To review:


CAcert's Year July 2009 to June 2010

20090725 The Special General Meeting was held at the request of Member Nick Bebout, seconded by Member Mario Lipinski, with several significant resolutions:

The final business of the SGM was to elect a new board for the interim period:

These were adjusted to swap Ernestine Schwob and Philipp Dunkel's positions.

20090728 Board established three priorities:

As well, the Board decided to keep the private mailing list set up by the last Board. But, as Rule 23B had failed to be adopted as an Association special resolution, the Board also voted it into effect as a Board motion, m20090728.4, requiring the Board to routinely keep business public, to formally decide by motion when to close the deliberations, and to publicly disclose the topics and reasons. Open governance was established. Shortly thereafter, the Board established a private list for all "corporate actions", being those formal communications sent to a board member that should be seen by all (m20090910.1).

20090815 CAcert sysadmins met up at HAR2009. One task they were able to handle easily was the destruction of some older physical drives. This was the second time a new procedure had been followed in drive destruction; this time it was easier because of onsite hardware from a commercial company.

20090815 Board adopted a Community Communications practice that was substantially open, and placed power with the team leaders to grant access. No longer was it required for the Board to approve any access to a community tool such as email, blog or wiki.

20090815 Mark Lipscombe took on the Public Officer role, replacing Robert Cruikshank.

20090928 CAcert introduced a new concept to the community from the Assurance Team: CARS or CAcert Assurer Reliable Statement. This was introduced so that our Members can send in reports on events, training, co-auditing and other important things. At the bottom of the report, the Member types her name and CARS to indicate that the above words are reliable enough to present to an Auditor, the Arbitrator or any other member with a need to rely. Throughout the year, this concept was rolled out.

20090911 A new signing server was commissioned by the Netherlands team, thanks to a donation from NLUUG, the Dutch association of (professional) Open Systems and Open Standards users to Oophaga.

20090914 The board shut down all the older "special programs" until they could be properly written up by policy group. This is required because they breach the Assurance Policy, making audit a necessary fail.

20091001 We adopted a push for client certs. The Blog and the mailing lists were configured to join CATS and the main website. Overall this experiment was successful: although it takes some setup, afterwards the troubles are few, and far less than with passwords and spam.

20091004 Iang posted a Funding subproject called Adopt-A-Page that intended to drive our page value up.

20091015 Immediately after the above, we received notice that Thawte, a South African CA owned by Verisign, were shutting down their web of trust in one month. As CAcert ran a program called Tverify to accept the points from their program at par, this affected us.

To help the people transition from that old and popular web of trust, the Board voted to extend the Tverify program until the Thawte access was shut down on 20091116, as at that point we would not be able to verify the points. Also, the Board voted to give Tverify people a year to get assured, which will be up very soon after this report goes to press.

20091115 Ongoing discussions about the Arbitration backlog and Support blockages reached the Board. These were in deadly embrace, as we could not appoint new SEs without Arbitrated Background Checks (ABCs), and we could not fix Arbitration without a better support team. ABC was written into the Security Policy by Philipp Dunkel to replace the old undocumented "background check". To resolve the deadly embrace, Guillaume resigned as Support Team Leader, and the Board appointed Iang to revamp the team, assisted by Ulrich to push through ABCs. The concept of a Triage team was introduced.

20091122 Board pushed to move infrastructure hosting outside the critical domain of BIT, Ede so as to make audit easier. Hosting in Vienna by Sonance was accepted, and a project to provide hosting in Berne was started.

20091126 Daniel Black presented on certificate infrastructure at

20091106 Finally, CAcert's CPS or Certification Practice Statement was put onto the main website in DRAFT mode. This document took over 3 years to write, and during the journey, outsourced many of its tricky parts into other strong policies: Assurance Policy, OAP, Dispute Resolution Policy, Policy on Policy, Security Policy, CCA, etc.

20091206 The Board completed its analysis of the data protection issues of CAcert's operations, and concluded that we were in compliance.

20091211 Arbitration documentation project was started by Ulrich, and speed-ups were examined.

20091215 Assurance team met in Hamburg for a MiniTOP. PoJAM or Policy on Junior Assurer/Members was started.

20091216 Software people met in Essen for a MiniTOP. The new repository was up and running, and attention turned to test and developer systems. At the following Board meeting, the Board requested that additional members be brought into the Software Assessment Team, but progress was very slow.

20091231 It was decided to move the DNS and OCSP from the infrastructure team to the critical team, thus placing it under the regime of Security Policy. Shortly thereafter, the main domains and domain account were also moved to the critical team.

20100103 Lambert was appointed as DRO, or Dispute Resolution Officer, after Nick resigned in late December, to be assisted by Ulrich. Pace on the documentation picked up.

20100103 A draft of the financial report was presented by Ernestine.

20100117 Board discussed the new roots situation in depth, but still no plan, no team.

20100130 The Association held its Annual General Meeting. At that meeting, the report was presented, including Board's report, Financial Report, and 13 team reports. At around 70 pages, the document was hefty. A set of resolutions was passed into the Association Rules, and a new Board was elected:

20100201 Policy group voted the PoJAM to DRAFT, giving members and assurers under 18 the way forward.

20100202 With the passing of a special resolution reducing signatories required for payments to one, the Board was able to start making payments after a delay of 6 months. Two patient creditors were paid, being Iang and Oophaga.

20100206 Fosdem 2010 was a big event for CAcert with Assurance Booth and event. Iang gave a 15 minute lightning talk at Fosdem in Brussels called "Client Certificates - The Old-New Thing".

Assurance Team held a MiniTOP in Brussels. Main topic was to plan the new co-auditing year in preparation for Audit.

20100213 Software team MiniTOP in Offenbach reported on state of repository.

20100221 Ulrich was appointed as Assurance Officer by Board, taking Sebastian's place. Michael Tänzer was appointed as Support Officer, taking Iang's place.

20100306 Daniel Black was appointed as Infrastructure Team Leader.

20100327 Walter Güldenberg was appointed as Events Team Leader, replacing Ulrich.

20100304 In response to concerns raised about privacy and security in Support Team, especially for the new Triage team, and OTRS, the Support Team's new tracking system, it was decided that neither would be directly under Security Policy, but they should be documented under Security Manual.

20100306 CeBIT! The major event of the year was well attended over the 5 days with a team of 8 to 12 Assurers. Co-audit program was finalized for the year and started.

20100308 Ulrich started a task list of running Projects which can be found in the Wiki.

20100309 Ernie uploaded the new Association Rules, reflecting all the Special Resolutions from the AGM.

20100324 First ATE of the season: ATE-Sydney!

20100326 Board vetoed the DRAFT status of Security Policy regarding point due to a perceived conflict between background checks over Board and CAcert incorporated rules. The decision m20100327.2 followed Policy on Policy's limited right for the Board to veto a policy in DRAFT mode, PoP 4.6.

20100330 Software-Assessment Project telco reported GIT was successfully tested, and discussed a Testserver Management System.

20100422 Andreas introduced a contract for the Board of CAcert Inc. to agree to as a formal hosting arrangement with a Swiss hosting company. Much discussion followed, for three months or so; it consumed the lion's share of board time and polarized the members.

The basic proposal was that the contract could not be changed, but the Board declined to accept that position for a number of reasons. Vigorous debate was conducted in email thread, wiki page, board meeting minutes, and in outside channels. Many pros and cons were advanced. A counter-proposal was written. In early July (20100707), the hosting offering was withdrawn by the supplier after the stated period for acceptance (until end of June) had elapsed.

20100516 Policy Group brought the CCS or Configuration Control Specification to DRAFT. This is the "index" for audit's view over policy.

20100605 Security Policy goes to DRAFT! After the board's veto, the policy group swung into action and reviewed the policy. A lot of tidying up was done:

With that, policy group also announced that the full set of required audit policies was now in DRAFT or POLICY. This represents a major milestone, completing a 5 year project to prepare the documentation for Audit.

20100530 Minutes written for the AGM by Iang, to be reviewed by all, and presented at next AGM.

20100614 Password Recovery With Assurance was announced, based on Arbitration case a20100407.1.

20100615 Scheduled downtime as the systems were moved from one rack to another. Thanks to Stefan, Wytze, Hans and Bas.