(Brief) Audit Report for AGM. See also the (long) Report to Community 20081007 on same day, and all other reports.


  1. Systems are moved: new team is working through its milestones.
  2. Documentation is now in reasonable shape. Two major shortfalls:
    1. Security Manual.
    2. CPS email/domain checking is a major issue as there has been little forward movement on this, and it is now going to cause problems.


  1. end November:
    1. root creation for top-root and Individual-Assured subroot.
    2. three milestones given to new sysadm team (discuss with Wytze).
    3. introduce sysadm team to Security Manual
  2. December:
    1. Security Manual work-thru
    2. Make a plan for operational review as per DRC-C (depends on 1.b above).
  3. January:
    1. work through the email/domain checking.
    2. perhaps start operational review (2.b and 1.b above).
    3. Move AP to POLICY
    4. start operational review on assurance.
  4. Feb:
    1. if all goes well, think about a limited audit report ==> Mozo.


  1. CPS is partially updated to incorporate a WIP (work-in-progress) Relying Party Statement:

All information in the certificate is Verified.

Certificates are only issued to Members.

Think about that: it is the link between Assurance and Certificates and Reliance, leading on to Disputes. Get that right, and things are solid. Get it wrong and the edifice teeters and totters.

  1. A lot of time has been taken up by the LISA presentation.
  2. Security Manual: some of the experienced are being copied in. I hope to talk to Pat this weekend and get a handover of some form on the SM.


  1. Since 2006, Mozo has now changed track to a dual-path: EV and "non-EV". EV stands for "Extended Validation".
  2. Board prefers to maintain *high standards*. But accepts short-term audit approach of new root going into Mozilla in their "non-EV" track.
  3. Propose limited audit report on Individual Assured Members subroot only. Do the rest later.
  4. Could be proposing this by Feb-April if the operational review goes OK.



  1. fix that CPS bug: email/domain checking
  2. think about how to help the tech side. Easy fixes: Lots of small systems on the non-crit area, or fix some source code.
  3. if you are in the OA area: get some doco out there, and look at those bugs.




Audit/CommunityReport20081007short (last edited 2009-10-11 14:04:46 by UlrichSchroeter)