These decisions have been issued to CAcert by the External Auditor. Note that many other issues were negotiated, and many more were dealt with by the Board or the Policy group directly. To a large extent, the below is a historical reconstruction; take these paragraphs as indicative rather than accurate.

ad200805xx Build new critical systems administration team

Old critical team will not be audited. CAcert is to build a totally new systems administration team for the critical systems with no cross-over of personnel.

Because of the repeated events that showed flaws in governance, it was decided that the new team would have to prove itself totally capable without interaction with the older team. The presence of the older team clouded the issue as to whether controls were in place or not.

A major step toward meeting this was taken on 20080830, when the systems were moved.

ad20070821.1 old roots are AUDIT FAIL

Existing Roots are Audit Fail. Procedures must be established, old roots must be deprecated and replaced with new roots.

At the 2007 'Top', the absence of any documentation and history for the old roots was discussed. The Board decided to deprecate the old keys and cut new keys. This was reaffirmed and explained in Community Report 20080902, and responded to by the Roots/NewRootsTaskForce.

ad2007032x.1 Organisation Assurance frozen

Organisation Assurance is frozen until a policy can be written and approved.

At CeBit2007, contradictions emerged in OA that indicated that the Board had no control. The policy was written by the Advisory meeting in Pirmasens on 20070818 and approved by the Board at the September 'top', in time for the "Systems" event in Germany. See EmailBoardDecisions m20070822.1 and m20070928.1.

ad20061220.1 Audit is frozen

The audit is frozen while the systems are being migrated to Netherlands.

The audit was thawed somewhat at the September 'top' (see below). The operational phase of the audit remained frozen until migration, but policy review could continue.

ad20061200.1 No deals

The CA is to make no deals with other parties. Auditor asserts oversight. Request to Mozilla and others for root ascension is to be frozen.

See 20070226.

This was totally repealed at September 2007 'top'.

m20070919.1: The board declares that it is up to speed and is in charge of CAcert assets and procedures. Auditor now believes that we can resume negotiation with other parties, e.g. Linux distributions. .... Oversight by the auditor has terminated ...

The CA is to disclaim all liability to all Non-Related Persons.

Responded to by board 20060929 and in effect agreed that


Took final effect with approval of NRP's old D a L in m20070918.1.

Historical notes:

  1. in some early documentation this is referred to as AD1.1

  2. the NRP's old document was withdrawn and replaced by RDL p20100710

Audit/Directives (last edited 2014-06-02 21:44:59 by BenediktHeintel)