Minutes Management Sub-Committee meeting 20080225 10 pm - 1:30 am MET
- Present: iang, teus, evaldo
- next meeting schedule: 6 March 2008.
- email list of case managers and arbitrators
- 9 members on the list as arbitrators
- teus + iang as observers
need to test, as it is rejecting email posts
- ruling of a20071205.1 completed on 21 Febr
- any cases?
one indicated from MS, iang to chase
policy list work
teus to give overview of current issues and status.
- OA, teus has chased AT, US, AU
- JP approached Switzerland but found no-one to help,
- CH is stalled.
- Teus is chasing (via AT and CH people)
- M-SC has taken the lead for OA.
- OA AT: PG + PD will do next step
- OA USA: GS, GM + RJ will do next step including Europe+Mexico
- OA AU: RC proposed subpol (added CCA+DNS control check)
feature request for DNS control check? evaldo to chase
- OAP (main one, not subpol):
- countries have no OAs nor a subpol
- areas that have no OAs around
- teus suggests that the board then picks that up?
- teus has mailed to policy group
- to be debated....
teus + iang to check the posts
- how do we check who is an assurer?
- (once the CATS passing-marks are in the database this will be easier)
- privacy/public status of the information in the certificates
- cert numbers
- need to push this on the policy list
- code-signing policy
- TH made proposal to [policy] for basic claims plus optional claims
- code-signers enter into a contract
- modelled after the Creative Commons concept
need to chase it: Teus
- code signing: proposed signer agreement and signer statements/claims, then policy write-up
- Dutch DPA authority stated this week that it is forbidden to copy passports
- the complaint originated from US people having their passports copied!??!
- does CAcert follow suit?
- do all passport copies need to be dropped?
- what about old Assurers?
- some very early Assurances were "send photocopy to CAcert Inc" ... what to do?
- then it was migrated to Assurer holds the photocopy.
Teus needs to announce this decision to us all.
- need to announce to all Assurers to destroy
- need a dispute filed to ask Arbitrator to order all passport copies to be destroyed. (i) Assurers, (ii) CAcert Inc., (iii) support IMAP mailbox.
policy question is whether to delete and drop any and all requirements. Teus.
- add a CATS question
- related question: Identity Numbers (passport numbers, identity card numbers) are being written down on CAPs.
- 2004: Duane dropped it because of privacy concerns in the US (SSN).
- same timeframe: Duane was very against credit cards being used. Evidence from recent assurances is that credit cards are refused.
Tverify ==> subpolicy for other CA's members.
- Tverify needs subpol to be written.
- need a subpolicy (propose a new policy): proposed, no discussions seen
- Junior Assurer, below 18 years of age
- need a subpolicy for Junior Assurer
- there are about 30 or so...
- 10 points allocatable only.
- Senior Assurer, people who have reached 150 or beyond?
- need to drag out the wip doco and think about it
- need for DOB, proposal to drop DOB from database (i Naye)
dropping the DOB and making all cert info as "public" means practically all DPA/PII data disappears. Big win!
- make this claim on the policy list...
- CCA now linked directly from main page, as is /policy/ thanks to philipp.
- 2nd sysadmin, has he been added yet?
- Rodrigo has limited availability right now, so no point in adding him.
- Thinking of another one.
Evaldo: Add Ted.
- Ted statistics
- 98 Assurers now have passed
- ask philipp for what stats are available for Assurers: done
- need to mention that the Assurers will be chopped off
- Teus: 98 is not enough
- Evaldo: deadline, we can't say much of anything 1st July.
- nothing on public awareness? Doco resigned, PR is a mess, mkt is quiet.
- Ted to chase PR? Ask Ted.
- how many Assurers are active today? In the last 6 months?
- if number of active Assurers (last year) is N, then 25% should have it before we impose a deadline.
- if the Assurer can do an Assurance, then they can do the CATS Assurer Challenge.
- Ted has declared CATS ready for mainstream
- a blog post from henrik done
- PR: asked support to add one liner on main web page CAcert
teus Philipp can be asked.
- Evaldo agrees this is to be urgent.
- how to boost the number of Assurers passing the Assurer Challenge?
- reward structure?
- not keen on boost of points
- prefer non monetary reward
- like Pins
- $1.50 in cost, $0.75 to post in Europe. $1 for US.
- 250 in stock, 250+100 DE.
- Pins until stocks run out
- Pins for next 15 days!
- no money for postage right now?
- Send to Ted? (Jens or Teus can send)
- can Ted ask someone in the US to do the postage?
teus question to education list, talk to Ted?
- report over to core system, status of that?
iang to chase:
- implementation of Challenger-passed mark into the database is pending?
- teus reminded Philipp.
- assurer mark for challenge passed assurers
ask sysadmins for this: http://bugs.cacert.org/view.php?id=499 is the bug that covers this work
- paper certs
- the certificate is for "am an Assurer", let's leave this as is for now
- Secure-U should pick up postage costs, but not for the immediate future because of startup issues. We wait.
- Assurance promulgation plan
Iang to mail systems & marketing groups.
- chased systems page changes as part of CeBIT feedback
- teus wants metadata on the page for the policies.
- has sent email to Philipp
- Policy on Policy has gone to POLICY
- PoP needs to be added into /policy/ .. is this urgent.
- Principles should be somewhere too
these are recorded as task on RolloutCommunityAgreement
- /policy/ is now linked, as is the CCA
- Cachaca project drafted: to be decided:
- time in Nld+Brazil
- can all be prepared in Brazil, in "production with test systems"
- 2-3 days in Austria.
- 1 week doing servers in NL.
- wait to do bugs.
- so we need to set up the team before? (decision?)
- create a list of prospects
- Evaldo: flying to build a team is not viable.
- Iang: need to do action to impress new team.
- M-SC needs to approve the team members for critical systems.
- remote work? how to do the reboot remotely?
- prepare the kvm before flight?
- finding team (at least one person)?
- cost for CAcert work in Brazil is zero, Europe cost is 100's.
- costs can be managed if around weeks
- but Brazil has higher distraction factor.
- crunch decision for Evaldo, can the team be formed.
- before flight, team is formed.
- plan is re-cast.
- Finish the plan, propose to board.
- M-SC decision is to build the team to move the system to Netherlands.
- Evaldo is to start that team.
- Philipp is providing the software to Evaldo.
incorporate tonight's changes, circulate plan, and then send plan to board. iang
Please read through and pick up rest on chat.
- from Audit Project?
- AtC funding needed?
- NL move
- USB link installed, serial line was also requested by PG
- interest of volunteers: JJ (NLnet Labs) proposed, Medison (pending)
- no interest seen: old email from PG with some names. Need to chase.
- create systems committee
Evaldo compiles req list For systems sub-committee? We said it is not exactly needed
- need closed group nomination policy?
bounce back ideas and create a proposal to board: all
- serial not on Suns
- Spare Tunix firewalls PC has them
- or use USB, or use Ethernet, device nodes available?
- decision taken by board sw to go to EG
- familiarisation with sw is started
- Some pieces are already sent, missing many pieces still, but probably able to create a working set with the available data already
- Virtual machine with signer is installed, missing OpenSSL profiles
- Virtual machine with web application is in progress, missing some bits and pieces
- Support team
- new member was discussed (problems: not assured, possible conflict of interest with his work)
- notify ggr + rob of situation: done, Member not invited.
- admin team: Daniel, Ted, Michael ???
- check OCSP/CRL distr systems (Philipp request)
- not clear what check is required
- outline of concerns by Evaldo to M-SC:
a CRL distribution point that is NOT UP TO DATE is a big denial of service on revocation (unable to properly revoke and send the message out)
a bogus OCSP server can declare legitimate certs revoked, and vice versa
Even if we decide to remove a DNS entry for the bad servers, DNS caching might hurt us
- PG asked for status.
- iang to talk to Pete S
- are these critical systems?
- nothing much on them
- DOS for revocation checking
- certificate could be used for a social engineering attack
- teus chase philipp with questions. Done.
- OCSP/CRL usage stats: 5000 p/mnth (PG)
- outage stats OCSP routing: 25 mins/mnth (98% uptime) (PG)
- getting sources up and available
- good to get the board to finalise the licence under which the source code is to be issued.
- agreed that CAcert is to own the full rights, as per the FSFE tfr agreement
proposal to board to be written up on that basis iang
iang to review GPL again
new logo & new web style promised first week Febr to be incorporated. No action caused ripple effect for events.
- advertisement handling (teus: status unknown)
- cert button (teus: status unknown)
- organigram: wait for community comments ends on 1st of March.
- email lists / aliases for offices. Names offices to be sync'd.
- overview of decisions taken
- need to be diligent and record the decisions!
ask Evaldo for additional permissions for all board members to write on the board decisions page: #acl All:read TrustedGroup:read,write teus:read,write correct?
also a new update on board decisions has been written and sent to Evaldo. Need to chase. Evaldo> where? I do not see it here
- tracking system for policy progress?
- wiki pages update
- teus to write to Sebastian Documentation Officer. Done, no reply due to CeBIT.
- more people to help
- we need the existing Doc Policy work-in-progress
- especially on the wiki or on the svn
- workplan for auditor, teus
- teus to respond to audit agreement. Draft is finalizing now: deadline 24 Feb.
start real audit requires NL move + dual control
- security manual
- is in progress, received doc on config as was in 2006
- Pat sent email with questions.
- need announcement press release, but defer this until after agreement with auditor is reached
- RC sent bill for first 9K funding
- documents now on website
- real audit can only restart when systems are completely moved to NL. Need date (Cachaca project and/or PG last trial; GP seems to be stalled on serial/link protocol).
- schedule 3 month period for wrap up decisions taken by email
- meeting scheduled end of Febr
- get email decisions into wiki
- AGM minutes need board review; now on wiki
iang to review
- CeBIT: secure-u received for CeBIT 1k + 5K earmarked for ML (Events coordinator)
- CeBIT: flyer in English needs style, content, spelling corrections (informed too late of what was going on)
- CeBIT: CAP/COAP forms on web page were not updated with logo and CCA statement.
- two events in US handled by GS
- no budget available for travel/accommodation/entrance for events
- no budget available for events. Exemption was CeBIT and Systems.
- not much attention for non-German events
- ML was chased on the issues
- policy to be updated
- secure-u commitments
- funding earmarked for CAcert should be controlled by CAcert (board notice?)
- if local funding is raised locally how to get properly in control of CAcert?
- finances for meetings
PR / Marketing
- flyers/CAP/COAP, CCA printouts, sources
- spreadshop (shirt ware, cups) initiated via secure-u. Income?
- eToken via secure-u. Denied special CAcert subdomain name for this.
- finances for meeting travel
- equipment funding?