Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100221

To Brain CAcert Inc. - CAcert.org Members Association - To Brain CAcert Inc. Committee Meeting Agendas & Minutes - last meeting - next meeting

Agenda - Committee Meeting 2010-02-21 - 21:00 UTC

1 Preliminaries

1.1 Chair opens the Committee Meeting
1.2 Accept the Minutes of the last Committee Meeting 20100202
1.3 Progress on agreed ACTION items

Action	Who	Progress
edit secretary alias	Daniel	Completed - now pointing to Mark and cacert-inc list
Blog announcement for new board	Mario	Done
critical team to update http://www.cacert.org/index.php?id=8	Daniel	asked by Martin Gummi completed by Wytze van der Raay
write up Oophanga letter response for President Lambert's signature	Mark
contribute to discussion on Board/Community goals on board email list	ALL
forward letter to board list	Daniel	Done
Just do it! - setting up pr@cacert.org and press@cacert.org to forward to the cacert- board-private list	Daniel	done
Get automatic sending bit on the key persons list that I said I'd do ages ago.	Dan
Pay Ian (old audit debt related) and Oophanga	Mark
Westpac to change to a single signatory to sign payments in accordance with AGM rule change.	Mark
revisit more signatories once current mess is sorted out	Mark
provide Ernie with last bank statement (received 29th Jan)	Mark	done, reports Ernie
lodge finance papers with Office of Fair Trading	Mark	(Dan signed papers for it)
check the old Act for other courses of action (reference recovery of assets)	Ernie	Daniel and Ernie looked couldn't find anything
deliver firmly worded letter to former public officer	Mark
write up 20100202 board minutes	Daniel	Done
Write up AGM minutes	Ian	not as yet attempted, does anyone have the transcript in easy readable form?
AGM rule changes to Office of Fair Trading	Mark
Association rules on svn and wiki	Unallocated
alter board minute template to no longer require ratification of voting items	Daniel	Done
incorporate "1.4 to Agenda Template: publish summary of private list" to board meeting template	Daniel	Done

1.4 Summary of Board Private list since YYYYMMDD

2 Businesses - Important Note: Acceptance of Businesses 48 Hours before beginning of Committee Meeting latest!

2.1 Payment Authorities added by IanG
- payments authorities need to be addressed by board and wished to discuss this (reference to rule changes)

2.2 AGM Resolution - cost of payment facilities - added by AssociationMembers

5.1 Cost of Payment Facilities

It is resolved that we think the transaction costs of paying into the existing facilities (Australian bank account, Paypal) are too high and represent a significant barrier, and we request the committee to investigate alternative payment possibilities, and that they either implement these or report back to the membership on why these are not effective. For example, a SEPA account.

CARRIED as agm20100130.5.1 Aye 23 Naye 10 (Abstain 7)

2.3 Support - added by Iang
1. Propose changes, ex-Iang, Michael as Team Leader.
2. Plan for next few months.
3. notes offered by Iang
2.4 Assurance - added by Iang
1. News from Fosdem 2010 Brussels MiniTOP.
2. Lightning Talk given.
3. Plan for Season.
4. Preparation for CeBIT 2010.
5. Team roles / changes.
6. notes offered by Iang
2.5 Software - added by Iang
1. review progress, next steps
2. 3 issues to report on
  1. ABCs + team leader interviews.
  2. Markus reports on progress in repository project
  3. pending
3. old board's motion on new Software Assessment members.
4. notes offered by Iang
2.6 Sysadm / Critical / Infra - added by Iang
1. status of infrastructure, VM hosting news.
2. teams & growth
3. access team / leader
4. infrastructure team / leader Iang added late, may prefer to defer this to next agenda.
5. incident & recovery functions
6. notes offered by Daniel
7. notes offered by Iang
2.7 Other Issues - Smoke not yet Fire! - added by Iang
1. conflict of interest
2. New Root
3. Funding.
4. Audit work
5. Mission
6. Message: how can you help?
7. Client certs
8. Association Membership composition / Assurers / Fee

3 Question Time
4 Closing
- 4.1 Confirm next Committee Meeting: Saturday of the month, 6th March 21:00 UTC.
- 4.2 Chair closes the Committee Meeting
- 4.3 Preparation of Minutes

Minutes - Committee Meeting 2010-02-21

1 Preliminaries

1.1 Chair opens the Committee Meeting 21:05:42 (Daniel Black)
1.2 Accept the Minutes of the last Committee Meeting 20100202
- accepted by all
1.3 Progress on agreed ACTION items
- Updated as above - No news from Mark so we'll carry these forwards.

2.1 Payment Authorities

payments authorities need to be addressed by board and wished to discuss this (reference to rule changes)
On hold while bank process current authorities

2.2 AGM Resolution - cost of payment facilities

- added by AssociationMembers

5.1 Cost of Payment Facilities

CARRIED as agm20100130.5.1 Aye 23 Naye 10 (Abstain 7)

Ernie - we can't spread [our account money] all over the world
Ernie - see Annual report 2008/2009 for current costs
Lambert - I agree that adding accounts is expensive
Nick - in favor of opening a US account
Daniel - if we incur extra expenses I'd be asking our membership to cover it
Ernie - we need a legal location in where we open accounts (specifically referencing US) (Ian/Nick disagree)
Nick to investigate a US bank account - needs US PO Box which costs about $US 40/year
Daniel - can we have a cacert-eu association (e.g. Oophaga, secure-u in DE, Sonance in Austria) that can wire us money on behalf of joint members when needed? (Ernie/Lambert disagree as to legal viability)
Ernie - we are speaking about 250 transactions per year - average (from memory)
Lambert volunteered to lead investigation

2.3 Support

Added by Iang.

notes offered into minutes by Iang, accepted:
1. *Propose changes*, ex-Iang, Michael as Team Leader.
  - Brief wrap-up: Guillaume resigned as Support t/l late 2009, and the board decided to put Iang in as temporary Support t/l.
  - I spent the next month or two restructuring Support into Triage + Support Engineers, documenting, bringing in approximately 8 new people (4 through ABC), and coordinating our channel to Arbitration Forum. Team now consists of 2 active SEs, Michael and Wolfgang, and 2 active Triage people, Joost and Nik. This is a good team, they are working well together, and they've shown they can solve problems in an effective way, while respecting Security Policy and other critical dox like DRP, CCA.
  - As I move forward, my time becomes less and less available. Rather than promise to redouble my efforts, I think it best to seize the moment and step aside. I've had discussions with the more experienced people, and we've all come to the same conclusion as to what to do next.
  - I therefore propose to Board that Michael Tänzer michael.taenzer@ be appointed team leader of the support term (formally Support Officer within the meaning of Security Policy). Oh, and I offer my resignation as support t/l
2. Plan for next few months: Although plans are always tricky when handing over to a new team leader, here's what I am putting on the table:
  1. continue to recruit new Triage members, assist them in, and upwards to the role of Support Engineer. Comment: although our long run daily requirements are around 2-4 Triage and 2-4 SEs, there are several subtleties about what we have to field this team. Firstly, there is a natural unavailability and drop-out rate. Secondly, many are recruited but choose not to follow through. Thirdly, Arbitration has an intention of recruiting our SEs for the CM role, so we naturally lose our experienced people to other teams. And, this is a good thing overall for CAcert. For these reasons, I think we need more people and continual recruiting.
  2. develop some OTRS training. It is difficult to master, it has a lot of confusing options, and it's a web-application. It seems to be working well, but we need some guidance in the sense of 1,2,3 steps for the new Triage member.
  3. develop enough understanding of our field to write a full Support Challenge under CATS. We have started (40 support questions), but it probably needs a few more months of work to develop more questions (say 100), then a coordinated effort with the Education Forum to roll it into CATS. I want to set this as a necessary step to becoming an SE.
  4. data retention practice. We hold a lot of data, some of it personally sensitive. Werner (our first SE) has started the ball rolling with a post on suggested data purging times. The team has to work through every type of data, every place, decide the times and process, and implement it. This meets a requirement in Security Policy.

2.3.a. Propose changes, ex-Iang, Michael as Team Leader.

Iang signalled that two more SEs are to be proposed but will talk to Michael about this.
Dan asks whether Michael is being proposed for Support Officer. Iang says yes, "Michael has done very well, he wrote the report for the team to the AGM report".
Dan asks for comments on Michael, and for a motion.
Ernie asks for a description of the workflow of the new OTRS system, and whether it complies with Security Policy. Iang says this does not exist, it is point 2.2.b in the notes submitted. Iang confirms it is needed, OTRS is difficult.
(Nick is reminded about the key persons list.)
Ernie asks whether OTRS complies with Security Policy. Iang: comply to SP: the Security Manual needs to list the channels and tools used. there is a potential question as to whether the OTRS should be a critical system (hosted by critical team). I'm not so keen on doing that, but it's a question to ask.
Iang: There is also a question on the table as to whether Triage people should be fully under Security Policy including with respect to ABC. dan: is that a policy group question?
Ernie asks about the Support Challenge. iang: Support Challenge: my vision here is to create a new Challenge alongside the Assurance Challenge.
Ernie asks for a description about the system and security about this system. Iang suggests he will ask the team.
Ernie asks who are the administrators for the OTRS system. Answer from several: Nick and Mario, with Iang (team leader) as "application administrator" within the software package.
Ernie asks who will handle/control access control for roles and permissions. Iang: The SP places critical system team leader in control of access control for critical systems. Lambert: OTRS is part of the infrastructure group? Iang: yes.
Ernie suggests that the system should have different roles/permissions to control who has access to which data, and this needs to be written down, since support has access to private data.
Iang: the fundamental assumption is that the team leader is responsible for managing who has access to the OTRS system. However the team leader's notes are a bit behind in this respect because OTRS is new. The team leader's notes will be updated as I hand the team over to Michael.
dan asks whether OTRS is compliant with SP and SM, and whether there is a plan in place to clarify Triage persons roles under policy?
Iang is unsure whether SP speaks directly to OTRS, as it didn't really comment on the mail system. But will check.
Iang: On Triage, in a debate to the policy group, I outlined how and why I was going forward to add Triage people without them being covered by ABC. There were no objections at the time. However, some have said we need to re-visit that.
Lambert: asks for confirmation that Support Team Leader (incoming or outgoing will update the notes on access. Iang: confirmed. Lambert: thanks.
Nick proposed that Michael be appointed as support team leader and that iang's resignation as support team leader be accepted.
Chair raises the motion again. Lambert seconds. 5 Ayes, one absent. Chair declares the motion carried as m20100222.1.

2.4 Assurance

Added by Iang.

notes offered into minutes by Iang, accepted.
Iang proposes we accept Sebastian's resignation as Assurance team leader, and thank him for steering the ship over the last year. Sebastian remains on the Assurance team! And, I propose we appoint Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy.
Nick seconds, 5 ayes. Iang forgot to say Aye, and added his after the meeting. Motion carried as m20100222.2.
Dan asks what duty the role carries out. Allocation of administrative increases of experience points, Assurance Policy and subsidiary policy work.
Ernie asks if Ulrich is both Event and Assurance Officer. Iang remarks that this was a missing element, and he had intended to propose Walter as Event Officer.
Dan asks whether there is a problem with both, no problem seen.
Iang says he plans to propose something to next board meeting to fill the omission. Dan says, or on the list.

2.5 Software

Added by Iang.

notes offered into minutes by Iang, accepted.
dan comments a lot going on. What is the board business.
iang summarises: do we propose new people into Software Assessment? This complicated question discussed in point 3. Philipp G hasn't the time to build / run the new team, although he has done a good job holding the fort over last 2-3 years.
iang: I don't see right now that we have a clear candidate so to some extent it falls to us as board to fill that role in. Hence, we should appoint new Software Assessment people as and when they are available.
dan: they are the gatekeepers to production system? iang: yes, under SP we need two people to review patches.
ernie: which people? iang: Philipp G is member of the team now, and Markus W is proposed.
Iang proposes, that, Markus Warg, having completed the ABC check, be appointed to Software Assessment team, as documented under Security Policy.
Nick seconds, all in favour. Motion carried as m20100222.3.
no more discussion on other items on agenda, all accepted.

2.6 Sysadm / Critical / Infra

- added by Iang
1. status of infrastructure, VM hosting news. https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00074.html
2. teams & growth -
  - dan's response
  - iang: Was referring to Annual Report of Wytze asking for more team members
3. access team / leader
  - Need to transfer access team and leader to CAcert from Oophanga to be auditable and its what the Security Policy says
  - Bas volunteered to become Access Team leader.
4. infrastructure team / leader Iang added late, may prefer to defer this to next agenda.
  - Deferred to need meeting
5. incident & recovery functions
  1. Daniel - has outstanding action item - to get the key contacts distributed automated
  2. notes offered by Daniel
  3. notes offered by Iang
  4. Few action items around root escrow and recovery discussion on cacert-roots lists

2.7 Other Issues - Smoke not yet Fire!

- added by Iang
1. conflict of interest
2. New Root
3. Funding.
4. Audit work
5. Mission
6. Message: how can you help?
7. Client certs
8. Association Membership composition / Assurers / Fee
- by listing them, we can encourage those who are thinking about the to pick them up. - defer these till later

3.0 Questions from floor

3.1 Questions from floor - CoI / ABC

Ulrich - CoI - I've started this point 'cause there is a problem in this area
1. ABC - this leads to points where CoIs are possible, people aren't aware of it
  1. uli - ABC with a defined set of questions ... the results in a CoI ranking ... the result can be added to the register or not
2. ABC - for other areas - e.g board, arbitrators ?
  1. dan - if arbitrators are not covered by a ABC then i guess its a policy question
  2. dan - as for ABC of the board - its an elected official so I don't this an arbitrator (ABC) can overturn the election of an official (iang notes DR arbitration ruling)
3. procedures on COI
  1. if I had a CoI ... to whom I send this ?
  2. who decides over it ?
    1. iang - Community Principles - "We reveal our conflicts of interest, for the community to judge. "
    2. dan - for team leads i think its fair to report to the board as they were responsible for the appointment and delegation of function
  3. where is the register ?
    1. Lambert- I'd say given the official structure the secretary is the one to create/update the register
    2. iang - Arbitrators agreed, we could combine the registries for convenience
    3. Ernie/Lambert - need data protection here
  1. what is a CoI
    1. Lambert - starting with a list of potential CoI's as guideline might be usefull.
    2. Dan - Association Act defines it for board members and procedures too
4. iang: to be pragmatic about this ... I'm keen to see where the Arbitrators take this. T
5. dan: discussion can continue on a list somewhere. lets close this meeting

3.1 Questions from floor - New Roots

Ulrich: ref: 2.7 d audit work; with the root keys motion ... is there expected to get the audit running before end of this year ?
All have action item to confirm this.

3.1 Questions from floor - Arbitratiors

Ulrich: arbitrators ... we have about 60 open arb cases and we've lost again 2 abritrators to board
so the current working board motion boardmember vs. arbitrator is a blocking factor
we had much arb cases, where arb=boardmember can handle w/o CoI
Iang: (to Dan) put it on the agenda for next meeting to debate this and perhaps overturn the motion?

Action Item Summary

Action	Who	Time ref from transcript
Provide progress on financial lodgement and other post AGM Public Officer duties	Mark	21:13:46
Provide statement of future direction to board list	ALL	21:18:51 / 23:27:28
news on payments, payment facilities, signatories, bank statements	Mark	21:20:21
letter to former public officer	Mark	21:21:53
write up heading of board-private-list from last meeting 20100221 to the prior one	Mario	21:24:12
Find out from US bankers whats required to open an account	Nick	21:36:17
Examine willingness and legalities of using other organisations to provide alternate payment mechanisms	Ian	21:38:22 / 21:46:10
Prepare summary of payment options / investigation for association	Lambert	21:43:41
Access control in OTRS (support system) needs to be defined	TL support	21:58:41
Report on Compliance of OTRS with SP	Ian	22:02:25
Propose Walter (??) as Events Officer as out of band motion	Ian	22:13:35
Triage personell not covered by ABC - revisit on policy list	Ian	21:04:11
Keypersons list, finish the excel spreadsheet and emailing it out	Nick	21:52:02
letter to Oophanga to include access team transfer	Mark	22:32:17
discuss team leadership with access team	Ian	22:34:19
Get key contacts distributed automatically for DR	Daniel	22:49:09
Contribute towards root escrow / recover discussion	ALL	22:49:43
Wikify the proposals and root escrow procedures by 20100228	Daniel	22:51:18
Comment and report on the key escrow proposals by a week after Daniel writes them up	ALL	22:51:52
Write up minutes of 20100221	Nick	22:40:38

Decisions Reached by Motion including Update since last Committee Meeting - Overview

mYYYYMMDD.# - Title of Motion

Meeting Transcript

(log is in GMT+1)

(21:51:56) dan: yawn - gm all
(21:52:13) dan: thanks for the notes iang
(21:52:18) dan: much appreciated.
(21:54:30) law [law@w1712.wlan.rz.tu-bs.de] hat den Raum betreten.
(21:54:34) law: hi
(21:54:51) dan: gm
(21:55:33) ernie: hi everybody
(21:56:03) ernie: dan, which notes?
(21:56:29) dan: the emails on the board list giving more info about the agenda
(21:56:53) ernie: dan, when? I haven't read today afternoon we are out
(21:57:04) dan: ~5hrs ago
(21:57:45) ernie: haven't read - BTW we have agreed 48 hours before the meeting the infos will be given
(21:58:03) law: Have no access to recent mails. My mailserver crashed on saturday morning.
(21:58:39) ernie: that's the reason why we agreed 48 hours before :-)
(21:59:18) iang: hi all
(22:00:06) dan: law: https://lists.cacert.org/wws/arc/cacert-board
(22:00:07) iang: yes, apologies, I saw Dan's mail on Friday but was not able to respond until this afternoon
(22:01:38) iang: what I was doing in the past meetings was pasting in prepared notes in some agenda items into the meeting directly ... so instead this time I posted them in the mails to the board list
(22:02:20) ernie: iang, I prefer wiki - inside to the agenda and link on mailinglist
(22:02:41) ernie: on the mailing-list it's not very structured
(22:03:03) dan: i like it how you've done it iang - makes it a little more available to the community
(22:03:22) ernie: dan, - this also - agree
(22:03:51) ernie: but to follow up the things in mettings it's better also to have it in sturcture - also for the minutes
(22:04:29) dan: i hope you didn't mind me asking - i just read the agenda and had no idea what direction/point of view was being discussed
(22:05:48) iang: i don't mind any questions posted on the lists :) I'm actually uncomfortable with how we do things and would prefer it as you suggest ... but it hasn't really worked in the past, so I adopted another way which was to post the prepared notes into the meeting
(22:06:02) iang: 22:00++ ... who is here?  do we have a chair?
(22:06:29) ernie: iang, so bad it wasn0t working, as long people follow what we have agreed
(22:07:09) dan: ok - i'll chair. lets get going . meeting started ast 22:05
(22:07:14) law: am here. but actually otherwise busy...
(22:07:23) ernie: lambert?
(22:07:33) ernie: mark will not come
(22:07:38) dan: appolgies in from mark
(22:07:56) dan: lambert = Q
(22:08:44) dan: point of order - 4 board members oviously active - calling that a quorum
(22:09:05) dan: 1.2 accept previous minutes? any alterations?
(22:09:05) iang: yes we have a quorum
(22:09:24) dan: any objections?
(22:09:40) Q: Hi all
(22:09:42) iang: I have no objections, move we accept
(22:10:00) dan: aye on accept (hey i wrote them )
(22:10:04) law: aye
(22:10:05) ernie: aye
(22:10:14) iang: and aye
(22:10:25) dan: 1.3 progress on action items
(22:10:40) iang: point of order:  now president is here, do we wish to change the chair?
(22:10:48) Q: Excuses, I have 23.00 in my schedule
(22:10:49) iang: I have no objection to carrying on!
(22:10:56) Q: (Lambert)
(22:11:07) Q: So sorry for being late
(22:11:30) dan: ok - don't know were mark is up to - i did sign the financial lodgement statement.
(22:12:24) dan: mark agreed to write a oophanga letter and i don't think we've given enough of a board direction - lets revist board/community goals on list
(22:12:30) Q: Regarding chair: dan, could you please continue, will pick up next meeting
(22:12:40) dan: ack
(22:12:59) dan: we'll carry th unfinished action items over.
(22:13:04) iang: what is the "financial lodgemeent statement" ?
(22:13:26) dan: lodging to the office of fair trading our balance sheet
(22:13:31) ernie: iang - we have to fill in a duty of the public officer
(22:13:45) ernie: iang, after an agm
(22:13:55) dan: i signed on behalf of the board - its all with mark now.
(22:13:58) ernie: iang, as usual in real life
(22:14:27) iang: ok, but when you say "signed", does the OFT accept it signed by someone other than PO?
(22:14:34) iang: or is this an electronic delivery?
(22:14:44) ernie: iang, yes
(22:14:51) ernie: iang, yes
(22:14:56) dan: it has to be siged by two board members as well. I signed a paper copy
(22:15:13) dan: lets ask mark for the full details later
(22:15:16) iang: ok
(22:15:19) ernie: dan, you can also do electronic-way
(22:15:41) dan: 1.4 - board-private-list summary - can we have a volunteer for that?
(22:16:14) iang: I'm still wondering about this list 1.3
(22:16:20) Q: Dan, questionL what about the Oophaga letter (part of 1.3)
(22:16:37) dan: ok back to 1.3
(22:16:42) iang: do we have any comments from Mark about actions completed?  I have pinged him about it and got an indication that he was busy
(22:16:53) iang: and ...Mark inherited the lion's share here.
(22:17:18) dan: mark was to write something however given it was giving cacert direction and not much has been said about this years goals
(22:17:21) ernie: other point, we haven't spoken last time about the next steps
(22:17:30) iang: ernie: nod
(22:17:42) Q1 [Q@k30092.upc-k.chello.nl] hat den Raum betreten.
(22:17:59) iang: dan above says: "mark agreed to write a oophanga letter and i don't think we've given enough of a board direction - lets revist board/community goals on list"
(22:18:17) Q1: (SORRY, CONNECTION PROBLEM, WHAT DID I MISS?)
(22:18:20) ernie: iang, that is what I'm thining 
(22:18:24) Q1: (sorry for caps)
(22:18:35) iang: I agree with that, I don't think we can do much else.  What I would suggest is that someone copies the annual report comment on "future" and we start from there?
(22:18:49) ernie: iang, a little bit less 
(22:19:08) ernie: we have once to define this steps - and this now - not in six month
(22:19:17) iang: (missing lines sent to Q in private chat)
(22:19:22) Q hat den Raum verlassen (quit: Ping timeout: 180 seconds).
(22:19:43) iang: well, that would be in response to the starting point
(22:20:09) iang: e.g., we copy what was said in the annual report into a mail to board list and then start commenting.  Another possibility is to start a wiki page on it.
(22:20:17) dan: yep good starting point. ACTION all - do last action item - comment on board direction in the next 5 days
(22:20:24) iang: i really don't mind how it is done, just suggesting a way to start
(22:20:36) ernie: iang - prefer wiki - btter to follow up
(22:20:43) iang: ok
(22:20:57) iang: so that's the Oophaga letter.
(22:21:18) dan: the response to them that they send to us last year
(22:21:47) iang: is there any news on payments, payment facilities, signatories, bank statements?
(22:21:59) ernie: mark is not here
(22:22:13) ernie: I haven't heared something
(22:22:22) iang: so, no news.  OK.
(22:22:24) ernie: iang, did he made your payment
(22:22:30) dan: lets get mark to fill out the action item table later.
(22:22:44) iang: actually this I don't know, haven't looked in to the bank account, I've also been remiss on this.
(22:22:46) ernie: statements he sent to me
(22:22:51) dan: any other action item discussions?
(22:22:59) iang: ah so statements are complete.  That's one checkbox.
(22:23:19) iang: yes, one more:  letter to former public officer?  I'm guessing no action?
(22:23:27) iang: s/action/news of action/
(22:23:37) dan: don't know
(22:23:44) dan: lets get mark to fill out the action item table later.
(22:24:21) dan: ok - 1.4 board private summary - do have have a volunteer to do it?
(22:24:32) iang: ok, are we agreed to add the action item table to the procedure?  I'm fine with it, it is very useful.
(22:24:48) dan: if mario's not looking i thinks its fair to voluneer him :-) 
(22:25:14) law: I could write a summary of board-private.. (if i got it right)
(22:25:22) dan: thanks :-)
(22:25:37) law: since when?
(22:25:38) iang: law:  the thing is to add a list of Date/Who/Subject only
(22:25:45) ernie: law - last meeting
(22:25:47) iang: not a summary ... although I don't object if you do :)
(22:26:35) dan: 2.1 - payment authorities  - iang you mentioned this in passing last meeting - i wasn't sure what this was about?
(22:26:53) iang: i'm not sure either, I was hoping you could clarify what that was :-)
(22:27:16) dan: in the text it was 'i'll talk more next board meeting'
(22:27:22) iang: it may be that following the rule change we the board have to formally authorise who in the membership can make a payment
(22:27:31) ernie: we said, we will handle after the bank have done the "old" thing
(22:27:45) ernie: because mark said, bank will be confused
(22:27:45) iang: it also may refer to Paypal, which we've not really discussed in a while.
(22:27:47) dan: we probably covered that last meeting - hope the bank buracrasy works
(22:28:07) Q1: ernie:seems like the right way, first get it solved (the old way", then assign someone
(22:28:10) iang: ah.  so this is the issue of adding more signatories after the bank has finally done its stuff.
(22:28:20) ernie: Q1, agree
(22:28:35) iang: so it  can be deferred to next meeting.
(22:28:42) ernie: iang, we agreed this last meeting 
(22:28:44) dan: ok
(22:28:54) dan: 2.2 agm resolution - cost of payment facilities
(22:29:24) ernie: our costs are not to high
(22:29:33) iang: non-binding resolution asking us the board to look at it.  I wrote this resolution so as to test the community's degree of unhappiness with the current situation.
(22:29:59) iang: ernie:  it is the member's costs ... the paypal and transfer problems
(22:30:01) dan: what do you make of the result: agm20100130.5.1 Aye 23 Naye 10 (Abstain 7) 
(22:30:07) Q1: I guess one of us has to look into it and report back: current cost, cost of alternative.
(22:30:18) ernie: iang, one is always paying the bank-fees
(22:30:19) Q1: Both for CAcert, and for (majority of) members
(22:30:41) ernie: Q1, I wrote already in the annual report
(22:30:45) iang: I would say that many northern hemisphere people would be more comfortable with a regional account.  Paypal works for many, but I note that many members I know ask me to pay
(22:31:14) ernie: iang, we have not so many volumina -
(22:31:18) iang: Q1:  yes.  I'm wondering whether we can also share the task out
(22:31:21) ernie: you cann't split over the world
(22:31:24) Q1: ernie: you already have such an overview?
(22:31:53) ernie: Q1, I wrote already what us costs one transaction - in the report you see the fees for the whole year
(22:31:54) iang: in that ... one way to further test the feeling is to ask the people who are upset to do the research for us.
(22:32:06) iang: board can delegate this task, IMO
(22:32:19) ernie: iang, you dont' agree with the solution we have now - thats my feeling
(22:32:26) ernie: iang, think not 
(22:32:46) iang: well, as a representative of the members, I hear lots who don't like it.
(22:32:54) nb_ [nb@67-207-150-49.slicehost.net] hat den Raum betreten.
(22:32:56) iang: personally I'm fine with it because I have an Australian account.
(22:33:07) ernie: we get payments out of 31 countries - and this you cann't split over the world
(22:33:09) #board-meeting: Modus (+o nb) von nb_
(22:33:11) #board-meeting: Modus (+o iang) von nb_
(22:33:12) iang: and I don't use Paypal.  I sympathise with the complaints
(22:33:13) #board-meeting: Modus (+o ernie) von nb_
(22:33:13) Q1: ernie: you included current cost, did it also include cost of an alternative?
(22:33:17) #board-meeting: Modus (+o dan) von nb_
(22:33:30) #board-meeting: Modus (+o Q1) von nb_
(22:33:43) Q1: ernie: if so, we can use that. I agree that adding accounts is expensive, 
(22:33:52) ***nb_ is only kind of here, have to leave for a special event at church in about a hour
(22:33:59) Q1: ernie: so it's best to address this with numbers
(22:33:59) iang: Sure, but around half of the members are in Europe, and this we can concentrate
(22:34:07) ernie: Q1, the alternatives will costs us not less, but more work - somebody has to collect when we ahve to pay
(22:34:21) ernie: Q1, and we have administrate
(22:34:34) iang: Q1: nod.  I think it is a matter of doing some research.  If it is too expensive, then that's the time to deal with it, when we have numbers on the table.
(22:34:35) ***nb_ would be in favor of opening a US account, although that wouldn't really gain a whole lot since wire transfers are expensive even sending to another US bank
(22:35:13) ernie: other point is, cacert cann't open as cacert all over the world accounts
(22:35:18) Q1: iang: it's my expectation that it will cost a lot (and as such I agree with ernie) but we'll have to "show the numbers"
(22:35:24) ernie: we haven't a location in several countries
(22:35:25) nb_: ernie, why not?
(22:35:30) iang: nb_: that's the sort of comment we need, how much does that cost, and what's the most pan-USA account?
(22:35:44) nb_: iang, my credit union is part of a network of shared branches that go all over the USA
(22:35:45) dan: if we incur extra expences  i'd be asking our membership to cover it/
(22:35:46) nb_: and it is free
(22:35:49) Q1: nb: you need local precense
(22:35:51) nb_: all we would have to pay is for checks
(22:36:09) nb_: no banking fees as long as we don't write over 30 checks a month
(22:36:24) nb_: no fees to us, rather
(22:36:31) iang: hmm... checks are still common in USA?  What is the deposit cost in all the various states?
(22:36:39) dan: how much is an internalional t/fer cost?
(22:36:39) ernie: nb, but we don't have a legal location in us
(22:36:46) Q1: nb: who would be able to provide such info? 
(22:37:02) ernie: dan, depends from the country and bank and which kind of transfer
(22:37:03) iang: i don't think a legal presence is needed to open a bank account in USA
(22:37:07) nb_: iang, i don't either
(22:37:11) iang: but it might have changed in the last few years
(22:37:12) ernie: iang, it is
(22:37:17) iang: dunno, need to check
(22:37:25) iang: ernie: ok, do you know when that changed?
(22:37:33) ernie: iang, as in other countries too if you have an account as cacert
(22:37:43) nb_: ernie, iang Q1 dan does anyone object to me asking one of the bankers for more info?
(22:37:50) Q1: In general, I guess the best way to address this is to come up with an overview, showing what is possible and what not (for instance: an account in a country where we have no legal precense) and the costs of all the alternatives
(22:38:14) iang: nb_:  I agree, research is good.  Q1: yes
(22:38:17) ernie: it is a business-account and not a private account
(22:38:24) dan: nb: by all means get more info
(22:38:45) Q1: Yes, make sure whoever checks is checking for a business account
(22:38:51) ernie: and other point, how easy you could transfer from a business-account USD to an other country
(22:39:10) nb_: we would need a mailing address in the US (which could be provided by a cheap PO Box which costs about $40/year
(22:39:12) dan: do we have a cacert-eu association that can wire us money on behalf of joint  members when needed?
(22:39:30) nb_: and if i, or whoever is in charge of the US side, is no longer involved, mail can be forwarded for a 1 yr period for free
(22:39:33) nb_: to another US address
(22:39:34) ernie: Q1, without legal location in this country!
(22:39:35) iang: dan:  yes, there are 3-4 possibilities
(22:39:48) dan: cool - can you ask them ?
(22:39:48) iang: Oophaga, secure-u in DE, Sonance in Austria
(22:40:11) ernie: iang, ahh - we put on other accoutn our money
(22:40:12) iang: Oophaga:  is something we should put into the letter to them.
(22:40:25) dan: would there be much overlap in membership there?
(22:40:25) iang: Sonance would be amenable to helping out, I think.
(22:40:27) ernie: we have no controll on such accounts what people really paid in there
(22:40:32) iang: Secure-u is somewhat quiet and uncertain.
(22:40:47) ernie: accounts not in our name, are not leagal binding to us
(22:40:53) iang: ernie: right, these are all discussions to be had
(22:41:06) law: secure-u exists. but is kind of inactive - lacking active members i think.
(22:41:14) Q1: Sorry, I have to agree with ernie, we cannot just rely on others to provide financial services, that will be frowned upon
(22:41:15) dan: we'd want them to t/fer to us when memberships are finalised.
(22:41:35) iang: in technical terms there is little difference between Oophaga and Sonance ... they are either very close to CAcert or slightly close to CAcert ... but they are *NOT* CAcert
(22:42:00) iang: Q1: sure.  just answering Dan's question as to what's out there :)
(22:42:32) ernie: Q1, we cann't do this - is no way
(22:42:32) nb_: iang, dan Q1 ernie law I am semi-here right now, must go outside for a minute, will check back in shortly
(22:42:36) dan: just looking for options without an adminstrative or financial impeedance that goes some way to forfilling need
(22:42:37) law: Would a german account be an option? I would get some information then. What AU bank do we actually have, was it westpac?
(22:42:50) dan: yes - westpac
(22:42:58) nb_: FYI credit union I use (and has good business accounts too) is http://www.etfcu.org
(22:43:07) nb_: they are part of the CU Service Centers network which is nationwide
(22:43:16) iang: so ... shall we take it offline and confer when we get more info?
(22:43:23) Q1: This discussion is good, but not getting us answers. Do we have volunteers that can report back next meeting?
(22:43:29) ernie: and we are speaking about 250 transactions per year - average - mhh forgot
(22:43:31) nb_: Q1, yes, i will look into US options
(22:43:55) law: Deutsche Bank has good contracts with westpac I think - at least for withdrawing money with card at westpac.
(22:44:07) dan: ok - nick for us options.
(22:44:14) ernie: law - not really - only transaction bank
(22:44:25) ernie: westpac has only in london
(22:44:27) Q1: Ok, NB to look into US options, law, iang, can you check for european options?
(22:44:56) Q1: We'll then compare with data from ernie, and see what we're missing
(22:45:07) Q1: I volunteer to lead this
(22:45:22) dan: is utilising a third party organisation viable/desirable?
(22:45:30) iang: Q1:  I doubt I can do that so well as others, wrong languages on bank account sites ... but I can help to ask around.
(22:45:41) Q1: That would be part of the discussion 
(22:45:49) Q1: iang: ok
(22:46:05) iang: but I think we've established the basics here
(22:46:06) ernie: dan - how you mean this
(22:46:48) dan: is asking oophaga, secure-u in DE, Sonance in Austria to handle transaction something we even want to consider?
(22:47:36) iang: dan:  we can consider it ... but there are issues to work through.  They might have to be members of the association according to one reading of the rules.
(22:47:39) ernie: dan - no
(22:47:40) Q1: dan: I'd say that is something ernie can look into from a legal point of view
(22:47:49) Q1: I expect this to be an issue
(22:47:53) iang: and there would need to be a contract and reporting as well
(22:47:54) ernie: Q1, I must not look - I know :-)
(22:48:32) dan: ok - that should cover it - few action items there. move on?
(22:48:46) Q1: ok
(22:48:56) dan: 2.3 support - ian
(22:49:13) ernie: iang, you cann't handle with a contract
(22:49:22) iang: I posted the notes here:  https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00070.html
(22:50:11) iang: can we assume them as read into the minutes?  or do I have to bomb the IRC with them :)
(22:50:21) dan: please don't
(22:50:23) Q1: I read them
(22:51:17) dan: thanks for the background / plan. good to see what going on.
(22:51:37) iang: small addition:  add to 2.a, I think I can propose two new SEs, but I think I'll talk to Michael about this, pending 1.
(22:52:05) dan: so you want Micheal T?nzer as team lead/
(22:52:06) dan: ?
(22:52:28) iang: Yes.  I've talked this over with Wolfgang and with Ulrich, and we're agreed on this
(22:52:41) iang: Michael has done very well, he wrote the report for the team to the AGM report
(22:52:55) ernie: reagrsing OTRS - since this system is new - where is description how the workflow from the support is in the system
(22:53:04) ernie: and how does it comply to the SP
(22:53:13) iang: he's also got lots of time over next 2 months as he is a student at Uni
(22:53:28) nb_: RE: Keypersons list, I need to finish the excel spreadsheet i was making and emailing it out
(22:53:36) nb_: i kind of forgot about it, my apologies
(22:53:45) iang: OTRS:  workflow description doesn't exist, this is 2.b
(22:54:24) ernie: support challenge - which kind of challenge
(22:54:25) dan: can we get team lead out of the way first - i'm happy for michael to be tl
(22:54:27) iang: it is very needed in my opinion, I find OTRS hard to get into.  But Michael and others haven't had as much trouble it seems
(22:55:28) iang: comply to SP:  the Security Manual needs to list the channels and tools used.  there is a potential question as to whether the OTRS should be a critical system (hosted by critical team).
(22:55:37) iang: I'm not so keen on doing that, but it's a question to ask.
(22:55:38) dan: anyone want to put comments about michael here? Then put a resolution on the board voting system?
(22:55:39) ernie: iang I'm expecting since we have changed from email to OTRS, that we have a description about the system and security about this system
(22:56:08) iang: There is also a question on the table as to whether Triage people should be fully under Security Policy including with respect to ABC.
(22:56:49) ***nb_ moves the Michael be appointed as support team leader and that iang's resignation as support team leader be accepted
(22:56:51) dan: is that a policy group question?
(22:56:52) iang: ernie:  ok.  we can put that to the team, and provide something
(22:56:52) ernie: iang, who is admin for OTRS
(22:57:02) iang: Nick and Mario are admins for OTRS
(22:57:02) nb_: ernie, law, iang and myself
(22:57:03) nb_: iirc
(22:57:29) ernie: iang, and who will handle accesscontroll 
(22:57:30) law: right. bas stepped back. but have not heard from him anything till then.
(22:57:41) iang: (ok, yes, I have an *application admin* account ... but Nick and Mario have the access to the underlying system I think.)
(22:57:45) ernie: iang, rols and permissions on the system
(22:58:13) nb_: iang, true
(22:58:28) iang: technically, the SP says that critical system team leader is in control of access control I think from memory
(22:58:46) iang: but at the moment, roles and permissions are:  Mario, Nick, myself.
(22:58:56) ***nb_ and law have access to the actual server, and law and iang and I have access to admin features in OTRS (like adding new users)
(22:59:02) nb_: ernie, ^^
(22:59:12) ernie: iang, support has also different rols and permissions - who controlls
(22:59:33) iang: do you mean, who controls the roles and permissions of user accounts?  All SEs have that feature.
(23:00:03) iang: SE== Security Engineer
(23:00:07) ernie: iang, normally you have in a system different rols and permission to controll who has access to which
(23:00:18) Q1: (just verifying: the OTRS is part of CAcert non-critical, right? Not like fiddle.it?)
(23:00:28) ernie: and this must be written down - since at the support also private datas will behandled
(23:00:39) iang: OTRS is a CAcert infrastructure system, yes.  Not a community thing
(23:01:03) ernie: iang, you are wmixing up something OTRS is used to handle support
(23:01:22) ernie: iang, and is not only infrstructure
(23:01:49) iang: i don't follow your question
(23:02:46) iang: there is a basic set of instructions for adding the access for new team members (Triage and SEs) on the team leader's page
(23:02:53) iang: https://wiki.cacert.org/Brain/Support/TeamLeader
(23:03:13) iang: the fundamental assumption is that the team leader is responsible for managing who has access to the OTRS system.
(23:03:49) iang: however the team leader's notes are a bit behind in this respect because OTRS is new.  The team leader's notes will be updated as I hand the team over to Michael.
(23:03:51) dan: is the otrs compliant with SP and SM? is there a plan in place to clarify Triage persons  roles under policy?
(23:04:37) iang: I do not know whether SP speaks directly to OTRS.  It didn't really comment about the mail system ... either way we can look at this and report back.
(23:05:00) dan: sounds good.
(23:05:13) iang: Triage persons:  in a debate to the policy group, I outlined how and why I was going forward to add Triage people without them being covered by ABC.  There were no objections at the time.
(23:05:37) iang: However, some have said we need to re-visit that.  We can do that ... it's on the list somewhere
(23:05:56) dan: thanks.
(23:06:08) dan: any more support question?
(23:06:11) doris [doris@85-127-106-15.dynamic.xdsl-line.inode.at] hat den Raum betreten.
(23:06:48) dan: 2.4 assurance
(23:06:51) nb_: did we vote on the STL appointment
(23:06:51) Q1: iang: do I understand correctly that you (or Michael) will update the notes on access?
(23:06:55) ***nb_ made a motion for it
(23:06:56) iang: Support Challenge:  my vision here is to create a new Challenge alongside the Assuracen challenge.
(23:07:06) iang: Q1: yes we will do that
(23:07:16) Q1: iang: thanks#
(23:07:24) iang: Chair:  I think we still need a motion on the team leader
(23:07:44) dan: ok - is that want nick made a motion for?
(23:07:44) Q1: I second nb's motion
(23:07:45) iang: I second Nick's motion
(23:08:14) iang: perhaps I should abstain as it is about me
(23:08:31) dan: motion: whos' in favour of michael tanzer's appointment as Support TLs?
(23:08:41) dan: aye
(23:08:43) law: aye
(23:08:45) Q1: aye
(23:08:51) dan: iang: i don't think you need to abstain
(23:09:37) nb_: aye
(23:09:45) iang: dan: yes, I know .. I'm not sure what is more anal here, abstaining or voting Aye to my own resignation & replacement :)
(23:09:57) iang: Aye, for happiness and long life
(23:10:06) nb hat den Raum verlassen (quit: Killed (nb_ (nb))).
(23:10:07) nb_ heißt jetzt nb
(23:10:16) #board-meeting: Modus (+o nb) von nb
(23:10:20) dan: ok passed - next item
(23:10:25) #board-meeting: Modus (+o law) von nb
(23:10:26) dan: 3.4 assurance
(23:10:29) dan: 2.4*
(23:10:30) nb: law, sorry, forgot to op you too
(23:10:33) nb_ [nb@delta.bebout.net] hat den Raum betreten.
(23:10:55) dan: this looks more of a community report - which is good. is there board business here?
(23:10:57) iang: my notes offered: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00071.html
(23:11:09) iang: yes, part 5
(23:11:30) dan: ok - thanks for the communtiy report - now 2.4.e.....
(23:11:39) iang: I propose (and move) that we accept Sebastian's resignation as Assurance team leader, and thank him for steering the ship over the last year. Sebastian remains on the Assurance team! And, I propose we appoint Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy. 
(23:11:57) nb: second
(23:11:59) nb: and aye
(23:12:07) Q1: aye
(23:12:07) iang: ah, misnumbered, 2.4.e == part 5 in mail
(23:12:19) dan: aye - 
(23:12:21) ernie: aye
(23:12:32) dan: (though I can't remember what the role includes)
(23:12:52) nb: dan, one duty is requesting the temporary (or permanent) administrative increases of experience points
(23:12:53) law: aye
(23:12:55) u601: dan: AP and policy work
(23:12:58) nb: which iirc we have only used once recently for two people
(23:13:00) iang: Assurance Officer?  basically managing the exceptions, "super" assurance requests, etc.
(23:13:05) ernie: is uli now event and assurance-officer?
(23:13:16) iang: ah.
(23:13:20) iang: darn, good point
(23:13:35) dan: np - was an off hand comment - thansk for the info.
(23:13:44) iang: missing element.  We did lots of talking on this, and we want to propose Walter as Events officer.
(23:13:46) dan: is there a problem being both?
(23:14:09) ***nb sees no problem with being both
(23:14:11) iang: Ulrich is supposed to be resigning as Events Officer
(23:14:23) ernie: dan, not a problem - will only know 
(23:14:48) Q1: see no issue, apart from available time (but Uli seems to have enough :-) )
(23:14:50) iang: ok.  thinking about this.. I haven't written anything up here ... so I'll signal that I'll propose this for next board meeting.
(23:14:54) dan: iang: can postpone that to an out of band motion - i've no objection but no notice was given for it
(23:15:01) iang: dan: correct
(23:15:18) iang: and time is not really at issue here, the people doing the jobs are doing the jobs, and face no real blockages atm
(23:15:34) dan: ok 2.5 software?
(23:16:00) iang: notes by Dan on software:  https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00066.html
(23:16:13) iang: notes by Iang on software: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00074.html
(23:16:47) iang: ooops, wrong notes :-( apologies
(23:16:47) dan: er - those werer the sysadmin ones
(23:17:02) dan: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00073.html by iang
(23:18:10) iang: also a report by Markus: https://lists.cacert.org/wws/arc/cacert-devel/2010-02/msg00010.html
(23:18:55) dan: good - lot going on - good to see Markus making progress.
(23:19:25) dan: board business here?
(23:19:45) iang: Markus is now ABC'd.  Dirk will be done soon (can't promise that, up to Arbitrator)
(23:20:04) iang: question for board is whether we propose these people through as software assessment team members
(23:20:38) iang: this is a complicated question that is discussed in 3. in that post
(23:21:12) iang: basically, Philipp G should be doing this, but he hasn't the time.  I spoke to him today, and he mentioned that he hadn't the time to advance any of these things in the last few weeks.
(23:22:11) iang: the thing that we have to do is build a new software team with a new team leader who is capable of building / running a large, spread, complicated team ... PG isn't really the man for that job
(23:22:23) iang: although he has done a good job holding the fort for the last few years.
(23:22:50) iang: I don't see right now that we have a clear candidate so to some extent it falls to us as board to fill that role in
(23:22:54) Q1: iang: ok, so what is now needed from the board?
(23:23:20) iang: hence I suggest we think about appointing the new Software Assessment people as and when they are available.
(23:23:49) iang: Today, Markus has gone through ABC.  Next few weeks, Dirk.  Others to follow
(23:23:50) dan: assement - so basicly the gatekeepers to the production system?
(23:23:54) ernie: iang, from which people we are speaking here?
(23:24:11) iang: this gets us to the point where PG and Markus can then oversee the patches into the production system.
(23:24:43) iang: people;  Philipp G (now) and Markus W (proposed) as software assessment.
(23:24:53) iang: Under SP we need to have two people to review the code patches
(23:25:12) iang: dan: yes.
(23:26:33) iang: other questions?
(23:27:25) dan: nope - sounds fair that they review patches and pass the to the critical team for deployment
(23:27:33) iang: Motion that Markus Warg, having completed the ABC check, be appointed to Software Assessment team, as documented under Security Policy.
(23:27:38) nb: second
(23:27:39) nb: aye
(23:27:42) Q1: aye
(23:27:42) dan: aye
(23:28:36) ernie: aye
(23:28:44) iang: aye
(23:28:50) law: aye
(23:29:06) dan: ok - next item 2.6 System / Crital /Infra
(23:29:13) dan: Critical*
(23:29:54) dan: a) good status report https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00074.html
(23:30:53) dan: b) teams and  growth
(23:31:20) dan: i've answered my views on list 
(23:31:28) dan: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00066.html
(23:31:44) dan: c) -access team leader
(23:32:00) iang: Wytze wrote in his annual report one line item, to grow the team.  We discussed it briefly afterwards and didn't have a form conclusion.  It could be seen as a general recruiting invitation .. to others like the ATE crowd
(23:32:55) iang: yes, "access team".   this is relatively new business for the board.  Because of Security Policy, the transfer is in place "rules based".
(23:33:28) iang: however in the past it was never really discussed ... probably because of events.
(23:33:43) iang: I would suggest it is something to put into the letter to Oophaga
(23:33:53) ernie: iang, in the past in an other way was worked 
(23:34:19) Q1: iang: please explain? You mean the discussion regarding who's leading the access team?
(23:34:44) iang: and I'd ask them to discuss team leaders.  Bas wrote me privately and volunteered himself .. I'd ask the other team members to agree to that first
(23:35:05) iang: nothing about the Access Team was much discussed in the past.
(23:35:28) iang: The Team was working, and working well, it was one of the first things that Teus set up.  So there was less of a need to discuss.
(23:35:59) iang: when I was reviewing systems in audit visit, I did review the Security Policy with Hans (access team member) and he was very happy with it and confirmed his agreement to me.
(23:36:16) iang: I was planning to do the same with Rudi, Rudi, and Bas, but no opportunity.
(23:36:23) dan: agreement of tl or transfer
(23:36:42) ernie: iang, now we have also at the support a system and not only email,therefore a system more with access-controll
(23:36:53) iang: Note that the access engineer's team did not put a report in ... i think this is because they didn't have a team leader :)
(23:37:36) iang: dan:  don't follow your question?
(23:38:02) dan: ah -nm - misread the comment about Hans' happyness
(23:38:22) dan: its referign to security polity 
(23:38:38) iang: agreement of transfer:  this was discussed by the board ... there were some grumbles about it from Teus.  I don't think he liked it.  But in the end, the policy group voted the SP, and the Board voted at some point to back the Security Policy in full.
(23:39:22) iang: one possibility is that Teus didn't really inform Oophaga board of this.  So something to put in the letter.
(23:40:01) dan: so our SP requires we control our AEs?
(23:40:06) iang: ernie:  not sure what connection you are referring to here.  Support's OTRS is a fairly minor computing system in the scope of things.
(23:40:10) iang: dan: yes
(23:40:28) dirk_g1 [AndChat@89.244.99.55] hat den Raum betreten.
(23:40:44) dan: sounds reasonable.
(23:40:45) iang: Security Policy was written to place all access control under SP section 1.  which goes to audit.  Which means the entirety of Access Engineers is under Audit
(23:40:56) ernie: iang, each system which is handling datas must have a access - controll, sure not the same like crit.system
(23:41:11) iang: so if CAcert outsources the AE team to Oophaga, that insources Oophaga into the audit.  Which is a nuisance.
(23:41:35) Q1: iang: couldn't that be handled by a SLA?
(23:41:49) iang: ernie:  granted, but we covered that in the earlier agenda point.  Support team will look at it, document it and report back to board
(23:42:18) iang: Q1: yes, as long as the SLA specifies the audit conducted on Oophaga, and the CAcert accepts that audit
(23:42:35) Q1: (iang: I guess Oophaga won't be able to offer a SAS70 cert)
(23:42:40) iang: e.g, a SAS70
(23:43:07) iang: (I'm not proposing that ... "e.g." ... what I'm saying is that *something* is needed.)
(23:43:23) iang: (and, as an aside, Mozilla also thinks about that these days as well :) )
(23:43:26) dan: what does oophanga's control of AEs mean to them?
(23:43:39) iang: them == the AEs?
(23:43:53) dan: theamin meaning oophanga
(23:44:03) dan: them meaning oophanga
(23:44:21) iang: If Oophaga is in control of the AEs, Oophaga can order them to go in and do something to the servers.
(23:44:56) iang: which isn't so much of a problem because we have the agreement with Oophaga;  but that agreement isn't really strong enough for a CA and for an audit
(23:44:59) ernie: I think we cann't outsourche this
(23:45:31) ernie: then oophaga is in controll of the crit-sys as a whole
(23:45:38) dan: ok - we'll propose to oophanga that it would aid our audit if we control them
(23:46:00) dan: and probably a heads up to the AEs themselves
(23:46:10) iang: right ... so an early decision was taken in 2007 to outsource this ... but we've essentially re-thought that
(23:46:24) Q1: ernie: correct, you'd need a very strong agreement, one that is backed up by an audit statement, like for instance SAS70
(23:46:43) iang: I can say also ... the concept of Oophaga doing an audit was discussed .... and Teus was not keen on it.  Moving the AEs was by far the most effective thing to do.
(23:46:44) ernie: Q1, and an agreement is a sheet of paper only :-)
(23:46:53) u601 hat den Raum verlassen (quit: Excess Flood).
(23:46:56) Q1: Seems our letter to Oophaga is going to be more and more important
(23:47:30) Q1: ernie: SAS70 is more than just paper
(23:47:31) Uli [u60@p4FDCA0F1.dip.t-dialin.net] hat den Raum betreten.
(23:47:42) ernie: Q1, Ok :-)
(23:47:51) pemmerik hat den Raum verlassen.
(23:47:58) dan: motion: any objections to requesting the insourcing the AEs?
(23:48:07) iang: well, it's already done
(23:48:11) ernie: Q1, but important things you should better controll by yourself
(23:48:20) iang: Security Policy rules them, and therefore they are now under our domain
(23:48:39) dan: ok no disagreeent
(23:48:46) iang: but:  it would be polite to mention this in the letter
(23:48:49) dan: next item?
(23:49:00) dan: 2.6d - defer
(23:49:19) dan: 2.6e incident and recover 
(23:49:20) iang: are we all agreed that we need to ask the Access Engineers for a discussion on the team leader?
(23:49:45) dan: nick indicated earlier he needed to get a list together of contacts.
(23:49:48) iang: also, there is 2.5 / 4.  I'm agreed with deferring that
(23:50:18) iang: ah, right, I'm on the wrong numbers again, sorry
(23:50:29) iang: 2.6d - defer, agreed.
(23:50:35) dan: i need to get the key contacts  distribued automated
(23:51:09) dan: cacert-roots list is kinda discussion root key control  which we should be contributing towards
(23:51:27) iang: dan:  hear hear!
(23:51:30) Q1: dan: what item are we at?
(23:51:37) dan: 2.6e
(23:51:42) iang: incident & recovery functions
(23:52:45) dan: so far there 's been a few proposals on key control.  i'll try to get them wikified this week so they can be compared.
(23:52:55) Q1: good
(23:53:18) dan: how about by the end of the week we all comment on the proposal so far and deliver some feedback to the list
(23:53:47) Q1: dan: you have them wikified by end of the week, and from then on we have a week for comments?
(23:53:57) iang: Dan:  are you referring to this:  https://lists.cacert.org/wws/arc/cacert-root/2010-02/msg00007.html
(23:53:58) ernie: Q1, :-)
(23:54:04) dan: ok - thats probably fair
(23:54:18) iang: ah, ok to your wiki summary.  good
(23:54:23) dan: if that's my email sure 
(23:54:55) dan: (ff 3.6 breaks access to SSL renegioation which broke my access)
(23:55:06) dan: anything else for 2.6.e? ian?
(23:55:26) iang: no, this is fine.  It's important to just read and be aware because big decisions are coming
(23:55:33) Q1: dan: so you summarize/wikify, and from then on we have a week to comment?
(23:55:38) dan: yes
(23:55:45) Q1: ok
(23:55:49) dan: or week from when i finish :-)
(23:56:18) dan: 2.N-1a) - conflicts of interest - iang?
(23:56:53) iang: The AGM's annual report, the voting on motions to change rules, and other discussions has led to several issues.  The ones I have seen are listed in the agenda.
(23:56:53) iang: None of these are "today, must resolve, urgent" but all are import
(23:56:53) iang: ant.  Smoke, but no Fire.  Today.
(23:56:54) iang: My hope is that by listing them, we can encourage those who are thinking about the to pick them up.
(23:56:54) iang: (End)
(23:57:24) Q1: Do we want to go through each item?
(23:57:35) iang: I'm open to anything
(23:57:37) Q1: Maybe just status update?
(23:57:47) iang: but I expect we'll be happy to defer these items
(23:58:22) dan: happy for a deferment here
(23:58:44) Q1: given the time I move we defer
(23:58:57) iang: s/2.N/2.7/
(23:59:24) dan: ok - 3 - question time?
(23:59:36) dan: any questions from the digtal floor?
(23:59:46) Uli: about 2.7 a + 2.d
(23:59:57) dan: yes
(00:00:13) Uli: CoI - I've started this point 'cause there is a problem in this area
(00:00:26) dan: really?
(00:00:50) Uli: started ABC interviews with Ian at fosdem ... this leads to points where CoIs are possible, people aren't aware of it
(00:01:16) Uli: now the problem ... i.e. are Arbitrators also underlaying such a problem ?
(00:01:39) Uli: SP / SM gives only advice for ABC to critical  roles
(00:01:53) Uli: but whats with other areas ?  board, arbitrators ?
(00:02:23) Uli: and how to start a CoI interview / discussion / or what ever else
(00:02:35) Uli: if I had a CoI ... to whom I send this ?
(00:02:42) Uli: who decides over it ?
(00:02:47) Uli: where is the register ?
(00:02:52) Uli: end
(00:03:22) iang: u60:  if you have a CoI, being who?  Association Member?  Arbitrator?  Assurance Officer?
(00:03:23) Q1: Officially only the board has to register CoI, and the secretary has to create a reister
(00:03:25) dan: if arbitrators are not covered by a ABC then i guess its a policy question.
(00:03:33) Uli: Arbitrator
(00:03:46) iang: Arbitrator.  OK, there is nothing in DRP about this ...
(00:03:59) iang: so it falls to the Community, which is covered by Principles.
(00:04:10) iang: I think all it says is "we declare our CoIs."
(00:04:21) Uli: ok, but to whom ?
(00:04:31) iang: :-)
(00:04:37) iang: it doesn't say
(00:04:52) Uli: who decides over a CoI one declares ?
(00:04:53) Q1: I'd say given the official structure the secretary is the one to create/update the register
(00:04:53) dan: as for ABC of the board - its an elected official so I don't this an abitrator can overturn the election of an offical
(00:05:07) iang: "We reveal our conflicts of interest, for the community to judge. "
(00:05:21) Q1: so that's where to declare
(00:05:26) iang: hmmm, so one reading might be that you have to run around and tell each and every member of the community
(00:05:32) iang: might keep you busy for a while :)
(00:06:11) Uli: and whats with CoI's I'm not aware off ?
(00:06:24) dan: for team leads i think its fair to report to the board as they were responsible for the appointment and delegation of function
(00:06:33) Q1: u60: what do you mean?
(00:06:34) Uli: this can be found only by discussion or thru an ABC
(00:06:42) iang: Q1:  that official structure possibly doesn't work for the community, so not the Arbitrators or others
(00:07:08) iang: but I suppose if the Arbitrators agreed, we could combine the registries for convenience
(00:07:13) Q1: iang: we would need some kind of register
(00:07:29) iang: nod.
(00:07:43) Uli: q1: and an official procedure
(00:07:58) Q1: We had two proposals at the AGM, trying to explain in more detail what a CoI entails
(00:08:08) iang: also ... a more important question might be ... who gets to browse through the registry?
(00:08:11) Q1: but both did not pass
(00:08:26) ernie: u60, what you mean with official procedure
(00:08:46) Q1: (iang: yes, big issue: might be in conflict of data protection)
(00:08:53) Uli: as DRP declares the arbitration procedure, a procedure for finding CoI can be established
(00:09:20) iang: dan:  overturning the election of an official, yes ... complicated, but given the rule change to refer all association disputes to our Arbitration ... i'm not so sure
(00:09:37) dan: ok - nick want to write up a procedure
(00:09:55) iang: Q1:  well... our own privacy principles, I would think
(00:09:56) Uli: i.e. interview over people in some areas ...  with a defined set of questions ... the results in a CoI ranking ... the result can be added to the register or not
(00:10:23) dan: or anyone?
(00:10:29) ernie: Q1, data protection is the biggest issue - and who is responsible if something will happen with these datas
(00:10:35) iang: there is this clear tension between:  we are supposed to be a privacy organisation /versus/ we are supposed to be a security organisation ... 
(00:10:55) Q1: versus we're supposed to be open
(00:11:01) iang: that too :-/
(00:11:25) Q1: We've had this discussion in the arbitration team meeting as well
(00:11:54) dan: any opinion from there?
(00:12:00) Q1: I guess starting with a list of potential CoI's as guideline might be usefull.
(00:12:20) Q1: For instance: do you work for a spammer?
(00:12:45) Q1: (sending signed spam emails will be the next step to bypass spam filters)
(00:12:48) Uli: no, but should I ?-)))))
(00:13:06) ernie: Q1, to give guideline is a good idea 
(00:13:25) dan: once you get to lists it becomes all rather involed. i'd be happy with a guideline defination as to what a COI is and its procedure
(00:13:31) iang: Q1:  as against a list of roles ... I put an example matrix on https://wiki.cacert.org/AGM/RuleChange/ConflictOfInterest
(00:14:16) iang: we have at least two firm stakes in the ground:  Security Policy and the new Associations Act
(00:14:35) iang: establishes for the security people, and for the association
(00:15:05) dan: s/association/board/
(00:15:08) Uli: but what's with the others ?  i.e. Arbitrator but no Inc member ?
(00:15:19) dan: our rules define it for the association membership
(00:15:48) iang: so possibly we need to figure out where on the ground Arbitrators exist in that arrangement, and Board directors, in comparison
(00:15:55) iang: dan:  was it board?  ah ok
(00:16:03) dan: the Act - yes
(00:16:14) iang: so there is just a question as to whether we strengthen the CoI regime for board or not.
(00:16:24) ernie: dan, right
(00:16:54) dan: I think the Act is pretty clear for the boaard
(00:17:09) dan: it even defines procedues
(00:17:23) iang: the repeated rumbles (in the sense of frequent rule-change attempts or writings) from the membership indicate that this is a question.
(00:17:28) dan: we do need produres for community TL and association though
(00:17:31) iang: where is the Act clause?
(00:18:10) iang: The Act was fairly clear, yes.  But the Act was written for a footy club, not a CA.
(00:18:50) Q1: exactly. It's not always clear what would constitute a CoI.
(00:19:18) iang: but ... to be pragmatic about this ... I'm keen to see where the Arbitrators take this.  They may be able to act more clearly and easily, before the other parties
(00:19:19) Q1: Because some think it not only includes competitors, but also natsec. 
(00:19:57) Q1: iang: hmm, it was an interesting discussion, but no firm answers yet...
(00:20:42) Q1: Mr. chair: what is the conclusion? Is there an action?
(00:20:58) iang: to some extent the absence of Arbitrators from ABC is historical.  the old Security "practices" were that "core team" where background checked.  And we simply wrote those roles & requirement across as is.
(00:21:25) iang: but Arbitrators were a new development from the post-core-team days ... so never got background checked
(00:21:50) iang: (just a remark ... I'm not proposing ABC for Arbs.)
(00:21:53) Q1: iang: that's because contraire to the support group, the arbitrators basically could do nothing without support (no data access)
(00:22:09) iang: yes ... they had their dual control already.
(00:22:24) Uli: but may have wider power then expected
(00:22:40) Uli: so arb's are also in the focus of public
(00:22:42) Q1: u60: agreed, but otoh everything is in the open
(00:22:47) Uli: and in a sensitive area
(00:22:59) dan: Any board volunteer to write up a COI procedure for board approval?
(00:23:12) Uli: ok, whats with childporn and politicians ?
(00:23:13) iang: personally I don't think we're there yet
(00:23:28) Q1: u60: I don't like either...
(00:23:38) iang: we don't appoint those so we don't need a policy ... I hope :)
(00:23:52) Uli: ;)
(00:24:09) dan: on - uli - you wanted a procedure - lets try to get you one
(00:24:20) dan: s/on/ok/
(00:24:27) iang: I saw a comment on an application form recently:  "Do any of your relatives have a public position or profile?" or some such.
(00:24:50) Uli: as a sidenote ... if we establish a open CoI procedure, this will be visible to the public, and the fear the last boards has, about overhelmed by other commercial CA's maybe banned thru this 
(00:24:50) iang: i guess start a wiki page?
(00:24:56) Q1: What type of job are you applying for?  ;-)
(00:25:14) iang: Q1:  one that would have required a declaration of a conflict ;-)
(00:26:04) Q1: u60: I'm afraid it won't work like that
(00:26:31) iang: well, I think the guidelines is likely public.
(00:26:34) iang: no?
(00:27:16) dan: discussion can continue on a list somewhere.  lets close this meeting
(00:27:29) dan: volunteer to write up minutes?
(00:27:30) Uli: i have 2 more questions !
(00:27:41) Uli: 2.7 d audit work
(00:27:41) dan: i hope they are quick
(00:28:09) Uli: with the root keys motion ... is there expected to get the audit running before end of this year ?
(00:28:53) Uli: last root key ceremony was under auditors view
(00:28:54) dan: that seams to the the implying goal - we've all got an oustranding action item to confirm that
(00:29:00) iang: i don't think the new root key holds us so up on audit
(00:29:17) Uli: ok
(00:29:47) iang: u60: root key ceremony being under audit view is not an audit requirement, generally.  It is actually a rather dangerous thing to require that
(00:29:50) Uli: q2: arbitrators ... we have about 60 open arb cases and we've lost again 2 abritrators to board
(00:30:12) iang: we need new Arbitrators!
(00:30:17) dan: we've all got to define the goal  of the board/communit this week - include what you think about new roots and audit there too.
(00:30:28) iang: dan: point
(00:30:28) dan: last question uli?
(00:30:49) Uli: so the current working board motion boardmember vs. arbitrator is a blocking factor
(00:31:06) Uli: we've discussed this in the arb team ...
(00:31:24) Q1: regarding arbitrators: we're starting to get some of the "standard" disputes solved by using comparable rulings
(00:31:34) Uli: we had much arb cases, where arb=boardmember can handle w/o CoI
(00:31:39) Q1: That will help process more disputes
(00:31:53) dan: the abitration policy already has a COI policy
(00:32:04) dan: i don't think its an isue
(00:32:24) iang: then, put it on the agenda for next meeting to debate this and perhaps overturn the motion?
(00:32:38) dan: sounds like a good resolution
(00:32:38) Uli: from community to get in new arbs is a long time solution ... but we need arbs now ...
(00:33:02) iang: i think there is a tension between Arbitrators working on Arbitration and Board Members working on Board ...
(00:33:21) dan: can the abitration community define their priorities to get more arbitrators?
(00:33:33) Q1: Yes, we will
(00:33:39) Q1: (spoken as DRO)
(00:33:46) Uli: ack
(00:34:29) Uli: 1. arb that are also board members ... be able also doing arb cases that doesn't conflict with board member work
(00:34:49) dan: uli would you like to volunteer to write up the board minutes for today?
(00:34:53) iang: there is a bit of a race between Support and Arbitration to recruit the best members
(00:34:56) Uli: 2. triage -> support -> Case Managers -> Arbitrators   path
(00:35:05) iang: but we consider it a friendly race :)
(00:35:15) Q1: no we don't ;-)
(00:35:40) iang: Q1:  according to the rules that I wrote for the race, Support comes first ... both times ;-)
(00:35:44) Uli: dan: this was my last point ,-)
(00:35:56) iang: Rule #1:  triage -> support -> Case Managers -> Arbitrators  path
(00:36:01) iang: :-D
(00:36:05) dan: i was hoping - thanks for asking.
(00:36:29) dan: meeting closed at 23:34

Original Place Meeting Transcript SVN CAcer.org Website

Inputs & Thoughts

YYYYMMDD-YourName

Text / Your Statements, thoughts and e-mail snippets, Please

YYYYMMDD-YourName

Text / Your Statements, thoughts and e-mail snippets, Please

Category or Categories

CategoryBoardMinutes

Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100221 (last edited 2010-07-20 07:00:13 by SunTzuMelange)