= Minutes Management Sub-Committee meeting 20080225 10 pm - 1:30 am MET =
 * Present: iang, teus, evaldo
 * next meeting schedule: 6 March 2008.

== Dispute Resolution ==
 * email list of case managers and arbitrators
 * 9 members on the list as arbitrators
 * teus + iang as observers
 * '''need to test as is rejecting email posts'''
 * ruling of a20071205.1 completed on 21 Febr
 * any cases?
 * one indicated from MS, '''iang''' to chase

== Assurance ==
=== policy list work ===
 * '''teus''' to give overview of current issues and status.
 * OA, teus has chased AT, US, AU,
 * JP approached Switzerland but found no-one to help,
 * CH is stalled.
 * Teus is chasing (via AT and CH people)
 * M-SC has taken the lead for OA.
 * OA AT: PG + PD will do next step
 * OA USA: GS, GM + RJ will do next step including Europe+Mexico
 * OA AU: RC proposed subpol (added CCA+DNS control check)
 * feature request for DNS control check? '''evaldo''' to chase
 * OAP (main one, not subpol):
 * countries have no OAs nor a subpol
 * areas that have no OAs around
 * teus suggests that the board then picks that up?
 * teus has mailed to policy group
 * to be debated....
 * '''teus + iang''' to check the posts
 * how do we check who is an assurer?
 * (once the CATS passing-marks are in the database this will be easier)
 * privacy/public status of the information in the certificates
 * cert numbers
 * name
 * need to push this on the policy list
 * code-signing policy
 * TH made proposal to [policy] for basic claims plus optional claims
 * code-signers enter into a contract
 * modelled after the Creative Commons concept
 * need to chase it: '''Teus'''
 * code signing: proposed signer agreement and signer statements/claims Then policy write up
 * Dutch DPA authority stated this week that it is forbidden to copy passports
 * the complaint originated from US people having their passports copied!??!
 * does CAcert follow suit?
 * do all passport copies need to be dropped?
 * what about old Assurers?
 * some very early Assurances were "send photocopy to CAcert Inc" ... what to do?
 * then it was migrated to Assurer holds the photocopy.
 * '''Teus''' needs to announce this decision to us all.
 * need to announce to all Assurers to destroy
 * need a dispute filed to ask Arbitrator to order all passport copies to be destroyed. (i) Assurers, (ii) CAcert Inc., (iii) support IMAP mailbox.
 * policy question is whether to delete and drop any and all requirements. '''Teus'''.
 * add a CATS question
 * related question: Identity Numbers (passport numbers, identity card numbers) are being written down on CAPs.
 * 2004: Duane dropped it because of privacy concerns in the US (SSN).
 * same timeframe: Duane was very against credit cards being used. Evidence from recent assurances is that credit cards are refused.
 * Tverify ==> subpolicy for other CA's members.
 * Tverify needs subpol to be written.
 * TTP
 * need a subpolicy (propose a new policy) proposed no discussions seen
 * Junior Assurer, below 18 years of age
 * need a subpolicy for Junior Assurer
 * there are about 30 or so...
 * 10 points allocatable only.
 * Senior Assurer, people who have reached 150 or beyond?
 * need to drag out the wip doco and think about it
 * need for DOB, proposal to drop DOB from database (i Naye)
 * dropping the DOB ''and'' making all cert info as "public" means practically all DPA/PII data disappears. Big win!
 * make this claim on the policy list...
 * CCA now linked directly from main page, as is /policy/ thanks to philipp.

=== CATS ===
 * 2nd sysadmin, has he been added yet?
 * Rodrigo has limited availability right now, so no point in adding him.
 * Thinking of another one.
 * '''Evaldo:''' Add Ted.
 * Ted statistics
 * 98 Assurers now have passed
 * ask philipp for what stats are available for Assurers: done
 * need to mention that the Assurers will be chopped off
 * Teus: 98 is not enough
 * Evaldo: deadline, we can't say much of anything 1st July.
 * nothing on public awareness? Doco resigned, PR is a mess, mkt is quiet.
 * Ted to chase PR? Ask Ted.
 * how many Assurers are active today? In the last 6 months?
 * if number of active Assurers (last year) is N, then 25% should have it before we impose a deadline.
 * if the Assurer can do an Assurance, then they can do the CATS Assurer Challenge.
 * Ted has declared CATS ready for mainstream
 * a blog post from henrik done
 * PR: asked support to add one liner on main web page CAcert
 * '''teus''' Philipp can be asked.
 * Evaldo agrees this is to be urgent.
 * how to boost the number of Assurers passing the Assurer Challenge?
 * reward structure?
 * not keen on boost of points
 * prefer non monetary reward
 * like Pins
 * $1.50 in cost, $0.75 to post in Europe. $1 for US.
 * 250 in stock, 250+100 DE.
 * Pins until stocks run out
 * Pins for next 15 days!
 * no money for postage right now?
 * Send to Ted? (Jens or Teus can send)
 * can Ted ask someone in the US to do the postage?
 * '''teus''' question to education list, talk to Ted?
 * Challenge-passed
 * report over to core system, status of that?
 * '''iang''' to chase:
 * implementation of Challenger-passed mark into the database is pending?
 * teus reminded Philipp.
 * assurer mark for challenge passed assurers
 * ask sysadmins for this [[http://bugs.cacert.org/view.php?id=499]] it is the bug that covers this work
 * paper certs
 * the certificate is for "am an Assurer", let's leave this as is for now
 * Secure-U should pick up postage costs, but not for the immediate future because of startup issues. We wait.

=== Other ===
 * Assurance promulgation plan
 * Iang to mail systems & marketing groups.
 * chased systems page changes as part of CeBIT feedback
 * teus wants metadata on the page for the policies.
 * has sent email to Philipp
 * Policy on Policy has gone to POLICY
 * Changes
 * PoP needs to be added into /policy/ .. is this urgent.
 * Principles should be somewhere too
 * these are recorded as task on RolloutCommunityAgreement
 * /policy/ is now linked, as is the CCA

== Systems ==
 * Cachaca project drafted: to be decided:
 * time in Nld+Brazil
 * can all be prepared in Brazil, in "production with test systems"
 * 2-3 days in Austria.
 * 1 week doing servers in NL.
 * wait to do bugs.
 * so we need to set up the team before? (decision?)
 * create a list of prospects
 * Evaldo: flying to build a team is not viable.
 * Iang: need to do action to impress new team.
 * M-sc needs to approve the team members for critical systems.
 * remote work? how to do the reboot remotely?
 * prepare the kvm before flight?
 * finding team (at least one person)?
 * cost for CAcert work in Brazil is zero, Europe cost is 100's.
 * costs can be managed if around weeks
 * but Brazil has higher distraction factor.
 * crunch decision for Evaldo, can the team be formed.
 * before flight, team is formed.
 * plan is re-cast.
 * Finish the plan, propose to board.
 * M-SC decision is to build the team to move the system to Netherlands.
 * Evaldo is to start that team.
 * Philipp is providing the software to Evaldo.
 * incorporate tonight's changes, circulate plan, and then send plan to board. '''iang'''

----
= Stopped here. =
Please read through and pick up rest on chat.
 * Funding
 * from Audit Project?
 * AtC funding needed?
 * NL move
 * USB link installed, serial line was also requested by PG
 * interest of volunteers: JJ (NLnet Labs) proposed, Medison (pending)
 * no interest seen: old email from PG with some names. Need to chase.
 * create systems committee
 * Evaldo compiles req list '''For systems sub-committee? We said it is not exactly needed'''
 * need closed group nomination policy?
 * bounce back ideas and create a proposal to board: '''all'''
 * link
 * serial not on Suns
 * Spare Tunix firewalls PC has them
 * or use USB, or use Ethernet, device nodes available?
 * software
 * decision taken by board sw to go to EG
 * familiarisation with sw is started
 * Some pieces are already sent, missing many pieces still, but probably able to create a working set with the available data already
 * Virtual machine with signer is installed, missing OpenSSL profiles
 * Virtual machine with web application is in progress, missing some bits and pieces
 * Support team
 * new member was discussed (problems: not assured, possible conflict of interest with his work)
 * notify ggr + rob of situation: done, Member not invited.
 * admin team: Daniel, Ted, Michael ???
 * check OCSP/CRL distr systems (Philipp request)
 * not clear what check is required
 * outline of concerns by Evaldo to M-SC:
 * '''a CRL distribution point that is NOT UP TO DATE is a big denial of service on revocation (unable to properly revoke and send the message out)'''
 * '''a bogus OCSP server can declare legitimate certs revoked, and vice versa'''
 * '''Even if we decide to remove a DNS entry for the bad servers, DNS caching might hurt us'''
 * PG asked for status.
 * iang to talk to Pete S
 * are these critical systems?
 * nothing much on them
 * DOS for revocation checking
 * certificate could be used for a social engineering attack
 * teus chase philipp with questions. Done.
 * OCSP/CRL usage stats: 5000 p/mnth (PG)
 * outage stats OCSP routing: 25 mins/mnth (98% uptime) (PG)
 * getting sources up and available
 * good to get the board to finalise the licence under which the source code is to be issued.
 * agreed that CAcert is to own the full rights, as per the FSFE tfr agreement
 * proposal to board to be written up on that basis '''iang'''
 * '''iang''' to review GPL[23] again :(

== House Style ==
 * new logo & new web style promised first week Febr to be incorporated. No action caused ripple effect for events.
 * advertisement handling (teus: status unknown)
 * cert button (teus: status unknown)

== Admin ==
 * organigram wait for community comments ends on 1st of March.
 * email lists / aliases for offices. Names offices to be sync'd.
 * overview of decisions taken
 * need to be diligent and record the decisions!
 * '''ask Evaldo for additional permissions for all board members to write on the board decisions page''': #acl All:read TrustedGroup:read,write teus:read,write correct?
 * also a new update on board decisions has been written and sent to Evaldo. Need to chase. '''Evaldo> where? I do not see it here'''
 * tracking system for policy progress?
 * wiki pages update
 * teus to write to Sebastian Documentation Officer. Done, no reply due to CeBIT.
 * more people to help
 * we need the existing Doc Policy work-in-progress
 * especially on the wiki or on the svn

== Audit ==
 * workplan for auditor, teus
 * teus to respond to audit agreement. Draft is finalizing now: deadline 24 Feb.
 * start real audit requires '''NL move + dual control'''
 * security manual
 * is in progress, received doc on config as was in 2006
 * Pat sent email with questions.
 * NLnet-MoU
 * need announcement press release, but defer this until after agreement with auditor is reached
 * RC sent bill for first 9K funding
 * documents now on website
 * real audit can only restart when systems are completely moved to NL. Need date (Cachaca project and/or PG last trial; GP seems to be stalled on serial/link protocol.

== Committee meetings ==
 * schedule 3 month period for wrap up decisions taken by email
 * meeting scheduled end of Febr
 * get email decisions into wiki
 * AGM minutes need board review is now on wiki
 * '''iang''' to review

== Assurance Events ==
 * CeBIT: secure-u received for CeBIT 1k + 5K earmarked for ML (Events coordinator)
 * CeBIT: flyer in English needs style, content, spelling corrections (too late informed what was going on)
 * CeBIT: CAP/COAP forms on web page were not updated with logo and CCA statement.
 * two events in US handled by GS
 * no budget available for travel/accommodation/entrance for events
 * no budget available for events. Exemption was CeBIT and Systems.
 * not much attention for non-German events
 * ML was chased on the issues

== CAcert Associations ==
 * policy to be updated
 * secure-u commitments
 * funding earmarked for CAcert should be controlled by CAcert (board notice?)
 * if local funding is raised locally how to get properly in control of CAcert?
 * finances for meetings

== PR / Marketing ==
 * flyers/CAP/COAP, CCA printouts, sources

== merchandize ==
 * spreadshop (shirt ware, cups) initiated via secure-u. Income?
 * eToken via secure-u. Denied special CAcert subdomain name for this.

== M-SC finances ==
 * finances for meeting travel
 * equipment funding?