Minutes Advisory / Management Sub-Committee meeting 20071122
Systems Review
- what is the structure of sysadm department
- maillist?
- daniel black to create a mailing list for sysadms
- backup recovery plan
- guillaume has necessary details
- followup by Evaldo
- systems work
- FF 2 machines: core + signing (towers)
- core machine was dead
- 1st spare from Philipp's spare machine was also dead
- swapped the hard disk into a spare machine of Matthias S.
- machine not needed for now.
- costs not an issue this time because it was a spare
- authorisation can come after the fact, philipp to write it up
- Philipp went through FF mailing list and went to krypt with MS.
- no need for arbitration at this stage
- OpenPGP system
- there is a bug
- RFC4880 defines user-id field as a simple unicode structure
- fixed issue by adding a filter that disallows multiple email addresses in the user-ids
- a security review should have been done
- should it be stopped?
- need concerns from philipp ?
- evaldo took it to the board,
- teus wants to take it to m-sc
- there are a lot of users, around 50-50 split between OpenPGP and x.509
- no especial audit focus, certainly not a Mozilla request
- ggr said it was distracting from core business
- voted YES to continue the system
- brings into conflict with the board
- Teus to write up report (iang to fix) request board to reconsider
NL
- hvl - need to chase, evaldo in email contact
- ggr had no time, evaldo is following up and calls Hans
- evaldo in email contact
- then board request to add
- there are several systems in NL
- what are in use?
request to philipp for systems in use, and what they are used for
- set deadline for plan
- approval by board of plan by next thursday
- this means that we have to create the plan by say next tuesday
first person to start typing...
- blockages
- Tix changes are not adequate, "inadequate firewall management"
- development of procedures, ceremony
- working with hdl to work up a plan
- Oophaga is addressing the Tix issue
- concern about too many ports being opened
"does CAcert know what it's doing?"
- good concern, let's see it written up
- what procedures can be put in place to ensure the quality of transfer of systems and management of procedures
need a ceremony for the transfer, as with last move AU->AT
- architecture for the systems is needed as well
- have to be able to maintain the system, system will break down and "that's the end"
- Machines:
- 1x2100 is backup system (more hard disk capacity)
- 1x4200 is production (less capacity) (mail, lists, wiki, bugs, ...)
- 1xTix core server (planned)
- 1xTix signing server (planned)
- 1x2100 failover, etc, future use
- 1x4200 failover, etc, future use
- 2100/4200 machines have security issues
- all machines are virtualised
- education of sysadms
- give, receive, and transfer of knowledge
- hdl to get access to the TEST system
evaldo to provide access and bring him up to speed
then work with philipp and be ready in 10 days
- dovetails with migration path
IRC
- IRC server is installed, working.
- Await open up in firewall.
AGM
- minutes still to do.
- log is on
- resolution on change of rules was 21+ days
- email was not done to procedure, was too late
- board titles are set up, announced
Assurance
- CATS server DB is populated
- security
ascii code review: this weekend
- deadline to be chosen when testing starts
- PR and acceptance
- Policies
- NRP-DaL onto main website, need to rework to make it more prominent
- do this at same time as the style guide rework.
- CCA draft can go as a new draft, with changes bolded.
- let's show the changes, and then take it to policy.
- still need to verify the FSFE transfer language
- AGM took CCA as a concept
Misc
- Audit
- basic comment is that the NLnet proposal contradicts the CAcert proposal
still to do: make a discussion paper on the options, iang
- Henrik's proposal
- needs to make a proposal
- nobody has permission to do anything with CAcert's name
Evaldo to pick it up with Hendriks, propose Vasco / open source solution as alternate