AuditToDo - CAcert Wiki

Stuff that is Complete is now in Audit/Done. Each item below moves there when complete.

Audit-1 Closure Tasks

List of tasks that I have to finish off to get closure on the audit.

Task	Status	Comment
Recommended list of audit tasks	new board / SGM	A prioritised and named list of tasks as a work programme. This was more or less dominated by board priorities (finance, data prot., infra-hosting) and in detail was not done.
brain dump	new board	done informally with new directors over skype
DRC	server down	bring the DRC browser up to date so the criteria can be considered an accurate record and/or move it to a better platform
Systems	next	document the preliminary findings, next steps. see above, over-swept by board priorities.
Finance & support	...	document all the in-kind and help for the audit process
Cleanup Doco	ongoing	wiki, SVN

This is the list of things that are outstanding following the path of the first DRC Audit:

Task	Who	Status	Blocking	Since	Comment
Assurance Review	Audit	Spring Tour Complete	.	20080712	Review of Assurance was rejected by board, but Minutes of Assurance Mini-TOP preserve the work plan.
Notifications	Board + Wytze	Board has requested	Assurance Review	20070830	notify all Members of CCA. See RolloutCommunityAgreement
Software Changes to Website	Board Software	???	Assurance Review	200806xx	a. NRP-DaL notice on Roots download page. b. add checkboxes "I agree to CCA." to cert creation; c. drop wrong/out-of-date contract text; See RolloutCommunityAgreement
Software	Board (PD)	rebuild	DRC-C	20090520	need to review the Software Development progress
Systems - Disaster Recovery	Board	...	DRC-A	200905xx	pending
Systems - Backups	Board	...	DRC-C	200905xx	pending
Sysadm expansion	wytze	...	survival	20080930	need more sysadms; ideally around 10
Support expansion	support t/l	in progress	...	20080420	close to solved
Security Policy incorporate feedback from review, Application Engineer, Support changes	support t/l, sysadm + policy group	to policy group	...	20090327	taken to DRAFT, some mods needed
Domain / email verification	Board Software	policy decision made	CPS	20081224	needs to implement new p20090105.1 domain/email decision
CCS	m-sc	wip	DRC-A.1	200611xx	Is the key to the audit criteria
Root documentation	Board nrTF	incomplete	DRC-C	20090508	review of roots in visit #1 found lacks in documentation and protection
Test New Roots	Board nrTF	wip	DRC-C	20081129	testing of roots

Things that were either deliberately deferred in last Audit, or are routine and regular.

Task	Who	Status	Blocking	Since	Comment
Assurance Work Plan	Sebasitian (Assurance Officer) and Ulrich	basics in mini-TOP	future audits	20090517	mini-TOP in Munich laid out the basic problems that Assurance has to deal with over next year
Review of WoT Exceptions - OA, SuperA, Code signing TTP, PoJAM, TVerify, ...	authors	only blocking themselves	DRC-C		Some of these are being wound-down so may be scrapped by time Audit gets to them
Assurance Handbook	AO	wip	.	2006-06...	Needs to incorporate all from Assurance Policy (now DRAFT)
CN= for OAs	policy	decided	CPS	20060101	policy decision is that all info is verified; now need to fix CPS
Community Reports	CAcert Inc and/or Audit	wip	next milestone	20071226	Ongoing requirement from NLnet. Last from Audit was June 20090623
3rd Party Vendor Agreement	policy group / AO	early wip	R/L/O	200701..	R/L/O, 3pv-DaL works hand-in-hand with RUA and NRP-DAL. Some discussion going on over at Mozilla.
OrganisationAssurance review	board	deferred	.	20081003	resolve policy questions. Document practices, add verification. Do we need a OrganisationAssuranceManual?
OA root	nrTF	OAP	.	20081003	Create one Assured Organisation subroot.
Member root	nrTF	email/domain checking	.	200801xx	as per DRC. Create one Member subroot.
Webtrust criteria	Auditor	Deferred			Working on DRC only for now, although Board has requested a comment on switching. Also look at ETSI.