Minutes Management Sub-Committee meeting 20080225 10 pm - 1:30 am MET

Present: iang, teus, evaldo
next meeting schedule: 6 March 2008.

Dispute Resolution

emaillist of case managers and arbitraters
- 9 members on the list as arbitrators
- teus + iang as observers
- need to test as is rejecting email posts
ruling of a20071205.1 completed on 21 Febr
any cases?
- one indicated from MS, iang to chase

Assurance

policy list work

teus to give overview of current issues and status.
OA, teus has chasted AT, US, AU,
- JP approached Switzerland but found no-one to help,
  - CH is stalled.
  - Teus is chasing (via AT and CH people)
- M-SC has taken the lead for OA.
- OA AT: PG + PD will do next step
- OA USA: GS, GM + RJ will do next step including Europe+Mexico
- OA AU: RC proposed subpol (added CCA+DNS control check)
  - feature request for DNS control check? evaldo to chase
- OAP (main one, not subpol):
  - countries have no OAs nor a subpol
  - areas that have no OAs around
  - teus suggests that the board then picks that up?
  - teus has mailed to policy group
  - to be debated....
  - teus + iang to check the posts
how do we check who is an assurer?
- (once the CATS passing-marks are in the database this will be easier)
privacy/public status of the information in the certificates
- cert numbers
- name
- need to push this on the policy list
code-signing policy
- TH made proposal to [policy] for basic claims plus optional claims
- code-signers enter into a contract
- modelled after the Creative Commons concept
- need to chase it: Teus
- code signing: proposed signer agreement and signer statements/claims Then policy write up
Dutch DPA authority stated this week that it is forbidden to copy passports
- the complaint originated from US people having their passports copied!??!
- does CAcert follow suit?
- do all passports copies need to be dropped?
- what about old Assurers?
- some very early Assurances were "send photocopy to CAcert Inc" ... what to do?
- then it was migrated to Assurer holds the photocopy.
- Teus needs to announced this decision to us all.
- need to announce to all Assurers to destroy
- need a dispute filed to ask Arbitrator to order all passports copies to be destroyed. (i) Assurers, (ii) CAcert Inc., (iii) support IMAP mailbox.
- policy question is whether to delete and drop any and all requirements. Teus.
- add a CATS question
- related question: Identity Numbers (passport numbers, identity card numbers) are being written down on CAPs.
- 2004: Duane dropped it because of privacy concerns in the US (SSN).
- same timeframe: Duane was very against credit cards being used. Evidence from recent assurances is that credit cards are refused.
Tverify ==> subpolicy for other CA's members.
- Tverify needs subpol to be written.
TTP
- need a subpolicy (propose a new policy) proposed no discussions seen
Junior Assurer, below 18 years of age
- need a subpolicy for Junior Assurer
- there are about 30 or so...
- 10 points allocatable only.
Senior Assurer, people who have reached 150 or beyond?
- need to drag out the wip doco and think about it
need for DOB, proposal to drop DOB from database (i Naye)
- dropping the DOB and making all cert info as "public" means practically all DPA/PII data disappears. Big win!
- make this claim on the policy list...
CCA now linked directly from main page, as is /policy/ thanks to philipp.

CATS

2nd sysadmin, has he been added yet?
- Rodrigo has limited availability right now, so no point in adding him.
- Thinking of another one.
- Evaldo: Add Ted.
Ted statistics
- 98 Assurers now have passed
- ask philipp for what stats are available for Assurers: done
need to mention that the Assurers will be chopped off
- Teus: 98 is not enough
- Evaldo: deadline, we can't say much of anything 1st July.
- nothing on public awareness? Doco resigned, PR is a mess, mkt is quiet.
- Ted to chase PR? Ask Ted.
- how many Assurers are active today? In the last 6 months?
- if number of active Assurers (last year) is N, then 25% should have it before we impose a deadline.
- if the Assurer can do an Assurance, then they can do the CATS Assurer Challenge.
Ted has declared CATS ready for mainstream
- a blog post from henrik done
PR: asked support to add one liner on main web page CAcert
- teus Philipp can be asked .
- Evaldo agrees this is to be urgent.
how to boost the number of Assurers passing the Assurer Challenge?
- reward structure?
- not keen on boost of points
- prefer non monetary reward
- like Pins
  - $1.50 in cost, $0.75 to post in Europe. $1 for US.
  - 250 in stock, 250+100 DE.
  - Pins until stocks run out
  - Pins for next 15 days!
  - no money for postage right now?
  - Send to Ted? (Jens or Teus can send)
  - can Ted ask someone in the US to do the postage?
- teus question to education list, talk to Ted?
Challenge-passed
- report over to core system, status of that?
- iang to chase:
- implementaton of Challenger-passed mark into the database is pending?
- teus reminded Philipp.
- assurer mark for challenge passed assurers
- ask sysadmins for this http://bugs.cacert.org/view.php?id=499 it is the bug that covers this work
paper certs
- the certificate is for "am an Assurer", let's leave this as is for now
Secure-U should pick up postage costs, but not for the immediate future because of startup issues. We wait.

Other

Assurance promulgation plan
- Iang to mail systems & marketing groups.
- chased systems page changes as part of CeBIT feedback
teus wants metadata on the page for the policies.
- has sent email to Philipp
Policy on Policy has gone to POLICY
Changes
- PoP needs to be added into /policy/ .. is this urgent.
- Principles should be somewhere too
- these are recorded as task on RolloutCommunityAgreement
/policy/ is now linked, as is the CCA

Systems

Cachaca project drafted: to be decide:
- time in Nld+Brazil
- can all be prepared in Brazil, in "production with test systems"
- 2-3 days in Austria.
- 1 week doing servers in NL.
- wait to do bugs.
- so we need to set up the team before? (decision?)
- create a list of prospects
- Evaldo: flying to build a team is not viable.
- Iang: need to do action to impress new team.
- M-sc needs to approve the team members for critical systems.
- remote work? how to do the reboot remotely?
- prepare the kvm before flight?
- finding team (at least one person)?
- cost for CAcert work in Brazil is zero, Europe cost is 100's.
- costs can be managed if around weeks
- but Brazil has higher distraction factor.
- crunch decision for Evaldo, can the team be formed.
- before flight, team is formed.
- plan is re-cast.
Finish the plan, propose to board.
- M-SC decision is to build the team to move the system to Netherlands.
- Evaldo is to start that team.
- Philipp is providing the software to Evaldo.
- incorporate tonight's changes, circulate plan, and then send plan to board. iang

Stopped here.

Please read through and pick up rest on chat.

Funding
- from Audit Project?
- AtC funding needed?
NL move
- USB link installed, serial line was also requested by PG
interest of volunteers: JJ (NLnet Labs) proposed, Medison (pending)
- no interest seen: old email from PG with some names. Need to chase.
create systems committee
- Evaldo compiles req list For systems sub-committee? We said it is not exactly needed
- need closed group nomination policy?
- bounce back ideas and create a proposal to board: all
link
- serial not on Suns
- Spare Tunix firewalls PC has them
- or use USB, or use Ethernet, device nodes available?
software
- decision taken by board sw to go to EG
- familiarisation with sw is started
- Some pieces are already sent, missing many pieces still, but probably able to create a working set with the available data already
- Virtual machine with signer is installed, missing OpenSSL profiles
- Virtual machine with web application is in progress, missing some bits and pieces
Support team
- new member was discussed (problems: not assurered, possible conflict of interest with his work)
- notify ggr + rob of situation: done, Member not invited.
admin team: Daniel, Ted, Michael ???
check OCSP/CRL distr systems (Philipp request)
- not clear what check is required
- outline of concerns by Evaldo to M-SC:
  - a CRL distribution point that is NOT UP TO DATE is a big denial of service on revocation (unable to properly revoke and send the message out)
  - a bogus OCSP server can declare legitimate certs revoked, and vice versa
  - Even if we decide to remove a DNS entry for the bad servers, DNS caching might hurt us
- PG asked for status.
- iang to talk to Pete S
- are these critical systems?
  - nothing much on them
  - DOS for revocation checking
  - certificate could be used for a social engineering attack
- teus chase philipp with questions. Done.
- OCSP/CRL usage stats: 5000 p/mnth (PG)
- outage stats OCSP routing: 25 mins/mnth (98% uptime) (PG)
getting sources up and available
- good to get the board to finalise the licence under which the source code is to be issued.
- agreed that CAcert is to own the full rights, as per the FSFE tfr agreement
- proposal to board to be written up on that basis iang
- iang to review GPL[23] again

House Style

new logo & new web style promissed first week Febr to be incorporated. No action caused ripple effect for events.
advertisement handling (teus: status unknown)
cert button (teus: status unknown)

Admin

organigram wait for commuinity comments ends on 1st of March.
- email lists / aliases for offices. Names offices to be sync'd.
overview of decisions taken
- need to be diligent and record the decisions!
- ask Evaldo for additional permissions for all board members to write on the board decisions page: #acl All:read TrustedGroup:read,write teus:read,write correct?
- also a new update on board decisions has been written and sent to Evaldo. Need to chase. Evaldo> where? I do not see it here
tracking system for policy progress?
wiki pages update
- teus to write to Sebastian Documentation Officer. Done, no reply due to CeBIT.
- more people to help
- we need the existing Doc Policy work-in-progress
- especially on the wiki or on the svn

Audit

workplan for auditor, teus
- teus to respond to audit agreement. Draft is finalizing now: dealine 24 Feb.
- start real audit requires NL move + dual control
security manual
- is in progress, received doc on config as was in 2006
- Pat sent email with questions.
NLnet-MoU
- need announcement press release, but defer this until after agreement with auditor is reached
- RC sent bill for first 9K funding
- documents now on website
real audit can only restart when systems are completely moved to NL Need date (Cachaca project and/or PG last trial; GP seems to be stalled on serial/link protocol.

Committee meetings

schedule 3 month period for wrap up decisions taken by email
- meeting scheduled end of Febr
- get email decisions into wiki
AGM minutes need board review is now on wiki
- iang to review

Assurance Events

CeBIT: secure-u received for CeBIT 1k + 5K earmarked for ML (Events coordinator)
CeBIT: flyer in english needs style, content, spelling corrections (too late informed what was going on)
CeBIT: CAP/COAP forms on web page were not updated with logo and CCA statement.
two events in US handled by GS
no budget available for travel/accomodation/entrance for events
no budget available for events. Exemption was CeBIT and Systems.
not much attention for non-German events
ML was chased on the issues

CAcert Associations

policy to be updated
secure-u commitments
funding earmarked for CAcert should be controlled by CAcert (board notice?)
if local funding is raised locally how to get properly in control of CAcert? * finances for meetings

PR / Marketing

flyers/CAP/COAP, CCA printouts, sources

merchandize

spreadshop (shirt ware, cups) initiated via secure-u. Income?
eToken via secure-u. Denied special CAcert subdomain name for this.

M-SC finances

finances for meeting travel
equipment funding?