This was written early January 2008, but not delivered. It is recorded here as a representation of the current point in time, but should be considered unpublished until 20080320. Previous and Next in series of reports.
a. We held an executive meeting in September (kindly funded by NLnet) and approved the following policies to POLICY status, which means they are complete.
- Dispute Resolution Policy (POLICY)
- Non-Related Persons -- Disclaimer and Licence (POLICY)
- Organisation Assurance Policy (POLICY)
Principles of the Community (this one was approved in principle)
b. At the above meeting, we also approved the following to DRAFT, which means they in effect for the community, but we need a decent period of "last thoughts" before they go to POLICY:
- Policy on Policy (DRAFT) CAcert Community Agreement (DRAFT)
CCA is now POLICY, with Policy on Policy to follow in a month.
c. We have started work on additional policies:
d. CAcert has negotiated to get a Security Manual written.
e. Once the things in c,d are done, the CPS can be filled out, and this will complete the "documents" part of the audit requirements.
With the approval of the above, we have established who is in the Community, and what we owe to each other. This is a big deal, and with these policies, we are well on the way to establishing our risks, liabilities and obligations in a way that has never been done before, at least openly.
What remains to be done: push the agreements through the website, CAP forms, community, systems, etc. That means changes to the website, paperwork, etc. Getting agreements, explaining the meaning... Especially, everyone of you will be asked to agree with this, so as to enter the Community. Have a read of the CAcert Community Agreement.
(At time of writing, it was called the Registered User Agreement.)
NLnet and CAcert have entered into an agreement to provide funding for audit. This is documented here:
Note that this agreement requires CAcert to report to the community roughly every 2 months on how the Audit progress is going.
a. Non-critical systems (blog/wiki/svn/....) were moved to NL center at BIT over last few months.
b. We remain blocked on the critical systems.
c. We do not have enough systems administrators to implement dual control, nor to run all the machines, nor to move the critical systems. Let us know if you can help.
Criteria -- 140 or so of them -- continue to drive the audit. They are being slowly put on line, with some noddy PHP to search them. This will allow us to slice off views of the criteria for each specialist to work on.
6. CATS - Have you done the Assurer Challenge yet?
Saving the best for last, CATS was rolled out for Community use on 2nd January 2008. This testing system operates the Assurer Challenge, and will establish what it means to be an Assurer in a solid, objective fashion. On this statement:
- "all our Assurers have been tested"
we can build what it means to be assured.
CATS also has another significance: it uses certificates for login, and uses the certificate identity to manage its user base. This makes it an excellent test bed for working with our own product; the americans would say, "eating our own dogfood." For this reason CATS is actually a completely separated system, and it also challenges us to understand working with partners, and privacy.