Advisory/AMinutes20071208
Teus, iang. Evaldo by chat.
Saturday 10:45 -> 19:00, an hour for lunch
Sunday 10:00 -> 15:20, an hour for lunch
CAcert formal documents
- status and review conducted over following documents
Security Manual -- SM
requirements derive from iang from DRC
ask board to vote on motion: that the security manual be a fully open and published document.
teus to negotiate with Pat in email
- a minimal threat model to be covered
- threat model to include those threats necessary from the DRC requirements
- first thing is to think of an overview of the chapters
- from those chapters, an insight as to who needs to provide input
in synchronisation with Audit work, iang
iang to assist in first review
for operational information, input from philipp is required
- timeframe:
- month 1: chapters + insights
- month 3: 1st cut document for review against DRC
month 4: list of changes from review against DRC, by iang
- month 6: completed SM, incorporating changes.
- funding by NLnet allocates 3000 euros for each phase (of 4) for documentation and other CAcert projects.
management subcommittee (m-sc) to vote on motion: to allocate a documentation budget of 3000 euros to SM project. So voted on chat. msc20071208.1
- negotiate with NLnet to move SM from phase 1 to phase 2 of funding plan
Pat: if you have any comments, please let teus know asap.
Pat reports to management subcommittee (Teus + Evaldo).
CCS
CCS svn wip moved to PolicyDrafts/ConfigurationControlSpecification on wiki
documents part to be updated to refer to Policy On Policy
go to board and ask to vote on motion: to create a Systems and Security SubCommittee, as per the CCS
- some effort put into CCS but left half-reviewed.
Code-Signing
- Guillaume to take up the task of guiding the Code-signing policy
- looks like the vote to drop the current copy-of-id requirement has met rough consensus
- which means code-signing has no other requirement than 100 points
iang suggests that the Assurer Test be a requirement:
- the Assurer Challenge establishes a standard, albeit not the most appropriate standard for code signing
- the Assurer Challenge covers most of the material needed
- the test helps CAcert by bringing in another Assurer
- a customised test for code-signing can then be written in the interim
- suggest change the name of CATS to "challenge and training system" so as to make it more generally descriptive
CAcert Community Agreement
- status of suggested changes -- now in the document
- privacy clause
- contributions clause
- other minor changes made, and now no pending work to be done
- it is moved to the policy group that the document move to POLICY status in one month
- Teus has so posted.
questions in CATS -- make a general advisory to the CATS community to check docs & questions
- internal PR
- we have to advise the CAcert Community that this new policy is in place
- (as well as the NRP-DaL)
teus to prepare mail that outlines text of posts
- post to the general CAcert maillist
- post on blog
mail to go to every registered user from Greg as President one week after above blog & core maillist posts
philipp to prepare for a general mailshot in 10 days.
daniel to collect all bounces and/or rejections. Evidence to be collected for potential later action.
- translations?
- move document onto main website under the name of /policy/CAcertCommunityAgreement.html
prepare the change requests as per CCA1.1. iang to dig out old description
NRP- Disclaimer and Licence
- place on website
- links to the text need to be excessive and frequent
iang to dig out specification and send to Johan.
- internal PR as above
- one line added to CCA mailshot, no more
- review of the questions in CATS to reflect and push these new docs
3pv- Disclaimer and Licence
- explored need for a special document for 3rd party vendors / distributors
iang write to Mozilla to explore their thoughts on it
- we have done a brainstorming on what possibilities, ideas could be introduced
- essentially it is a rewrite of the NRP-DaL
Assurance Policy
- collected comments from the list discussion
- 1st cut written and onto wiki
reviewed and now at v0.2, teus to post to Policy group.
- the code-signing policy is being led by Guillaume.
Systems
NL move
- systems documentation is coming?
photos have been taken by Ridi ==> to Philipp
- Robert has prepared some diagrams but they may not be representative
- security work is on hold until after the move
- security will likely suffer during the move
- management, sysadms in the team
- m-sc has voted to bring Oophaga in as systems administrators for the team supporting NL
- Oophaga is now taking on responsibility for systems administration in NL
- Oophaga has approached more sysadms in 3 companies (snw, compata, atcomp)
- decided not to approach user groups.
m-sc votes on the target: one person per defined service, and one backup-sysadm for each. So voted on chat. msc20071208.2
- Software Development:
- michael to be added to team
- philipp agrees, intends to resign as officer
- for the moment there will be no officer for the team
- email system
- contact Daniel + Philipp and get some feedback on recent changes
- do we need more people?
Business Areas
CAcert privacy
- actions related to EU requirements
- this may be a job that is too big for Rasika
- need to seek a local team with deeper knowledge in NL law
- risks of data controller
- according to the Dutch Act, the data controller has a lot of power
- that power is largely in excess of and breaks our overall security policy
- opens backdoor/internal attack
- can we get legal advice on this?
- can we create a data controller that acts according to CAcert's interests?
- can we limit the power?
Audit project
- actions
valer, teus + greg to communicate and discuss funding proposal
- adjust phase 1 to be approximately the current status which would be all business policies in DRAFT, approx, plus NL move
- phase 2 to include SM, dual control
- acceptance, root cert inclusion
teus to chase Shane for anglo auditor for sign-off
- rewrite the MoU?
- PR over audit: possibility to look in usenix/LISA december meeting
Marketing
- fold PR, House Style, merchandise into one team
- Marketing
- create team with Greg, Henriks, Johan
- contact with press
- in Germany is done by Henrik
- elsewhere, by Greg? need to ask.
- no officer to be appointed for now
- decision on entire move: msc20071209.1, teus to take to evaldo over chat.
Education
- CATS
- certificate login is of strategic importance to CAcert
- for this reason CATS is to remain separated
- need to find a developer to assist Michelle, HR should look into it
evaldo (stakeholder of machine) to talk to Michelle, Michael, ascii
- propose to m-sc how the CATS team should progress
- Ted accepted the team leadership of the Education team
teus to ask him for status
OA
- has to be pushed...
Dutch SubPol has been proposed
- a Dutch request for OA is pending
- 2 votes, need another.
- Assurance Officer is not appointed
Greg: check the status of US/state SubPol
- propose a change to the master Policy to incorporate common elements?
Events
- unknown?
mission statement
- nobody in particular is responsible for the mission, rather it is a collective responsibility
- if the mission statement is disagreed, the community can split
- the mission must then be agreed by the community
- the mission on the website is in conflict with itself, etc
- after 8th (CCA is POLICY) let's start a discussion on the mission
Misc
wiki. So voted on chat. msc20071208.3
- make an "equate" between "board" and "committee"
- Teus and other new board members to be added to wiki BOARD page access ("trusted group") ??
- secretary (Evaldo) to get admin rights on wiki
- appoint more/new wiki administrator(s) to take over wiki
- S/MIME rewrite of the arrangement
- create the roadmap of Thunderbird changes
- find some student/other programmer to work on this
- ask NLnet for funding
- top meeting review