Management Sub-Committee meeting 20080317
- Present: teus, evaldo, iang
- schedule next meeting: Thursday 27 March 2008
Dispute Resolution
- emaillist of case managers and arbitrators, no news
- any cases?
- one indicated from MS, iang chased, no action.
- CeBIT Jens: any news on whether on-the-spot-arbitrations would have been useful at CeBIT?
Assurance
Policy list work
teus to give overview of current issues and status.
- OA, M-SC has taken the lead for OA. Pending in AT 1, US 3, AU 1, CH 2, SE 1
- CH is stalled. Teus is chasing...
- OA AT: sub-pol is in draft. p20080310 should be recorded?
- OA USA: GS, GM + RJ will do next step including Europe+Mexico
- OA AU: RC proposed subpol end discussion 19 March, 20080326 March.
- AU COAP needs dns record discussion.
- Evaldo to check the AU subpol
feature request for DNS control check? evaldo to chase OAP (main one, not subpol):
- countries/areas which have no OAs nor a subpol
- board agrees to the task
- teus, guillaume has mailed to policy group
- policy on OA in "empty" areas proposed 14 March
teus + iang to check the posts
- how do we check who is an assurer?
- now that CATS passing-marks are in the database, this is easier
- overall question still stands for the Assurance process
- privacy/public status of the information in the certificates
- cert numbers
- name
- DPA issue policy discussion: DoB drop request, rumbles on
- DoB is in debate, with a call for a vote to drop DoB on 19th of March
- need for DOB, proposal to drop DOB from database (i Naye, 2 Aye)
dropping the DOB and making all cert info as "public" means practically all DPA/PII data disappears. Big win!
- make this claim on the policy list...
- code-signing policy
- TH made proposal to [policy] for basic claims plus optional claims
- code-signers enter into a contract
- modelled after the Creative Commons concept
need to chase it: Teus still
- code signing: proposed signer agreement and signer statements/claims, then policy write-up
- Dutch DPA authority statement that it is forbidden to copy passports
- do all passport copies need to be dropped?
- what about old Assurers?
- some very early Assurances were "send photocopy to CAcert Inc" ... what to do?
Teus announced this decision to policy list.
- need to announce to all Assurers to destroy
- need a dispute filed to ask Arbitrator to order all passport copies to be destroyed. (i) Assurers, (ii) CAcert Inc., (iii) support IMAP mailbox.
policy question is whether to delete and drop any and all requirements. Teus.
- board question is whether the board decides to unilaterally drop their copies and their requirements.
- priority is not high, but we need to progress the question
- add a CATS question, when we have a result
- related question: Identity Numbers (passport numbers, identity card numbers) were and are being written down on CAPs.
Tverify ==> subpolicy for other CA's members.
Tverify needs subpol to be written, on ToDo.
- TTP
need a subpolicy (propose a new policy); proposed, no discussions seen, on ToDo.
- Junior Assurer, below 18 years of age
- need a subpolicy for Junior Assurer
- there are about 30 or so...
- 10 points allocatable only.
- Senior Assurer, people who have reached 150 or beyond?
- need to drag out the wip doco and think about it
- Policies now linked directly from main page
- php and wiki list to compile for text changes due to policies
- new e-mail cert form request php id
- new certificate request page text
- translation is an issue
- translingo is back but still a good idea to move to rosetta?
CATS
- 2nd sysadmin, has he been added yet?
Evaldo: Add Ted.
- Evaldo is changing the test system, when changed, can bring in new sysadms
- Current server goes down soon, new server is online.
- Sonance requests one VM for DNS/mail failover.
- can offer the same in return
Bernhard has reported: for those interested in such things here is a current status of CATS:
- 341 different certificates have passed tests (ask Sourcerer how many different users, I'd guess more than 300)
- Since CeBIT (about 100 tests on CeBIT Saturday!) there have been 5-10 passed tests per day
- I have created about 150 documents for passing the test, including 27 printed ones
- The passed results are already imported into the CAcert database
- User interface for viewing passed tests is in code review
- Admin interface and other related code changes are in (slow) progress
The great majority (>90%) of users who have requested a document have been German-speaking (DE/AT/CH). Only about 5 non-European Assurers (judging from email addresses)...
- need to mention that the Assurers will be chopped off
- Teus: how many Assurers have 150 points? Ask Philipp.
- how many Assurers are active today? In the last 6 months?
- if number of active Assurers (last year) is N, then 25% should have it before we impose a deadline.
- Ted to chase PR? Ask Ted whether he can ask Greg + Henrik to generate some PR?
- Challenge-passed
- report over to core system, status of that?
iang to chase:
- implementation of Challenger-passed mark into the database is pending?
- teus reminded Philipp.
- assurer mark for challenge passed assurers
ask sysadmins for this http://bugs.cacert.org/view.php?id=499 is progressing: Current status:
Import interface (CATS->CAcert DB): In code review
- User interface (showing passed tests in CAcert account): Coding with low intensity
- Admin interface (modifying results): pending
Other
- Assurance promulgation plan
- main web page has been updated
- logo is in
housestyle adoption is pending, johan needs access to test system, evaldo to chase?
- teus wants metadata on the page for the policies.
- on the todo list
- Changes
- Principles should be somewhere too
these are recorded as task on RolloutCommunityAgreement
Systems
- new team members
- Evaldo to present list
- several prospects for non-critical servers, positive
- Nagy (Hungarian)
- Matthijs M
- ishbir
- Jacob S
- amessina
- premrara
- kim H
- shaun L.
- thomas w (association member) salzburg
- Sam J (SAGE, google apps)
- questions (however brief) for 20080326
- proposal for new non-critical members for 26th
- agreement on 29th by M-SC+pg
- Cachaca project drafted: to be decided:
- need speed.
- philipp is back from link protocol
- need to assess amount of time he has available
- NL team will need 2 people in sysadm team to meet dual control criteria
- request for costs is implied
- preparations in Brazil, in "production with test systems"
- had got close, but disks got reallocated
- starting again, but this time with documentation
- doco not yet published
- should be part of the security manual
- remote work? how to do the reboot remotely?
- prepare the kvm before flight?
- Plan proposed to board???
- M-SC decision is to build the team to move the system to Netherlands.
- Evaldo is to start that team.
- Philipp is providing the software to Evaldo.
incorporate tonight's changes, circulate plan, and then send plan to board. iang
Admin
- Funding
- from Audit Project?
- AtC funding needed?
- NL move
- USB link installed, serial line was also requested by PG
- interest of volunteers: JJ (NLnet Labs) proposed, Medison (pending)
- no interest seen: old email from PG with some names. Need to chase.
- create systems committee
Evaldo compiles req list For systems sub-committee? We said it is not exactly needed
- need closed group nomination policy?
bounce back ideas and create a proposal to board: all
- link
- serial not on Suns
- Spare Tunix firewalls PC has them
- or use USB, or use Ethernet, device nodes available?
- software
- decision taken by board sw to go to EG
- familiarisation with sw is started
- Some pieces are already sent, missing many pieces still, but probably able to create a working set with the available data already
- Virtual machine with signer is installed, missing OpenSSL profiles
- Virtual machine with web application is in progress, missing some bits and pieces
- Support team
- new member was discussed (problems: not assured, possible conflict of interest with his work)
- notify ggr + rob of situation: done, Member not invited.
- admin team: Daniel, Ted, Michael ???
- check OCSP/CRL distr systems (Philipp request)
- not clear what check is required
- outline of concerns by Evaldo to M-SC:
a CRL distribution point that is NOT UP TO DATE is a big denial of service on revocation (unable to properly revoke and send the message out)
a bogus OCSP server can declare legitimate certs revoked, and vice versa
Even if we decide to remove a DNS entry for the bad servers, DNS caching might hurt us
- PG asked for status.
- iang to talk to Pete S
- are these critical systems?
- nothing much on them
- DOS for revocation checking
- certificate could be used for a social engineering attack
- teus chase philipp with questions. Done.
- OCSP/CRL usage stats: 5000 p/mnth (PG)
- outage stats OCSP routing: 25 mins/mnth (98% uptime) (PG)
- getting sources up and available
- good to get the board to finalise the licence under which the source code is to be issued.
- agreed that CAcert is to own the full rights, as per the FSFE tfr agreement
proposal to board to be written up on that basis iang
iang to review GPL[23] again
House Style
- new logo is in
- web style has not been incorporated ... (promised first week Febr) to be incorporated.
- No action caused ripple effect for events. New request on 13th of March with one week to results.
request for access on test system by Johan. Also on 13 March email to support. evaldo to chase
- advertisement handling (teus: status unknown)
- cert button (teus: status unknown)
Admin
- organigram wait for community comments ends on 1st of March.
Evaldo to review.
- email lists / aliases for offices. Names / offices to be sync'd. Still to do. Wiki needs to be updated.
- leave it as it is for now, pending the systems changes.
- progress on tracking system: none found as yet.
- wiki pages update in progress by M-SC (!?)
- more people to help for doco
- now in svn: Doc Policy work-in-progress, early stage, not near to DRAFT
Audit
- workplan for auditor, teus
- MoU with Ian is in place.
start real audit requires NL move + dual control
- preparations
- policy Assurance Policy
- press release
- rollout plan: policy progress
- where we are now, write statement of where we are
- look at the report sent to board in around January.
- rewrite this for up to date comments, plus the needs in the MoU.
- add bullet that MoU is now in effect, has ramifications
- timeline, operations.
- defer discussion until we have had a chance to review the MoU.
- look for MoU and get it to the SVN.
- security manual
- NLnet-MoU
- need announcement press release, but defer this until after agreement with auditor is reached
- RC received first 9K
- documents now on website
- real audit can only restart when systems are completely moved to NL. Need date (Cachaca project and/or PG last trial); GP seems to be stalled on serial/link protocol.
- need link from main web site to audit pages.
Committee meetings
Cmtee met 29th Febr 2008. Minutes and decision list are updated on wiki Board/Minutes/20080229
- AGM and board minutes need (board) review
iang has now read the minutes, and will review them again!
Assurance Events
- Need CeBIT report (Jurgen/Mario)
CAcert Associations
- Policy on Foundations and Associations: to be updated
- introduce it to the policy list
- secure-u commitments, still pending, still under negotiation
- for example, funding earmarked for CAcert should be controlled by CAcert (board notice?)
- if local funding is raised locally how to get properly in control of CAcert?
- finances for meetings
- non-profit issue raised
- needs a change of CAcert Inc. by-laws
- SGM called on 4th April for Association
- mail has gone out to members of the Association
- within 3 weeks so it is enough notice to change the rules
- is in hand
- board asked M-SC to do the preparations for the AGM
- date: 20081107 23:00 MET.
PR / Marketing
- flyers/CAP/COAP, CCA printouts, sources
- presentations in svn tree
- need overview of events in wiki
M-SC finances
- finances for meeting travel
- equipment funding?