• Advisory
• AMinutes20080327

Management Sub-Committee status of actions 20080403

Pending action points:

Dispute Resolution

• email list of case managers and arbitrators, no news
• any cases?

  • case Jazbec has had final ruling. GR is case manager.

  • new case on name (Warnat). GR is case manager.
• M-SC asked for CeBIT report, no feedback yet. No cases filed arising from CeBIT.

Assurance

Policy list work

• teus chart is in wiki and svn tree. Wiki updated. Table updated. Need to chase person on the lead of an Office.

• OA, M-SC has taken the lead for OA. Pending in AT 1, US 3, AU 1-2, CH 2, SE 1, IE 1, FR ?.
  • CH is stalled. Teus is chasing got ref from SC.
  • OA AT: sub-pol is in draft. p20080310 is recorded.
  • OA USA: GS, GM + RJ no reactions yet,
  • general COAP init by Sam?
  • AU COAP needs dns record discussion.
  • OA AU: voted on 2st of April.
  • OA IE. SJ initiated similar to OA AU, need extra vote from IE
    • SJ from Ireland

  • feature request for DNS control check? evaldo to chase OAP (main one, not subpol):

  • countries/areas which have no OAs nor a subpol. Proposal to change OA Pol.
    • voted on 1st of April, added to Pol Decisions and svn tree.
    • give it 2 weeks for spelling/typos to appear in formal draft policy.
  • wiki on OA; SJ seems to get on with this.
• how do we check who is an assurer?
  • now CATS passing-marks are in the database is easier
  • overall question still stands for the Assurance process
• privacy/public status of the information in the certificates
  • cert numbers
  • name
  • DPA issue policy discussion: DoB drop request, no clear vote.

    • dropping the DOB and making all cert info as "public" means practically all DPA/PII data disappears. Big win!

    • internal discussions with Sam, M-SC, Philipp on DPA
    • DoB on user initiative?
• code-signing policy
  • TH made proposal to [policy] for basic claims plus optional claims (still to do)
  • code-signers enter into a contract
  • modeled after the Creative Commons concept
  • code signing: proposed signer agreement and signer statements/claims Then policy write up
• Dutch DPA authority statement that it is forbidden to copy passports
  • do all passports copies need to be dropped?
  • what about old Assurers?
  • some very early Assurances were "send photocopy to CAcert Inc" ... what to do?
  • board question is whether the board decides to unilaterally drop their copies and their requirements.

  • Teus announced this decision to policy list:.

    • need to announce to all Assurers to destroy
    • need a dispute filed to ask Arbitrator to order all passports copies to be destroyed. (i) Assurers, (ii) CAcert Inc., (iii) support IMAP mailbox.

  • policy question is whether to delete and drop any and all requirements. Teus.

  • priority is not high, but we need to progress the question
  • add a CATS question, when we have a result
  • related question: Identity Numbers (passport numbers, identity card numbers) were and are being written down on CAPs.

• Tverify ==> subpolicy for other CA's members.

  • Tverify needs subpol to be written, on ToDo.

• TTP
  • need a subpolicy (propose a new policy) proposed
  • due to help request it is proposed. Discussion started.
• Junior Assurer, below 18 years of age
  • need a subpolicy for Junior Assurer
  • there are about 30 or so...
  • 10 points allocatable only.
• Senior Assurer, people who have reached 150 or beyond?
  • need to drag out the wip doco and think about it
• php and wiki list to compile for text changes due to policies
  • new e-mail cert form request php id
  • new certificate request page text
  • translation is an issue
  • translingo is back but still a good idea to move to rosetta?
• trial started for form fields in pdf/OpenOffice : trail on CAcert Inc. forms and COAP forms.
• need PDF/OpenOffice signature features/tooling

CATS

• 2nd sysadmin, has he been added yet?

  • Evaldo: Add Ted.

  • Evaldo is changing the test system, when changed, can bring in new sysadms
  • Current server goes down soon, new server is online.
  • Sonance requests one VM for DNS/mail failover.
  • can over the same in return

• Bernhard has reported: for those interested in such things here is a current status of CATS:

  • 341 different certificates have passed tests (ask Sourcerer how many different users, I'd guess more than 300)
  • Since CeBIT (about 100 tests on CeBIT saturday!) there have been 5-10 passed tests per day
  • I have created about 150 documents for passing the test, including 27 printed ones
  • The passed results are already imported into the CAcert database
  • User interface for viewing passed tests is in code review
  • Admin interface and other related code changes are in (slow) progress

  • The great majority (>90%) of users who have requested a document have been german speaking (DE/AT/CH). Only about 5 non european Assurers (judging from email adresses)...

• need to mention that the Assurers will be chopped off
  • Teus: how many Assurers have 150 points? Ask Philipp.
  • how many Assurers are active today? In the last 6 months?
  • if number of active Assurers (last year) is N, then 25% should have it before we impose a deadline.
  • Ted to chase PR? Ask Ted whether he can ask Greg + Henrik to generate some PR?
• Challenge-passed
  • report over to core system, status of that?

  • iang to chase:

  • implementaton of Challenger-passed mark into the database is pending?
  • teus reminded Philipp. No action yet seen.
  • assurer mark for challenge passed assurers

  • ask sysadmins for this http://bugs.cacert.org/view.php?id=499 is progressing: Current status:

    • Import interface (CATS->CAcert DB): In code review

    • User interface (showing passed tests in CAcert account): Coding with low intensity
    • Admin interface (modifying results): pending

Other

• Assurance promulgation plan
  • main web page has been updated
  • logo is in
  • housestyle adoption is pending, johan says he has access to test system.
• teus wants metadata on the page for the policies.
  • on the todo list
• Changes
  • Principles should be somewhere too

  • these are recorded as task on RolloutCommunityAgreement

Systems work

• new team members
  • Evaldo to present list
  • several prospects for non-critical servers, positive

  • CharlieGarrison

  • Nagy (hungarian)
  • Matthijs M
  • ishbir
  • Jacob S
  • amessina
  • premrara
  • kim H
  • shaun L.
  • thomas w (association member) salzburg
  • Sam J (CISSP, SAGE[-AU,-IE], Google Apps)
• questions (however brief) for 20080326
• proposal for new non-critical members for 26th...
• Philipp has initiated task list on wiki
• establish good cooperation between PG and EG (trial TH)
• seem no cooperation between PG and EG on this. Teus asked PG.
• agreement on 29th by M-SC+pg
• Cachaca project drafted: to be decide:
  • need speed.
  • philipp is back from link protocol
    • need to assess amount of time he has available
  • NL team will need 2 people in sysadm team to meet dual control criteria
  • request for costs is implied
• preparations in Brazil, in "production with test systems"
  • had got close, but disks got reallocated
  • starting again, but this time with documentation
  • doco not yet published
  • should be part of the security manual
• remote work? how to do the reboot remotely?
  • prepare the kvm before flight?
• Plan proposed to board???
  • M-SC decision is to build the team to move the system to Netherlands.
  • Evaldo is to start that team.
  • Philipp is providing the software to Evaldo.

  • incorporate tonight's changes, circulate plan, and then send plan to board. iang

Admin

• Funding
  • from Audit Project?
  • AtC funding needed?
• NL move
  • USB link installed, serial line was also requested by PG. Status?
• chase status of more admins failed with PG.
• create systems committee

  • Evaldo compiles req list For systems sub-committee? We said it is not exactly needed

  • need closed group nomination policy?

  • bounce back ideas and create a proposal to board: all

• link
  • serial not on Suns
  • Spare Tunix firewalls PC has them
  • or use USB, or use Ethernet, device nodes available?
• software
  • decision taken by board sw to go to EG
  • familiarisation with sw is started
  • Some pieces are already sent, missing many pieces still, but probably able to create a working set with the available data already
  • Virtual machine with signer is installed, missing OpenSSL profiles
  • Virtual machine with web application is in progress, missing some bits and pieces
• Support team
  • new member was discussed (problems: not assurered, possible conflict of interest with his work)
  • notify ggr + rob of situation: done, Member not invited.
• admin team: Daniel, Ted, Michael ???
• check OCSP/CRL distr systems (Philipp request)
  • not clear what check is required
  • outline of concerns by Evaldo to M-SC:

    • a CRL distribution point that is NOT UP TO DATE is a big denial of service on revocation (unable to properly revoke and send the message out)

    • a bogus OCSP server can declare legitimate certs revoked, and vice versa

    • Even if we decide to remove a DNS entry for the bad servers, DNS caching might hurt us

  • PG asked for status.

  • iang to talk to Pete S
  • are these critical systems?
    • nothing much on them
    • DOS for revocation checking
    • certificate could be used for a social engineering attack
  • teus chase philipp with questions. Done.
  • OCSP/CRL usage stats: 5000 p/mnth (PG)
  • outage stats OCSP routing: 25 mins/mnth (98% uptime) (PG)
• getting sources up and available
  • good to get the board to finalise the licence under which the source code is to be issued.
  • agreed that CAcert is to own the full rights, as per the FSFE tfr agreement

  • proposal to board to be written up on that basis iang

  • iang to review GPL[23] again

House Style

• new logo is in
• web style has not been incorporated ... (promised first week Febr) to be incorporated.
• No action caused ripple effect for events. New request on 13th of March with one week to results.No success.

• request for access on test system by Johan. Also on 13 March email to support. evaldo to chase. Done.

• advertisement handling (teus: status unknown)
• cert button (teus: status unknown)
• advertisements in wiki pages does not mix well with style (SJ).

wiki

• wiki pages update in progress by M-SC (teus)
  • more people to help for doco
  • now in svn: Doc Policy work-in-progress, early stage, not near to DRAFT

Audit

• workplan for audit work and preparations.
  • MoU with Ian is in place.

  • start real/formal audit requires NL move + dual control

  • preparations
    • policy Assurance Policy
    • press release
  • rollout plan: policy progress
  • where we are now, write statement of where we are
  • look at the report sent to board in around January.
  • rewrite this for up to date comments, plus the needs in the MoU.
    • add bullet that MoU is now in effect, has ramifications
  • timeline, operations.
  • defer discussion until we have had a chance to review the MoU.
  • look for MoU and get it to the SVN.
• security manual. Is on wiki. Seems Pat need better help. Chase PG.
• NLnet-MoU
  • need announcement press release, but defer this until after agreement with auditor is reached
  • RC received first 9K
  • documents now on website
• real audit can only restart when systems are completely moved to NL Need date (Cachaca project and/or PG last trial; GP seems to be stalled on serial/link protocol.
• need link from main web site to audit pages.

Committee meetings

• AGM and board minutes need (board) review

  • iang has now read the minutes, and will review them again!

Assurance Events

• Need CeBIT report (Teus asked twice Jurgen/Mario)

CAcert Associations

• Policy on Foundations and Associations: to be updated
  • introduce it to the policy list
• secure-u commitments, still pending, still under negotiation
• for example, funding earmarked for CAcert should be controlled by CAcert (board notice?)
• if local funding is raised locally how to get properly in control of CAcert?
• finances for meetings
• non-profit issue raised
  • needs a change of CAcert Inc. by-laws
• SGM called on 4th April for Association
  • needs reminder on 1st of April.
  • mail has gone out to members of the Association
  • within 3 weeks so it is enough notice to change the rules
  • is in hand
• board asked M-SC to do the preparations for the AGM
  • date: 20081107 23:00 MET.
• two new applications for membership: PG (nominated?) and SJ (ready to go).

PR / Marketing

• flyers/CAP/COAP, CCA printouts, sources Teus: they are in the svn tree now. Try out for form fields. OOo generates OK PDF. OOo signing OK. PDF signing only from commercial packages.
• presentations in svn tree (inclusive some old ones).
• teus restructured svn tree (from flat to some hierarchy)
• overview of events in wiki needs update. MS!

M-SC finances

• finances for meeting travel
• equipment funding?

end of action points