretary and three ordinary members, is elected each year at the annual general meeting. The Committee meets on the Internet approximately twice per month. Meetings are generally open, publicly readable, and minuted on the wiki.

The Committee’s primary role is to manage the services, intellectual property and teams of the Community. The Committee is assisted by 2 other main groups, being the Arbitration Forum for the resolution of disputes and the Policy Group for the creation and approval of formal policies. The Committee directly manages the many teams of CAcert, each of which works within the policy framework of CAcert, documents its activities and processes on the wiki, reports to the Committee, and abides by rulings of the Arbitration Forum.

The Committee recognises the importance of our long-term intention to be in the browsers. To that end, our continuing task (Committee, the Association and the Community, all of us, together) is to prepare and complete Audits over the Community's Certification Authority and Registration Authority components.

The outgoing Committee provides this annual report to Members of the Association at the annual general meeting (AGM). The annual report includes a financial report, team reports, a summary of the year's events and a forward looking statement to assist the incoming Committee.

The Committee's Year in Brief

This report covers the period from the Special General Meeting of 25th July 2009 until the end of the financial year, 30th June 2010.

Priorities. As reported in the last report's "Outlook Statement," the new committee elected at the SGM took on three major priorities:

  1. Finances
  2. Data Protection
  3. Infrastructure Hosting

In addition, several important but non-critical targets were adopted over the year:

  1. Community Focus
  2. Teams
  3. Software
  4. Funding
  5. Alternative Payments Possibilities

1. Finances

In gaining control of the finances, these activities were undertaken: adding the Treasurer to the list of signatories, and preparing amendments to the Rules of the Association for the AGM to permit only one Member signatory (passed as agm20200202).

This priority consisted of two issues, being (a) acquisition of control of accounts, and (b) obtaining a statement of the state of finances. Both proved very difficult for these reasons: (i) the previous committee made little or no effort to assist in a handover of the books and financial affairs, and (ii) the rules required a minimum of two signatories. With only one signatory available, it took some 4 months before control was asserted. Then, within a month of gaining access to bank statements, a draft finance report was prepared by the Treasurer for this report. These difficulties caused the delay of the AGM until end-January 2010, and delays of over 6 months in paying two creditors.

The Committee took the following steps to ease the situation: Mark Lipscombe was confirmed as signatory, and Ernestine Schwob was added as signatory. A rule change was submitted to the association confirming the requirement for committee approval for all payments, and reducing the requirement to one signatory, including an employee or any Member of the Association. This rule change was approved by the Association (agm20100130.4.13). Accounting systems were investigated to prepare online accounts, accessible to all committee members, but no progress can be reported.

2. Data Protection

The committee recognised the importance and the value of previous work on this project, and immediately took over the full task. Previous project members were written to, alerting them that the new committee had taken on the task. The committee met 3 times to discuss the issue over the period July to December. As previously, the committee declared the topic and documents in closed session. Much research was done, and new information was uncovered. At the end of its deliberations, the committee concluded that CAcert was in compliance.

3. Infrastructure Hosting

On advice of the ex-auditor, the committee took the previous committee's hosting project to top priority. The project's mission is to get all "infrastructure" (formerly known as "non-critical") processes out of the domain of the critical team (physical, logical, governance). In technical terms, the project pushes for several dedicated machines ("hosts") to provide hosting of Virtual Machines (VMs). The view of the committee is that we need something like 3-4 different hosts, in a range of different locations, all with strong traditions in privacy and security. The project proceeded along these lines.

(i) The project analysed the value of an exchange with a commercial provider in USA, and created a technical and marketing pro-forma in order to analyse this opportunity and others. In the event, this option was not pursued.

(ii) The Swiss project team initiated negotiations with a hosting provider in Berne. By the end of the year, agreement had been reached in principle. The first Swiss VMs came online late December, and were handed over to the Infrastructure Team to start the migration process. In April, a contract negotiated by the Swiss project team with the hoster was presented to the Committee. However, the Committee's consensus was that some changes were needed, and this was not an acceptable option to the hoster nor to the project team. The offer was withdrawn in June 2010. The Committee then directed that the correspondence be examined so as to conclude that the agreement was terminated.

This project was very promising in technical terms, but was handled badly in governance terms, resulting in the collapse of the project. It cost the project team substantial efforts over 6 months, and dominated the Board's agenda for around 3 months.

(iii) Sonance, an art/tech Verein in Austria, expanded its VM provision and provided between 1 and 3 VMs, with more available on demand. The primary use was by the software development testing team. An agreement for an entire machine's worth of VMs was negotiated for power costs of 40 Euros per month, but this was not taken up. Sonance remains willing to provide VMs on demand.

(iv) Other efforts were pursued in Zurich and Vienna, but did not report substantial progress.

In conclusion, CAcert has not moved very far forward on this project. The rationale remains sound, and the committee continues to pursue any options.

4. Community Focus

In the aftermath of the failure of the first audit, June 2009, it became apparent (not least to the ex-auditor) that the Community had lulled itself into a false expectation of "someone else" doing the audit. This attitude continually blocked work being done, and had played its part in the audit failure. Hence, the goal was set to reverse this attitude within the Community. This was implemented informally by presentation, talking and persuasion at all and any opportunities, and by building some systems and processes to outsource the process to teams and to the Community.

In practice, this meant that the question "when is the audit done?" was rejected. Instead, we, all, the committee, the Community, ask you,

This message was inserted into the ATE process, into blog posts, various responses to requests, and into new innovations in Assurance such as CARS.

5. Teams

Getting teams to think more independently was one of the big successes of the last year. With the above message, and active work going on in rebuilding many teams (support, arbitration, software, testing, assurance, events), the success can be seen in the powerful set of reports in last year's report and again in this year's report.

Run not walk to your nearest team leader! The teams have great need of help, and your audit will only get closer as these contributions come in.

This committee takes note that the teams are bigger than the committee, and we can only slow them down. The Community takes note: you are bigger than the teams, and that is something you can and should fix :-)

6. Software

It was the committee's intention to advance in building 3 new teams for Software Assessment: Legacy Software, Testing and BirdShack. In the event, our efforts were not strong. We took over partial guardianship of the Software Assessment team. In that role, we appointed several new Software Assessors, once their ABCs had been completed.

Much work was done outside the Committee's direct involvement, and in the end we played no more than a supporting role.

7. Funding

It was also our intention to advance funding. Some suggestions were made, but none gathered support. The Funding situation of the Association remains dire, and if anything has slipped. Partly, this can be attributed to the large amount of effort expended in getting control of Finances (part 1 above), and partly to discord within the committee as to what are appropriate steps in Funding.

8. Alternative Payment Possibilities

At the Association's AGM of early 2010, the following was resolved as ordinary resolution 5.1 by the Association:

The committee and members of the Association investigated the costs of operating a European account and a USA account. Although the direct costs were not so high, the Committee is of the opinion that the management load on the Committee is too high. Especially in light of the bad experiences with the Australian bank account, the Committee is nervous of adding more work for small gain (see 1. Finances above).

Following agm20100130.4.13, it would still be possible for the Committee to appoint a Member of the Association to manage an Association account (whether new or existent), although this would require careful consideration by the committee. To date, no such proposal has been tabled. Therefore, pursuant to the resolution 5.1, this Committee reports to the Association that it does not recommend any action at the current time, but will keep an eye open for any changes.

Diary

Diary wip

The Committee's Forward-Looking Statement

July 2010 to January 2011 (AGM time)

This period has already passed, and this section can be seen as a preliminary briefing on the period. However, the next year's full report will properly replace this entire section with a formal report.

  1. The Committee adopted the Creative Commons licence known as CC-by-sa, or attribution+share-alike (3.0, Australia). This licence approximates the successful GPL licence for source code, as it requires distributors to also licence under a compatible regime. Thus, we all benefit from published improvements.
    1. For policies, m20100815.1
    2. For documentation, m20101112.1 pending!

  2. The committee has agreed to a light-weight agreement for hosting with Members for the time being.
  3. We have also expressed our full support for ATEs, or Assurer Training Events. It is noted that these are critical to preparing the Assurers and our web of trust for Audit.
  4. The committee adopts in principle the proposals of the Internal Audit team to pursue a two-phase path of Registration Authority (RA) Audit first, Certification Authority (CA) Audit second. The committee will place / has placed on the agenda the issue of retaining an Auditor to review the RA. It is noted that significant work in ATEs, co-auditing and disclosures will need to carry on in parallel. Any success in Audit will depend heavily on contributions by the Community. It should also be noted that the funding situation does not give us much flexibility.

  5. The committee has noted that the new Associations Act 2009 has now come into effect. The rules within the Act elevate the association to a much higher level of professional governance. One such rule, the need for three Australian members of the committee, has caused some concern, as our representation in Australia is far lower than our global presence. The Committee addressed this in the following ways:
    1. We resolved to support more recruiting in Australia, including the expenditure of funds to ensure ATEs, m20100912.2, m20100912.3.
    2. We sought an examination of the Federal code which does not include this restriction. In the event, the proposal was seen as small benefit for a lot of work.
    3. We asked for any other proposals. One such proposal was for NSW Cooperatives, but had expensive audit provisions.
    4. We resolved to prepare a rule change to meet the new Act, m20100912.1. However given the timings, it will not be presented at upcoming AGM.
  6. In the last months of 2010, this board was not able to retain full access to the bank account to facilitate the production of the financial report. This was due mostly to the factors outlined in the main report. Much effort was expended on adding a non-Australian, but this proved too hard. We suffered the resignation of the sole signatory before we could get others added. To address the lack of access, Kevin Dawson was appointed as new Public Officer, and with the assistance of Ian Grigg, proceeded to gain access to the account directly through the bank. This involved several trips, a lot of paperwork, many motions and many minutes. Success is not expected before this report completes.

     (Earlier draft of this item: "Both the Treasurer and the Public Officer resigned, leaving us again with no access to the bank account. Kevin Dawson was appointed as new Public Officer, and with the assistance of Ian Grigg, proceeded to gain access to the account directly through the bank. This involved several trips, a lot of paperwork, many motions and many minutes. Success is not expected before this report completes.")

  7. An Arbitration a20100212.2 allocated new liabilities to the Association. In the board's opinion this was problematic and an appeal was requested. However, this ran into the DRP's rule that had the Board hearing any appeal. Action within the Policy Group replaced that rule with a new Appeal Forum sourced under the Dispute Resolution Officer's control.

March 2010 - end 2011

Looking forward, the Committee plans to:

1. Support the audit process, and to encourage the community to also do the same.

2. Address the new Act:

3. Support the Software Teams' combined efforts to build suitable systems and capabilities.

4. Finance:

5. Examine the possibility of a TOP in Europe of all directors and key team leaders.

6. Re-invigorate the Infrastructure Hosting process.