1. Critical Systems
Critical Systems are now unblocked.
1.1 Migration of Critical Systems
The plan to move the systems worked well, see blog for earlier report. Only minor problems were noted.
- As the systems have undergone a traumatic move, it is important to make sure the basics are well under control before adding further complications such as audit. Before the operational audit of the systems starts, it would seem wise to have the following under control:
- backups -- taken and tested as recoverable
- passwords+keys -- collected and tested as accessible
- change -- modifications being made to the systems are tracked and controlled
Without these things, or more precisely, without the systems administration team being comfortable with these things, we should wait.
1.2 Control of Critical Systems
- Then, the really big issue is a design for dual control over the critical systems. In discussions with the systems administration team, the following has evolved:
- physical access to the signing server involves two administrators present at all times, therefore dual control.
- access to the core server is logged via a revision control system, so every change can be reviewed by a second person, therefore 4 eyes.
- This is a good start. We can improve it over time. Let's work with that for now.
1.3 New Roots
- An attempt to create new roots bogged down on procedures. Clearly, creating a procedure under which we are sure that the software is correct, the machines are safe and the random numbers are good is not easy.
- Next attempt: 28th November.
1.4 Team Growth
As we know, there is too much work for one person. Also, the principles of security and governance require several people to do and to watch the work. In the next few months, the Board and the systems administration team will be looking for people to help. There are many small jobs; speak to them.
2. Policy
Important Policy steps are now overtaking the critical systems as the main source of concern.
One CPS bug is now resolved, one remains: email/domain checking.
Notification of the CCA to our Members is critical.
2.1 The CAcert Community Agreement
Important steps with the CAcert Community Agreement are still to be done: checkboxes for the Agreement, CAP forms on the main site, and notification of Members.
2.2 The CPS -- Two Issues Being Resolved
The Policy group voted that all information in a certificate is Verified (see p20081016). This means a commonName (CN=) could be either checked by some process or Assured; either way, there must be a verification of some form.
This problem is now resolved in policy terms; but the details have to be worked out for the case of Organisation CNs, and the CPS needs to be updated to show the solution.
The other "bug" in the CPS remains unresolved -- Domain / Email checking. See Domain and email checking for details, and the Previous report. This might not be re-addressed until the new year, as everyone has a full task list until then; however, this will slow down some important programmes.
2.3 Other Policy Areas
Reminders for the new year: the Assurance Policy, now in binding DRAFT, might be ready for careful review and then a vote to POLICY. See here: DRAFT form. The exceptions -- TTP, Super-Assurer, Junior, etc. -- are coming soon to a Policy debate near you.
Arbitration addressed and dealt with its first important case: closure of an account, and all the difficult questions surrounding this. Basically, data protection says one thing, and the concept of CAs says another. See the Ruling for how that turned out. Arbitration forms an important part of governance because it cleans up the difficult parts left over by Policy. Together they work very well; apart, they struggle alone.
Taking the Security Manual from its current 1st cut form to DRAFT may be the next big emerging challenge.
2.4 Organisation Assurance
Organisation Assurance has recently shown that there are a lot of things that need to be fixed:
- the commonName needs to be documented according to (new) verified policy, as above.
- the relative responsibilities need to be laid out in the OAP: Organisation Assurer, O-Admin, Organisation, and the individuals inside the organisation.
- the suggested feature of automatic certificate populating needs to be documented and tied into the various policy statements: verification, keys security, etc.
- the procedure for doing the OA needs to be documented, in much the same way as the Assurer's Handbook does it for Individual Assurance.
All the above suggests -- to me -- that the OAP now needs to be revised, and that OA will miss the boat when a first audit report is done, below. At the least, we need the above things documented in order to get a better view.
3. Proposal for Short Term Audit Path
- In the three or so years since Audit work started, things have changed. One difference is the evolution of a tighter Webtrust specification called "Extended Validation." This has shifted Mozilla's posture towards a two-track approach: "EV" and "non-EV".
- The former is a fairly high bar, the latter is a relatively low bar. This has raised the question whether CAcert wants to take the high road or the low road. Discussions with the Board concluded that while it might be OK to pursue the low bar in the short term, CAcert's standards are aimed at the high bar, and beyond.
- The proposal then is that in the short term, we concentrate the audit on the Assured, Individual Members. This would mean: create the root and subroot for Assured Members, audit that offering and service, and deliver an opinion.
- Then, at a later time or in parallel, we would work on and finish the subroot for unassured Members (formerly known as the Class 1 root or the Anonymous root), pending the fix of the CPS email/domain bug. The same goes for Organisation Assurance (subroot), working on the package identified above.
4. Audit Admin
- Phase 1 of the Audit Funding agreement has now been agreed as complete by NLnet and the Board, primarily because of the successful move of the critical systems, a major milestone. Moving to phase 2 brings in 9.000 euros from NLnet, evenly divided among the auditor, expenses and work budgets.
This report is presented to the Community, for the Annual General Meeting of the Association, 7th November 2007.
Also note there is a major presentation requested at LISA, 13th November. This will cover the audit's perspective of the history. As audit's job is to look at the critical aspects, and ignore any positive feel-good marketing, this presentation will be highly critical of all; put your hard hats on!
The next 2-monthly report should be around January.