Committee Meeting 2010-04-03
The meeting will take place at 22:00 UTC in the IRC channel #board-meeting on the CAcert IRC network.
Feel free to add a business item within the acceptance period, or a question to the board, below.
- Summary of cacert-board-private list since 2010321 and reason for privacy
- Update action items below
Outstanding From 2010-02-02
- contribute to discussion on Board/Community goals on board email list
- Get automatic sending bit on the key persons list that I said I'd do ages ago.
  - waiting on Nick to deliver list
- First payment received. Second paid 20100321 - received(?)
- Pay Ian (old audit debt related)
  - Paid + received.
- Westpac to change to a single signatory to sign payments in accordance with AGM rule change.
  - on hold, practically status quo tho
  - revisit more signatories once current mess is sorted out
- Write up AGM minutes
- Association rules on wiki
Outstanding From 2010-02-21
- Find out from US bankers what's required to open an account
- Prepare summary of payment options / investigation for association
  - progress - not complete
- Propose Walter as Events Officer as out of band motion
  - added to agenda + m20100327.1 in progress
- Triage personnel not covered by ABC - revisit on policy list
- Keypersons list, finish the excel spreadsheet and emailing it out
- discuss team leadership with access team
- Contribute towards root escrow / recover discussion
- Comment and discuss COI procedures
Outstanding From 2010-03-06
- Board/Community Goals - get an overview
- Board/Community Goals - come up with one or two items to look at and then to decide a priority and a timeline
- Board/Community Goals - 6-12 month position statement
- Status report of current projects
- Status report of current officers
- OTRS updates (clarity needed here)
- Install Meetbot for next IRC meeting
- Email list (members) about US banking options
Outstanding From 2010-03-21
- Create dual signing server escrow method
- Create motion for deciding on an escrow method
  - deferred - waiting for review. This action not decided properly
- Review escrow methods and decide
- Review second Oophaga letter
  - Lambert and Nick
- Informal contact via email with Oophaga
- Informal talks with Oophaga
- Chair opens the Committee Meeting
- Who is making minutes?
Businesses
Important Note: Acceptance of Businesses 48 hours before the beginning of the Committee Meeting at the latest!
- Send Oophaga letter #2 out by Daniel Black
- Letter #1 was incomplete
- Informal notification should have been done (action items)
- let's put both these letters into the public svn.cacert.org repository too
How to deal with rule 23(B)(3) - board private list summary/justifications by Iang
23(B)(1) The committee must, except as provided in this rule, cause any and all business transacted by it to be published on the association's website.
23(B)(2) The committee may, by its own motion, close its deliberations to the public, restrict access to any document, or do any other thing as necessary for the proper administration of the association.
- Is the board private list a closed deliberation?
- Do we need a motion to endorse it?
23(B)(3) In the event of the use of rule 23B(2), the committee must record and publicly disclose the reasons for its decision.
- proposal motion "The board will close deliberations to the cacert-board-private list for draft correspondence on behalf of the board."
- proposal motion "The board will close deliberations to the cacert-board-private list for matters relating to the performance assessment of appointed staff or proposed staff."
- anything else?
- Is the current mix of summary/rationale sufficient for (3)?
- Is a simpler meeting of these requirements possible?
Iang: in the light of 23(B)(1) it would be tough to argue for any blanket decision without being flagrant.
- Officially Vacate position of Organisational Assurance Officer by Daniel Black
- Remove Officer Positions
- House Style Officer added by Daniel Black
- no major work - discussed on cacert-board-private in amongst officer work
- Daniel agrees too
- Remove Organisation Assurance Officer
- remove the position since it is only an Assurance Officer/Manager delegated role
Iang: ask the AO and OAs what their advice is here. Org AO is not a light title like the others. Someone is needed here.
- Daniel: I'm happy to keep this - just wanting to give it a review and validate its current need.
- House Style Officer added by Daniel Black
- Removal of Officer title to more friendly community name added by Daniel/Ernie
- In line with the principle that "Officer" is a little too loaded for a community organisation.
Rename Policy Officer to Policy Editor, to move in line with the community spirit and the IETF process on which the policy list is based.
Iang: Editor is a term already used in the context of one policy.
- getting closer to the spirit of the IETF isn't a good thing, necessarily. The things so far taken from the IETF are the terminology (which was useful) and the idea of rough consensus.
- There has never been an appointed PO. It seems to be bike-shed painting to rename the title.
- See comment below. Any futzing with policy will be seen with the dimmest view by the Auditor. Officer is a well defined term, someone who takes on a responsibility.
Rename Assurance Officer to Assurance Manager
- Rename Organisation Assurance Officer to Organisation Assurance Manager
Rename Education Officer to Education Manager
Rename Documentation Officer to Document Manager or Document Coordinator
- Daniel's preference - Document Coordinator
Iang: this is a concern. Officer is a serious title, and it can be used to indicate seriousness, especially for security or for audit. Agreed that house style doesn't need it; but Assurance Officer has a cachet that means something.
- It has been commented that teams should choose their own leader / title. Also, actions mean more than words.
- Policy Officer/Editor added by Daniel Black
Appoint entire board to role to ensure policy edits can take place and provide an avenue for the community to contribute trivial changes and get them fixed. This will help us select/appoint someone later.
Iang: Appointing the entire board makes no sense. As executive, the board already has responsibilities that are not appointed, and making up "appointments" looks like handing out candy & lollies.
- Recent events do not support this, and confidence is an issue.
- The same problem undermined the last board meeting's comments on Policy; making up processes on the fly led to unfounded conclusions.
Suggest: the Board is minded not to appoint a policy officer at this time. At least that's clear, factual and defendable.
- Any other change in Officers list? added by Daniel Black
- Are we sure the DRC will still be accepted by Mozilla as it is? / Review the DRC criteria. added by Ernie
Could we ask Mozilla for a preliminary ruling? ( http://www.mozilla.org/projects/security/certs/policy/ #12 )
Certificate issuing for CAcert Inc. added by Mario
- Remove Evaldo Gardenali, Guillaume Romagny, Philipp Gühring ?
- Add Daniel Black (Infrastructure) ?
- Add Michael Tänzer (Support) ?
- Comment by Dan: What ongoing need does Support have? Good enough as a third person though
- Add (Critical Admin or other)?
- Wytze recommends against critical admins having more privileges.
- critical domains should be under SP
Why was the cacert-root list removed? by Iang
Iang: This post does not argue for removing a list. It argues instead that the proposals of the project are still not complete. Perhaps it is too subtle or it didn't say it, but the solution is not to move the debate from the list to the Board meeting to the policy group.
Iang: wouldn't inviting Laura onto the list of concern have been a better solution than interpolating that policy group was "better interested"?
- no change to URL, same as above.
Stefano Mazzocchi - All you wanted to know about Open Development community building but didn't know who to ask (2006) p200 in slides on list management
- If there is a point to make in this URL, please summarise.
- The root project is substantially complicated. It is not a "policy" project, especially because policy group has already spoken. The last team input their thoughts into the policy perspective in a reasonable fashion. It is entirely clear that there will be new thoughts to insert into policy group's output in due course, but this is a long way from making it "policy business."
- IMHO, trying to do this project on policy group will slow it down, and annoy policy readers.
Security Policy by Daniel Black
- I suggest we examine the following sections closely and discuss them on the policy list, as they affect the new root planning and legal matters. Not for discussion now.
- Root key management
- SP9.2.3. Recovery - specifies arbitration control - Is board control a better option?
- SP9.2.4. Revocation of root (and subroot?) is blank. Board control here?
Security Policy 9.3.2 Response to external (legal) inquiry added by Ernie
- Add "Requirement that each person in the chain in a situation like this (the served party, the arbitrator, etc) should have a positive obligation to inform the board the moment they become aware" - as suggested from Mark
Iang: it is reasonable to assume that by this weekend, the Security Policy will be vetoed. Therefore there is no Security Policy, and all the above may change its character.
- Right - reworded to account for this (dan)
Question Time
Important Note: Questions from CAcert.org Community Members can be added until the beginning of the Committee Meeting! Questions can also be asked at "Question Time" without adding them here.
Question One added by Your Name
Comment: Replace "Question One" by Your Question and add your Name
- et cetera
Present: Lambert, Dan, Ernie, Mark, Iang, Mario.
22:03 Lambert takes the chair and opens the meeting. Chair asks for volunteers for minutes, none provided. After discussion, a schedule or rotation is decided upon. So far, Dan, Mark, Mario have done minutes. Chair asks Iang and Ernie to do the next minutes, in turn. Iang accepts.
Mark questions where approval of the last minutes is on agenda. Some discussion as to whether they can be approved outside the meeting. Mario mentions that some items in the Agenda could be dealt with before-hand, the Agenda is "quite huge."
Discussion moved to the last minutes. Mark says that a part does not accurately reflect the meeting. Business Item 4 is comments of individual members, not the points of agreement. Mark suggests replacing the comments with "No conclusion reached, deferred."
Discussion on whether to resolve this now, or defer minutes approval to next week. Iang notes that his complaint has been sent, and abstains from the discussion. Dan and Mario prefer not to discuss the text now, Mark prefers to resolve now. Lambert moves that the minutes be changed as per Mark's suggestion. Carried as procedural vote.
Chair introduces Action Items and asks each in turn if there are any to be discussed. None have any.
2.1 - Oophaga letter
22:21 Chair moves on to Business Item #1 - Oophaga letter. Daniel has the floor, reports the task has not progressed for lack of time. Lambert insists on reviewing it before it goes out. Daniel to get it out as most have reviewed it, and will put a final draft onto private list in a few days time so Lambert can review by Wednesday.
Mario asks whether informal discussions have started. Mark also. Lambert reports he should meet them soon at NLUUG. Mario and Lambert agreed to discuss off-line. Lambert summarises: " law and I will discuss, provide feedback to you, make informal contact. I will provide feedback to board regarding letter, and will publish our letter "
The previous letter has apparently not been published, but should be (conclusion not clear).
ACTION: Daniel to prepare final letter, Lambert and Mario to instigate informal contact
2.2 - How to deal with Rule 23(B)
22:30 Chair moves to next: Rule 23(B). Iang summarizes that " rule 23(B) requires the Board to conduct business in the open. But at our election we may close business and notify the community of our reasons. This is somewhat at odds with the private list. In some sense, we can't have a private chat list under 23(B)"
Mark, as author of the rule change, explains: " the rule, as I drafted it, refers to 'all business transacted' for a specific reason, so as to exclude input and discussion as being necessarily made public. The business we transact is actual decisions, consensuses, actions, etc, [and] not discussions, and certainly not input from others outside the board by default. So, for instance, many of the threads on the private list are started by non-board members... someone forwards something to bring to our attention, and decides on their own it's suitable for the private list. "
Both agree that the term business is crystallised by an agenda item, and discussions related to that should be included.
The discussion then moved to what things could be discussed without them becoming "business." Lambert mentions strategic discussions, Mark mentions private chats about an upcoming agenda item. Iang reminds of the SGM 2009. Iang analogises with the finance world, where all is escrowed.
Mark claims that third party emails to a private list have an expectation of privacy. Lambert, Mario, Ernie agree. Iang does not: if the mail is clearly business, then why is it private? And, sending a mail establishes no contract (expectation). Mark: sending to cacert-board-private, with no public archives, supports the expectation of privacy.
Dan comments that Mark can lead the discussion on to Members.
Lambert draws from the expectation and proposes that any deemed "non-private" emails should be responded to as "this is not private, will not be treated as such." Iang mentions that if one person expects more than another, errors occur, and/or work slows down.
Mark: we cannot disclose everything. Every note, every chat. "my rule change was designed to require the publishing of communications surrounding board decisions. my opinion is that once an item is on the agenda, or a motion created, or an action taken as the board, then it's public from there on out."
Mark sees a presumption of privacy, but it's rebuttable. Iang does not subscribe to a presumption of privacy: he is too busy, and it has led to abuse. Mark sees it as a courtesy. Iang agrees with that. Dan too.
ACTION: Mark to propose to the Members list an opening statement on the implementation of Rule 23(B).
2.3 - Officially Vacate position of Organisational Assurance Officer
22:56 Chair moves to Organisation Assurance Officer.
Daniel states this carries on from last meeting. The purpose is to make sure the people are doing some work.
Iang: it is unclear who has it now, and may be harder to help when the position is filled. Sam or Greg are mentioned. Pings were sent, no responses.
Lambert moves that " we declare the position vacant, since we've heard nothing for more than three months. " Iang seconds, unanimous. Chair declares the motion carried as m20100404.2.
2.4 - Remove Officer Positions
23:02 Chair moves to next business, whether to remove positions.
Dan reports ping sent to listed House Style Officer, no response.
Discussion on the necessity of this role. Ernie: Someone is needed to prepare templates. There is a style guide. Iang: Work was done by Johans, but unable to get attention of Software team. Mario: the work can be done by Community, no position is needed. It would be nice to have, we can add it later, when someone is doing it.
Discussion, leads to consensus that the work can be done in the Community, no role needed. Lambert moves that, " we remove the House Style Officer role. " Mark seconds, unanimous. Chair declares motion carried as m20100404.1.
Next: Organisation Assurance Officer. Mario: there is activity in Switzerland and Germany. Iang mentions we need a team. Mark mentions wider input, especially the OAs. Also, policy creates this role, and therefore policy group is the place to discuss. Mario: OA requests without country OAs go to the Officer.
Chair summarises: "The role cannot be removed, is part of policy, and we need this, it is big task. (however, currently we have no one)."
2.5 - Removal of Officer Title
23:16 Chair moves on to "Officer" item.
Dan: " it seems to me that officer implies they are setting the direction. This isn't really a common term in community organisations like ours. while some positions have responsibility i think there's more social harm which the board is responsible for. " Ernie: people see Officer as a "closed" term. Team leader is clearer, working within and for the team. Dan: Officer is seen as militaristic, authoritarian.
Mark claims two flaws: " [firstly,] we do not have the authority to rename most of them, because they are created by policy, and [secondly] this is arguing about what colour to paint the bikeshed. " The first is a point of order, if we don't have the authority.
Iang: some policies have evolved to designate officers, not all. " Where the policies feed up to audit, there is a sense of responsibility that can benefit from a serious title like Officer. However, SP did not follow that path, preferring to use the term "team leader" perhaps signalling the more technical nature. "
Chair summarises: " current titles imply things (authority?) that might not be there, and some of us feel this is holding members back. However, we as board cannot change titles, must be done in policy group. " Consensus appeared to be established on this approach.
2.6 - policy officer/editor
23:31 Chair moves to next.
Dan: " this appointment proposal was based on a few people's interest in doing trivial editing - I was hoping to fill it at least temporarily so this could occur. since then I've seen no trivial edit proposals." Lambert mentions two tasks of the Policy Officer, being summarizing and writing the ideas of the policy group, and trivial editing.
Iang: " No edit to a policy-in-effect is trivial. Audit requires change management to be in place (and by that, it includes governance over & above SVN /wiki). "
Without appointment, nobody has the authority to make changes under p20100306. Mario asks if Iang has rejected the position. Iang states that he does now, and advises the role to be left open.
Some discussion on how the changes are done. The changes have to be done with an eye to other policies, holistically, and then pushed through as a patch through critical teams. Patches are hard. The DRAFTs and copies in SVN can be easily edited, and we rely on scrutiny for that. This is an acknowledged bug or feature in the change control.
Dan proposes that all the Board be appointed. Mark points to conflict as Board has veto under PoP, and PO has other roles under PoP as well.
Chair summarises: board cannot act as editor. A single board member might, but that would be a double role (so not acting as board member).
What happens without a PO? The changes necessary will need to be voted on by policy group in the normal way. Mario: " So just wait until policy group gets sick about a missing policy officer and comes up with a good proposal. " Lambert, Iang agree.
2.7 - Nominate Walter Gueldenberg
23:57: Chair notes that this item is complete, motion is carried as m20100321.1
2.8 - DRC criteria
23:59 Chair moves on.
Ernie: " Could we ask Mozilla for a preliminary ruling [on DRC] or not? do we know if it is still accepted? It is also some time ago that it was informally accepted. " "but may have expired" (iang)
"We reserve the right to accept other criteria in the future."
"However the CA may request a preliminary determination from us regarding the acceptability of the criteria "
discussion: Mark proposes that we " get "our DRC" criteria accepted. " Mark points out that we need to do the audit process -- policies, implementation, measure against criteria, deal with any exemptions with compensating controls -- before asking for a preliminary determination.
Daniel disagrees - we're asking approval for the criteria not an audit.
There is some concern about modifying the criteria, with or without DR, and then approaching Mozilla for a preliminary determination. No consensus that this is a good idea. Topic closed.
2.9 - Certificate Issuing for CAcert.org
00:17 Chair opens topic. Mario: " I think our O-Admin list for CAcert Inc. just needs some regular rework done since there are quite inactive people in the list. Taken the input so far I would propose to move changes reflecting points 3-5. "
Iang: asks " who is it that can issue a certificate for secure.cacert.org ? " Or, other domains. Mario: we cannot distinguish between the domains. Iang asks why this isn't a critical task. Mark concurs, even if secure.cacert.org was excluded, as there are too many sensitive alternatives. Iang: are we issuing certificates that can be used to MITM our own people? If so, this sounds like a critical task. Mario: cacert.org and similar domains are covered.
(Discussion). Mario: An Organisation Assurer can also manipulate the list of O-Admins. " I could add myself or anyone else to the cacert O-Admins. " Discussion on possible controls. We need dual control over the certs, Orgs would like that too.
Mario: Does this mean that, in addition to the requirements from OAP we additionally want the people be ABC'd for the O-Admin? Iang: "first, we conclude that the issue of any certificates that can be utilised in a fashion to attack us ... must be a critical responsibility under SP. The ABC comes as a consequence." Mario: So for now, we should choose O-Admins that have ABC already? (Daniel leaves at this point.)
Is this a new section in SP? Transfer to Policy Group? Critical Teams? Root team? Not understood at this point. Iang comments: "although I will say: mario, thanks for bringing this up. This represents a surprise to me, and I should have seen it before. " Chair asks Mario " to summarize, and send question to policy group, critical sysadmins, root team? "
Mario moves, "to remove Evaldo, Guillaume, Philipp G and Bernhard from the O-Admin list and add Michael (who is ABCd as support team leader) as O-Admin for CAcert Inc. More discussions about implementation into systems and policies need to be done. " Lambert seconds, unanimous. Carried as m20100404.3.
Lambert asks about a list of already issued certs. Mario says that O-Admin can supply (or file a dispute, but not necessary in this case because Board is owner).
Mario asks, "OK, are there any objections if I propagate the changes as OA with the system? " . Iang asks whether it is possible for a non-related OA to set the O-Admin? Mario confirms. Iang says "no objection…" and Mario does it. But, this means any OA can do this.
Chair rules that the topic is closed and we move to next business item.
2.10 - Why was root list moved to policy?
00:20 Chair introduced next subject.
Iang states that his questions, comments and some responses are in the Agenda. Daniel is no longer present. Mark confirms " I didn't suggest the list be removed, or even hint at it. My point was in relation to a specific piece of proposed policy that was trying to be rammed thru as urgent. " .
Mario asks "But is this a board item? List management has been decided to be community driven…" Iang agrees it is not, just venting of frustration. What can the board do? Wait for a clear proposal, with recommendations. Policy? Iang says SP has already said its part, and in absence of a new issue, little to say.
Concerns stated: CC lines too long, moving to Policy will slow things down, some cannot follow policy, moving discussion from one forum to another does not help.
Consensus that nothing can be done now, leave to list.
2.11 - Security Policy
00:54 Chair introduces and asks if there is anything to discuss? Consensus is to refer this to policy group.
Mario: all to comment on policy group, from Board point of view? Iang prefers Community view. Mark: Board can come to an opinion, but views presented on policy list are community views. Mario: board point of view needs to be expressed to avoid situation such as recent veto. Iang reverses, agrees, and states that this is what he was asking for.
3 - Question Time
01:00 No questions heard. Chair confirms meeting at Sunday April 18, 21.00 UTC.
Mark asks whether the original point of having Saturday meetings still exists? Nick has not been present. Europeans point out that it is 03:00 in the morning, in EST already, and this is more difficult for a Sunday evening than for a Saturday. Lambert suggests the topic go on the agenda for next meeting.
Mark points out the agenda was very long today. Mario agrees.
Chair closes the meeting at 01:07.
(Minutes posted 05:37)
- prepare Oophaga final letter (Daniel)
- Oophaga instigate informal contact (Lambert and Mario)
- propose to the Members list an opening statement on the implementation of Rule 23(B) (Mark)
log in GMT+10(?) [08:00:53] <Q> Ok, let open the meeting [08:01:39] <Q> Who volunteers to make minutes? [08:02:54] <Q> Seems no volunteers [08:03:07] <Q> Shall I make a schedule? [08:03:16] <Q> Or just assign someone? [08:03:54] <dan> lets just put the log up instead. if people get time they can do it. discussion on assignement/schedue can take part offline. [08:04:02] <Q> So far Dan has made minutes, Mark has made minutes, Mario has made minutes. Ian, Ernie: who of you is volunteering? [08:04:04] <dan> orignally we did decide to rotate it i think. [08:04:22] <law> yes. rotating shoudl be fair. [08:05:17] <Q> Ian, would you please do the minutes? Ernie, will you do the next? [08:05:22] <iang> ok [08:06:33] <Q> Ok, action items. Most of them have updates, don't want to go through them. Anyone has an action item he/she wants to provide some more info on? [08:06:49] <markl> I notice approval of the previous meeting's minutes has dropped off the agenda... that needs to be on each agenda. [08:07:02] <dan> it can be done outside the board meeting [08:07:11] <dan> well i though so anyway [08:07:54] <markl> it should be on each agenda, so we can resolve any problems in the minutes [08:07:54] <Q> I apologize. It can be done outside meeting as Dan mentiones, but I'd like to have it during the meeting so that it can be entered in the next minutes [08:08:12] <markl> we have a practice established of doing so, in any event [08:08:27] <Q> So, first point of the agenda: approval of minutes [08:09:09] <law> I would appreciate if we take some stuff out of the agenda which can be done. Maybe vote outside the meeting and mention on the beginning the outcome of the vote to have it in the logs/minutes? 
[08:09:09] <dan> ok - but for next time since the minutes have been prepared ages in event of a meeting can we discuss corrections on list or correct them ourselves [08:09:21] <markl> I have a problem with the minutes as they stand, I don't believe that part of it accurately reflects the meeting. [08:09:23] <Q> I've noticed some comments regarding the minutes. Do we need to discuss here or later on? [08:09:38] <Q> Ok, mark, can you explain? [08:09:40] <law> Looking at our todays agenda it looks quite huge. So handling simple voting tasks outside would reduce the length of the meetings. [08:10:39] <markl> business item 4 on the minutes [08:10:48] <markl> What about this post? added by Ulrich [08:10:49] <markl> generally unacceptable to nominate other people for roles - they can do it themselves [08:10:49] <markl> we also try to find more people for this role [08:10:49] <markl> we'll consider appointing more that one person [08:10:49] <markl> we will give the role to anyone with the right skills [08:11:24] <markl> I don't think the comments accurately reflect what was discussed at the meeting. The minutes give the appearance that these points were points of agreement amongst the board, rather than comments by individual members [08:12:08] <dan> i was trying to summarise - poor wording perhaps but feel free to correct [08:12:45] <dan> extend vote https://community.cacert.org/board/motions.php?motion=m20100322.2 and we'll look at your corections [08:12:57] <markl> I'd say removing the lines that appear after "What about this post? added by Ulrich [08:12:57] <markl> ", and replacing it with "No conclusion reached, deferred." [08:13:01] <Q> Ok, I move the members that feel it needs to be changed send proposals, and we have a vote later on next week [08:13:27] <markl> I think it's practice that we resolve meeting minutes before the business of the next meeting? [08:14:14] <Q> Ok, who's in favor of having it solved now? 
[08:14:19] <dan> naye [08:14:41] <markl> the synopsis further down already has basically the same thing.. it says "Policy Officer - not decided - few informal thought described [08:14:42] <markl> " [08:15:14] <iang> I abstain. I've made my complaint and don't want to add more. I'd like the minutes to record that I've made that complaint. However I understand that it came in too late to be properly responded too. [08:16:06] <markl> dan: are you disagreeing because you disagree with the change, or disagreeing on principle? [08:16:13] <dan> i wrote the minutes as best i could in the time. i have no objection to editing based on what was said. it was towards the end of what took hours to unravel [08:16:26] <law> I am happy to have the minutes adjusted to marks comments and to vote for it later. But discussing text changes in an irc meeting seems not appropriate to me. [08:16:43] <dan> i'm happy with the change - just don't want wordsmitting to occur in meetings [08:16:52] <markl> We've had approval of the previous meeting's minutes on the agenda for every single meeting every one of us has been to, except this one... [08:16:58] <Q> I move we remove the lines as Mark pproposes and accept the minutes [08:17:07] <markl> seconded [08:17:11] <Q> aye [08:17:12] <dan> fine aye [08:17:14] <markl> aye [08:17:15] <law> aye [08:17:17] <iang> abstain [08:17:17] <ernie> aye [08:17:21] <Q> Ok [08:17:26] <Q> Next item [08:18:04] <Q> Getting back to action items. Don't want to go through all items, but are there specific actions that need to be discussed? [08:18:06] <Q> Ian? [08:18:13] <Q> Dan? [08:18:15] <Q> Ernie? [08:18:19] <Q> Law? [08:18:23] <Q> Makr? [08:18:34] <iang> nothing from me. [08:18:41] <law> no. [08:18:45] <dan> the reason we took it out was because of this. if we had something we had the change to put it on the agenda [08:19:00] <markl> I've adjusted the minutes accordingly [08:19:24] <Q> Ok, no further discussion on actions. [08:19:34] <Q> Next item: Oophaga letter. 
[08:19:39] <Q> Daniel, you have the floor [08:20:00] <dan> law: have you done any infromal discussions? [08:20:22] <law> No. Did not find the time to do so. :/ [08:20:30] <dan> Q: given we're waiting on your review and i suspect you haven't had time can we just get it out? [08:21:27] <Q> dan: I'm aware you're waiting for me. Have been very busy, but want to be sure I understand the letter I'm sending [08:21:40] <dan> i propose I write up a final - put it to board-private list for a few days for comments. [08:21:50] <dan> i'll happly put my name to it [08:22:06] <markl> I thought we reached consensus to start this informally first, too? [08:22:07] <Q> That's not the point [08:22:42] <Q> When it's sent by CAcert it will be in my name, even if someone else sends it [08:23:04] <markl> Q: that's not really an issue, it can be sent by anyone authorized by the board, in the name of the board [08:23:06] <Q> I'll be able to read and provide feedback by Wednesday [08:23:21] <markl> but I think we agreed to start informal discussions first anyway? [08:23:26] <Q> would that be ok? [08:23:36] <dan> as long as you do - y es [08:23:37] <Q> Yes, was going to give them a call [08:23:51] <Q> and attend the NLUGG, and meet Oophaga there [08:23:55] <law> actually we had both which somehow does not make much sense this they effect each other. [08:24:29] <Q> Law: let's discuss later and provide feedback to rest? [08:24:47] <law> ok. [08:25:05] <markl> the previous letter we sent has been published to the community, right? [08:25:11] <markl> along with Oophaga's letter [08:25:30] <law> I cannot remember having seen it on public lists. [08:25:37] <dan> thats the second point - its not in svn either [08:25:38] <Q> Ok, law and I will discuss, provide feedback to you, make informal contact. I will provide feedback to board regarding letter, and will publish our letter [08:25:52] <Q> That ok? 
[08:26:26] <markl> I don't think we ever agreed to make it private, so someone just forward it to the board list?
[08:26:33] <markl> the letter that has already been sent
[08:26:36] <Q> C
[08:26:39] <Q> Can do
[08:26:41] <Q> sure
[08:26:50] <Q> (was not private)
[08:27:08] <Q> For the rest, is my summary ok?
[08:27:43] <Q> I guess
[08:27:47] <dan> yes - though your reliability for adhering to the summaries/deadlines you set in meeting is poor
[08:27:55] <Q> Next: rule 23B
[08:28:24] <Q> Ian, your item
[08:28:30] <Q> You have the floor
[08:28:49] <iang> rule 23(B) requires the Board to conduct business in the open
[08:29:09] <iang> but at our election we may close business and notify the community of our reasons
[08:29:22] <iang> this is somewhat at odds with the private list
[08:29:41] <iang> in some sense, we can't have a private chat list under 23(B)
[08:29:46] <markl> I'd also like to add some background as the author of the actual rule change...
[08:30:04] <iang> and we can't routinely discuss stuff privately, easily .. without at least nodding to 23(B)
[08:30:10] <iang> floor to mark
[08:30:23] <markl> the rule, as I drafted it, refers to "all business transacted" for a specific reason, so as to exclude input and discussion as being necessarily made public
[08:30:38] <markl> the business we transact is actual decisions, consensuses, actions, etc
[08:30:53] <markl> not discussions
[08:31:13] <markl> and certainly not input from others outside the board by default
[08:31:49] <markl> so, for instance, many of the threads on the private list are started by non-board members... someone forwards something to bring to our attention, and decides on their own it's suitable for the private list
[08:32:03] <iang> i would see business differently. I would see business as those discussions and decisions following on from the Agenda
[08:32:16] <iang> this is for example a business item, whether we come up with a decision or not
[08:32:43] <iang> i think narrowing the scope of "business" to only final motions is a bit tough ... and not what the community thought it was voting for
[08:32:45] <markl> yes, the conduct of a matter that is on the agenda is an extension of transacted business
[08:32:49] <iang> s/community/association/
[08:33:36] <markl> the alternative reading is a difficult leap, and not at all what I intended in drafting it
[08:33:52] <Q> As I remember it, the private list was set up for: things that could not yet be discussed for strategic reasons?
[08:33:57] <markl> for instance, that would require publishing private chat transcripts between two board members discussing an upcoming agenda item
[08:34:19] <iang> also, i would remind the board of the events of summer 2009 ... in that period, the board purported to take all discussions private. this caused the community to be most disquieted
[08:34:27] <iang> and was one of the factors that led to the SGM
[08:35:33] <iang> indeed, there are some difficult lines to draw -- are private conversations to be escrowed?
[08:35:41] <markl> we can't, for instance, forward the emails of third parties to the public list, because they have a reasonable expectation that they are sending it to just the board
[08:36:04] <iang> if we were to treat ourselves as finance operations, then the answer would be yes
[08:36:06] <markl> but them posting a mail to the board-private list is also not the board "transacting business"
[08:36:26] <Q> mark: correct
[08:36:41] <law> I think we should use the private list with some more attention on whether the mail being sent needs to be private - if not, send it to the board list. But we also should never disclose items that have been sent to a board or a member in private.
[08:36:48] <iang> well, it depends on whether there is a reasonable expectation of privacy. this is not a carte blanche
[08:37:09] <iang> if the content of the mail is clearly business, then members can be expected to treat it as is
[08:37:11] <ernie> markl, agree
[08:37:31] <iang> if the content of the mail is clearly private, e.g., but not limited to including PII, then an expectation may be established
[08:37:38] <dan> proposed option: mark emails cacert-members with this proposal and see if there's objection to this. stating a board position of this rule interpretation is probably a good thing. i tend to agree with your interpretation
[08:37:44] <iang> but, sending of a mail establishes no contracted expectation of privacy
[08:38:01] <markl> iang: well, they send to a list that is not archived, that has the word "private" in it.. i think that should be a compelling indicator of a presumption of privacy
[08:38:26] <markl> there are situations where other things outweigh that presumption of privacy though, and perhaps this rule is one, but I don't think it is
[08:38:35] <markl> because a non-board member has no obligations under rule 23
[08:38:41] <iang> it is an indicator, yes
[08:38:42] <law> also who sent mail is private information.
[08:38:43] <markl> *23B
[08:39:29] <Q> all: I think if we feel that an email sent to the private list is not private we need to respond and explain that the email will be treated as not sent to this list
[08:39:51] <iang> this is where it gets tricky. if one person expects more privacy than the other, errors occur; if the receiver always grants privacy when none is required, work clogs up
[08:40:09] <Q> But as law says, we cannot forward it ourselves
[08:40:14] <markl> to require us to disclose everything communicated in the context of being on the board is a step too far... because if you take that reading, you should scan and publicly disclose every written note you make, every private conversation you have if it's in the context of your board position
[08:40:44] <markl> my rule change was designed to require the publishing of communications surrounding board decisions
[08:40:55] <iang> exactly ... and to require that we treat every mail sent as private requires us to engage in a long protocol to get permission to do work
[08:41:06] <iang> so when mails turn up, we'll simply ignore them. It's too much trouble
[08:41:27] <markl> my opinion is that once an item is on the agenda, or a motion created, or an action taken as the board, then it's public from there on out
[08:41:33] <iang> markl: are you saying that if the discussion leads to a decision, then the preceding discussion should be published?
[08:41:52] <markl> I agree somewhat with Ian on the issue of private mail, there's a presumption of privacy, but it's rebuttable by the circumstances
[08:42:26] <Q> iang: No, that cannot happen by default
[08:42:29] <iang> well, I do not subscribe to a presumption of privacy ... i'm too busy to grant that, and it has led countless times to abuse
[08:42:30] <markl> the presumption of privacy of emails sent by third parties to the private list is simply a courtesy extended by us.. nothing requires us to do so
[08:42:31] <dan> markl: reading your explanation i think the rule does that quite well. like rules of law, this should be read literally - explaining that to the membership is probably a good idea
[08:43:05] <iang> right, it is a courtesy, I do agree with that
[08:43:29] <markl> dan: we've had too much of individual board members making statements that have the appearance of being from the board lately, I'd like for us to resolve it here and decide on a board level protocol for how we handle this
[08:43:44] <iang> what about markl's suggestion that once it is on the agenda, it goes public?
[08:43:56] <markl> but being only a courtesy, if there's a compelling reason for publishing it, I don't see any impediment to doing so
[08:44:24] <dan> markl: agree.
[08:44:36] <markl> iang: that was my original intent in drafting it... not to archive chatter, but to document, in full, the circumstances surrounding any business transacted by the board
[08:44:59] <iang> ok
[08:45:21] <markl> the board-private list should provide a somewhat free flowing place for exchanges between board members, but if it relates to business, it should have a good reason for being on that list, and not publicly archived
[08:45:34] <iang> then my question would be how we stop business being conducted in the chatter?
[08:45:52] <Q> markl: agree
[08:45:54] <iang> but perhaps there is no answer possible to this, I'm talking aloud
[08:46:05] <iang> s/talking/thinking/
[08:46:38] <law> stopping that might result in these businesses being ignored then - which would be worse.
[08:46:43] <markl> the issue I see is lets say there is a problem between two board members, i'd rather that it get sorted out on the -private list without fear of it being made "public by default"
[08:46:47] <iang> point
[08:47:33] <markl> iang: i think the only practical way to deliver that would be to consider anything on the -private list each time we pass a motion
[08:47:52] <Q> Ok, so where do we go from here?
[08:47:52] <markl> and publish it or decide to not do so under 23B(2) at the time of the motion
[08:48:09] <iang> markl: that is the way I read 23(B)
[08:48:15] <markl> what if we move a motion like this...
[08:48:32] <iang> that is, everything written on the private list should be accompanied by a public disclosure of reasons
[08:48:52] <Q> markl: do I understand it correctly if I summarize as: only board stuff, as part of pre-discussion. When it leads to a public decision, we need to agree what is published?
[08:49:27] <dan> leads to "business transaction"
[08:49:47] <iang> it doesn't sound very efficient to me
[08:50:19] <iang> i thought what markl meant was that once it was agenda'd the discussion should move to the public, or be published. but i might be wrong
[08:50:32] <iang> any procedure should be workable, efficient
[08:50:40] <dan> lets wait for mark's motion proposal
[08:50:44] <markl> yes, that is my position, iang
[08:51:22] <iang> Chair; one way forward is to have Markl explain more fully how he interpreted the 23B rule to the members, and take it from there?
[08:52:00] <markl> I'd be happy to do that, and we can prepare a resolution implementing rule 23B in consultation with members of the association.
[08:52:00] <Q> markl: do you want to come up with a new proposal now, or write one and let us vote later?
[08:53:16] <markl> Q: as I said above, happy to do as suggested and write an opinion for the membership to review, and then we can try and reach agreement on a resolution implementing the rule formally
[08:53:17] <Q> (proposal ==> interpretation)
[08:53:33] <Q> Ok
[08:53:33] <iang> right, can't be done now though
[08:53:44] <markl> iang: right
[08:53:53] <Q> Any other questions regarding this topic?
[08:54:06] <Q> Then let's continue to next
[08:54:30] <Q> Vacate position of org assurer.
[08:54:36] <Q> Daniel, you have the floor
[08:54:59] <dan> continuing from last meeting clarifying officers. - any real objection to this proposal?
[08:55:12] <markl> what are we achieving here?
[08:55:33] <dan> for this one - making sure that people in dedicated positions are actually doing some work
[08:56:04] <markl> ok, so you're proposing to remove the current org assurance officer?
[08:56:23] <iang> part of the problem is that it is very unclear who the current org assurance officer is
[08:56:28] <dan> yep - notices were previously sent to sam/greg with no response /interest
[08:56:32] <law> sam or greg
[08:56:42] <law> i think greg for now.
[08:56:44] <dan> i think it had to be one of the two - agree it wasn't fully clear
[08:56:50] <dan> neither responded
[08:57:12] <markl> so you recommend declaring the position vacant?
[08:57:16] <dan> yep
[08:57:19] <iang> another part of the problem is that other people find it harder to help when there is someone holding the title
[08:57:20] <Q> law, dan: how long no response?
[08:57:49] <markl> makes sense to me
[08:57:53] <law> I had some issues regarding OA and have seen no input from any of them for this year.
[08:57:57] <iang> so we reach deadlock pretty quickly, and it takes a long time to shake it
[08:58:22] <dan> sent 2010-03-17 10:06
[08:58:28] <Q> ok, I move we declare the position vacant, since we've heard nothing for more than three months
[08:58:46] <iang> Did OA team put a report into the Annual Report? I don't recall.
[08:58:50] <dan> k - i'll put it up as a formal motion.
[08:58:55] <iang> Seconded and Aye
[08:58:58] <Q> aye
[08:59:01] <dan> iang: i didn't think so either
[08:59:03] <law> aye
[08:59:03] <markl> aye
[08:59:08] <ernie> aye
[08:59:14] <Q> ok, declare it carried
[08:59:38] <Q> Question: how will we communicate this?
[08:59:39] <law> I think there is no really formed OA team. Also in some countries a lot is happening to bring it forward.
[09:00:07] <dan> good to hear
[09:00:31] <dan> next - 4.1 remove house officer position
[09:00:47] <dan> email sent same day - no response -
[09:00:57] <law> remove or vacate?
[09:01:00] <dan> remove
[09:01:06] <dan> and vacate
[09:01:36] <markl> was there a response from the current holder of the position?
[09:01:36] <dan> I couldn't think of a substantial amount of work to be done here
[09:01:43] <dan> no response
[09:01:55] <Q> I remember some discussions regarding style of presentations. Do we not need such a position?
[09:01:55] <dan> (from Johan)
[09:02:08] <iang> work was done, but the software team was unable to coordinate, so the work was wasted
[09:02:22] <ernie> Q, I think we need somebody who is able to prepare templates etc
[09:02:47] <dan> ernie there is a style guide currently which i like.
[09:02:54] <Q> Iang: was that regarding "look and feel" of our software?
[09:02:57] <law> I think the style work can be done from the community. We do not require a position here for now. But if someone with a good effort comes up from the community we can just re-add this.
[09:03:07] <ernie> yes - but to prepare templates, which people can take and use
[09:03:13] <iang> yes, Teus brought Johan in to re-do the look & feel of the software
[09:03:33] <markl> next time you make a document in accordance with the style guide, save it as a template and let people know where to find it :)
[09:03:45] <markl> voila... someone made templates :)
[09:04:16] <law> document != templates. Templates contain some more scripting for dynamically adjusting stuff etc.
[09:04:26] <Q> Ok, I'd like to split in two decisions, one to vacate, the second to remove
[09:04:47] <markl> Q: if everyone is in agreeance about removing, then vacating it is an obvious consequence
[09:05:10] <iang> i think the role "officer" is not needed here
[09:05:32] <iang> if someone wants to help with a style, it's hard to see how a title will help them ... and it didn't help Johan
[09:05:35] <Q> Problem is we might need this (templates and style is not something that can be done by a group, I've seen that go wrong too often, so we might want to keep the role)
[09:05:54] <law> I think we do not require a House Style Editor / Coordinator / Team Leader - but i would say it is a nice to have.
[09:06:06] <markl> templates can be done by anyone.. you don't need a title to use openoffice
[09:06:12] <Q> Ok, I move we remove the House Style Officer role
[09:06:18] <dan> aye
[09:06:22] <ernie> aye
[09:06:26] <iang> aye
[09:06:30] <markl> seconded and aye
[09:06:31] <Q> no one wants to second? ;-)
[09:06:37] <Q> ok, aye
[09:06:41] <Q> Carried
[09:06:58] <law> markl: a template also means, that it is exact by one px in any document - this is nothing which can be done easily.
[09:07:01] <Q> Next one: do we need the org. assurance officer?
[09:07:21] <law> abstain
[09:07:28] <law> yes.
[09:07:29] <Q> Law, you mentioned some activity in some countries. Please comment?
[09:07:35] <dan> its an open question from me - was just questioning all positions/roles
[09:08:08] <iang> we need an org. assurance team
[09:08:14] <law> I know in switzerland people are active to move OA forward. Germany also. Active in assuring organisations and also in bringing up some documentation.
[09:08:16] <markl> It seems we do, but I think that even if we don't, we shouldn't be deciding without input from the wider community. At least the AO's input would seem mandatory here.
[09:08:42] <ernie> I think we need people in each country they doing something
[09:09:05] <markl> also, the OAO exists in policy, it can, in my opinion, only be removed by the policy group
[09:09:06] <Q> IMHO we need more focus on org assurance, I guess someone coordinating that (with whatever title) would be ok
[09:09:10] <ernie> OA you must have knowledge of the country
[09:09:22] <law> Actually I have the feeling that OA requests which do not go directly to a person who has time just end in a big black hole - an OAO could have the job to care for such cases.
[09:09:36] <law> e.g. countries where oa is not really available.
[09:10:10] <Q> Ok, we can vote, but it seems no one really wants it gone?
[09:10:12] <iang> yes, policy is pointing to the wider issue ... the org assurance area has a number of shortfalls, and any officer would be responsible for those
[09:10:37] <law> we need to vote since it is on the agenda...
[09:10:42] <markl> OA requests should probably go thru support, seeing as we have existing infrastructure for directing enquiries.. that doesn't seem a good use of the OAO's time
[09:10:49] <markl> we dont need to vote just because it's on the agenda
[09:10:51] <iang> so just appointing is likely to not be the answer; we need the team and attention to the wider picture ... which is no small request
[09:11:00] <markl> someone is free to move a motion, but we don't need one to satisfy the agenda
[09:12:27] <dan> i'm happy to defer and ask OAs and AO what they think and determine interest there in fixing policies for policy group
[09:12:31] <Q> Ok, summary seems to be (correct me if I'm wrong): cannot be removed, is part of policy, and we need this, is big task. (however, currently we have no one)
[09:12:56] <law> yes. vacating for me is fine - removing not.
[09:13:05] <ernie> Q, Policy must be done - and the sub-policies for the countries
[09:13:21] <markl> Q: seems a fair summary
[09:13:35] <dan> ok so noone has really expressed a desire to remove the position so lets keep it as that and move on
[09:13:43] <Q> Ok, let's keep the role, and continue
[09:14:02] <Q> Removal of titles: Ernie/dan, you can share the floor
[09:14:50] <dan> it seems to me that officer implies they are setting the direction
[09:15:08] <dan> this isn't really a common term in community organisations like ours.
[09:15:32] <markl> there are two fatal flaws in this agenda item... we do not have the authority to rename most of them, because they are created by policy, and this is arguing about what colour to paint the bikeshed, wasting time spinning our wheels... see http://bikeshed.com/ after this to understand
[09:16:05] <dan> while some positions have responsibility i think there's more social harm which the board is responsible for.
[09:16:28] <Q> This is where I have to rely on people that are native speakers, might not understand the implication of the exact words
[09:16:32] <markl> the place to bring this up is on the policy list, because renaming most of these positions would necessitate a change in policy, which we cannot do
[09:16:37] <law> We could just decide to name the positions as we ever like and keep an alias for them who are required by policy
[09:16:53] <law> and advise policy group to change policy to get rid of the names.
[09:16:54] <ernie> and people don't see it as closed, sometimes officer gives not the right impression to people
[09:17:00] <Q> law: that would be a waste I think
[09:17:02] <dan> native isn't the only issue. each language interpretation is important
[09:17:38] <ernie> I think teamleader makes clear - he is working with and within the team
[09:17:43] <Q> dan: you say "officer" implies more than how I read it so far
[09:17:48] <markl> on a point of order... if we cannot decide this here, it's not the right place to discuss it.. it would be much better to bring it to the attention of the policy group
[09:18:17] <dan> Q: authority to direct and obey in a militaristic way
[09:18:26] <Q> markl: I understand, just like to understand what the issue is, then we can send a clear question to for instance policy group
[09:18:39] <iang> where there has been a lot of policy work, and the teams are well formed, there are titles in the policies
[09:18:51] <markl> dictionary definition... An officer is a person who has a responsible position in an organization, especially a government organization.
[09:19:06] <iang> and where the policies feed up to audit, there is a sense of responsibility that can benefit from a serious title like Officer
[09:19:33] <law> so would a team leader not be a serious title?
[09:19:40] <iang> however, SP did not follow that path, preferring to use the term "team leader" perhaps signalling the more technical nature
[09:19:41] <dan> we won't make it to an audit if position titles put people off doing work
[09:20:23] <markl> what's the basis for the conclusion that the word officer is putting people off doing work?
[09:20:31] <iang> law: if the term team leader is in the SP, it's serious
[09:21:10] <ernie> iang, since when has a title something to do with seriousness
[09:21:43] <iang> ernie: if a policy sets a responsibility to a title, the person with that title can be held to it
[09:22:06] <law> I think we should try to find a term which matches all positions.... so we do not end up having team leaders, officers, editors and Coordinators which to me seem to be quite the same.
[09:22:10] <dan> markl: mainly I wouldn't join a community organisation to report to an officer
[09:22:40] <ernie> iang, wishful thinking - the process must work - but this has nothing to do with a title
[09:22:41] <markl> dan: and I'm not sure anyone is.. when did you last "report" to a CAcert officer? :)
[09:23:06] <dan> thats partially the point i never have (under sysadmin anyway)
[09:23:11] <iang> ernie: well, however it is done, someone is identified as making the call
[09:23:46] <Q> Ok, my summary: current titles imply things (authority?) that might not be there, and some of us feel this is holding members back. However, we as board cannot change titles, must be done in policy group. Correct?
[09:24:19] <iang> e.g., in the recent fracas between Arbitration and Support, it was quite clear that the Arbitrators felt that the Support Team Leader should act, and Support t/l felt that the Arbitrator should act
[09:24:36] <iang> if those titles weren't there, we would not have been able to move forward and resolve the dispute
[09:25:18] <iang> Q: no, not all titles are in policy; e.g., House Style Guide was not
[09:25:22] <ernie> iang - if you have there a teamleader - you can do - where is the problem
[09:25:26] <markl> there's some problems here... the basis of the discussion is without foundation... some of you have a "feeling" that it's stopping work, but without any evidence
[09:25:37] <iang> (or, it was in a self-written document called policy but not under PoP)
[09:25:47] <markl> i'd submit the titles don't mean much to anyone in terms of getting work done, and at least not nearly as much as the actual personality that occupies the position
[09:26:02] <markl> but in any case, we cannot change their names here, this needs to move to the policy list
[09:26:26] <iang> what we have tended to do is work with the teams and relabelled the titles as appropriate
[09:26:45] <Q> Well, I prefer a clear job description over a specific title.
[09:26:48] <iang> it used to be that we had "critical systems officer" but we gradually migrated it over to team leader
[09:27:11] <iang> right ... the migration of the title was on the back of the SP
[09:27:20] <Q> According to markl we cannot decide. I suggest we continue, and forward our concerns to the policy group for discussion?
[09:28:05] <law> We could decide it partially here. But referring the whole discussion to the community for now seems fine for me.
[09:28:40] <iang> perhaps a statement that we'll entertain any reasonable suggestion to change the titles ... when an appropriate team asks?
[09:29:16] <Q> Anything else on this subject?
[09:29:29] <markl> we've got issues with stepping on the policy group's toes at the moment, i think we should transfer this discussion wholly over there
[09:29:42] <Q> If not I'd like to move to the next item
[09:29:44] <Q> Ok
[09:29:57] <Q> Next item: policy officer/editor
[09:29:59] <Q> Dan?
[09:30:42] <dan> this appointment proposal was based on a few people's interest in doing trivial editing - I was hoping to fill it at least temporarily so this could occur. since then i've seen no trivial edit proposals
[09:31:25] <dan> filling it with someone responsible was the general idea.
[09:31:53] <dan> not sure if filling it is going to enable people to contribute trivial edits which need to be done though
[09:32:41] <dan> thoughts anyone/
[09:32:42] <dan> ?
[09:32:47] <Q> There have been discussions on two tasks:
[09:32:47] <Q> one was summarizing and writing the ideas of the policy group
[09:32:47] <Q> other was trivial editing
[09:32:47] <Q> Both of these were tasks of policy officer
[09:32:53] <iang> no edit to a policy-in-effect is trivial. Audit requires change management to be in place (and by that, it includes governance over & above SVN /wiki)
[09:33:40] <Q> iang: correct, but there have been "simple" changes (like typos) that needed to be changed, without full voting
[09:33:45] <law> iang: from my point of view this is more a technical thing to implement notifications with svn.
[09:34:04] <dan> p20100306 defined trivial editing in some ways
[09:34:34] <iang> Q: that was the effect of the policy motion of last month, but all that did was clear the way for it to happen without a policy group motion.
[09:34:39] <Q> But trivial editing is only part of the role
[09:34:58] <dan> the issue is noone has the authority to implement these and perhaps without appointment noone will
[09:35:34] <dan> even try to
[09:35:51] <Q> Working with the policy group, trying to find the right words, so that everyone agrees is another. I think Ian has done that for a while
[09:36:33] <law> So Ian rejected for the PO position, right?
[09:36:46] <iang> Yes, however I won't accept the role. At this stage my advice is to declare the role open.
[09:36:57] <iang> law: I never rejected the role. that was assumed
[09:37:03] <Q> We (as board) might be able to make small corrections, but not the intensive work that has been done so far
[09:37:25] <dan> https://wiki.cacert.org/PolicyDecisions#p20100306 defines the scope
[09:37:27] <iang> I reject the role now because in the last week it has become clear that policy advice is not easy
[09:37:35] <law> I read so from your recent mail. But now you did.
[09:37:46] <Q> That should be done by someone who has time and enough overview over current policies
[09:38:34] <dan> doesn't need to be - most fixes can be done in isolation
[09:38:48] <iang> Q: the board can't really make small corrections ... because there is a process by which the small corrections reach the website ... the whole thing has to be done holistically and quickly
[09:39:17] <iang> it can really only be done in concert with the software assessors or the critical systems team
[09:39:53] <Q> dan: policy officer does more than the trivial edits that were mentioned in p20100306
[09:40:11] <iang> one day, we might have a better system to do this. today we don't, it has to be done as a patch, literally
[09:40:26] <Q> iang: not as board (with group discussions) but as persons who make edits according to procedure
[09:40:27] <dan> there's a set of responsibilities under PoP too. this has been vacant so far so I'm not expecting work there
[09:40:40] <Q> iang: these would be URL corrections and all
[09:41:38] <Q> iang: not the rest of the policy officer work
[09:41:54] <dan> can we appoint all board to be able to do policy edits. community contributions then can be done. SVN changes can periodically be shown to the group before publishing them.
[09:42:18] <markl> it seems a conflict to appoint "the board" as policy officer, because we also have a veto under PoP
[09:42:21] <law> I do not want to edit any policy....
[09:42:46] <iang> I don't think that sounds very clear to an audit perspective.
[09:42:47] <markl> we're already a separate "actor" in PoP..
[09:42:53] <dan> law: would you commit a trivial change if someone showed it to you?
[09:42:54] <law> ... and do not want to be able to - I have no clue about the whole process.
[09:43:32] <law> First I had to judge whether it is a trivial change. If it is an obvious typo - maybe.
[09:43:34] <Q> markl: good point. It's also not in line with discussions regarding ABC for board: board is not involved in operational tasks, so has no access to critical data, so would not need ABC
[09:44:12] <dan> vetos occur over serious matters not trivial edits can't see a conflict
[09:44:34] <iang> Audit wants the change control on policies to be at least as strong as source code. Possibly stronger (not worth debating)
[09:45:09] <markl> dan: policy officer decides matters in tight votes, "keeps order".. it's more than just fixing typos
[09:45:26] <law> iang: what change control is actually in place? How is it enforced?
[09:45:37] <iang> it's a patch to the critical system
[09:45:58] <markl> also, disputes under PoP are arbitrated, which is subject to appeal to the board
[09:46:03] <iang> so that means when a policy goes to the website, we have to get the patch through
[09:46:13] <law> so anyone can edit policies in SVN as he likes?
[09:46:15] <markl> another reason why the board shouldn't be appointing itself policy officer
[09:46:28] <dan> law: not legally
[09:46:35] <dan> well according to policy/appointment
[09:46:40] <iang> correct, this is a weakness in the system in that anyone can edit the DRAFT policies. for this we rely on scrutiny
[09:47:51] <law> since a draft policy is as good as a policy, I conclude there is no change management in place.
[09:48:19] <dan> so at the moment we are stagnant with cleaning up policies and there's no move to fix it.
[09:48:24] <iang> you can claim that ... Arbitrators and Auditors view these things with different eyes
[09:48:38] <dan> if we can't get small fixes done how do we expect big improvements to happen
[09:48:44] <markl> the presence or lack of change management doesn't really change the issue here does it?
[09:49:46] <dan> i see it as a board responsibility to remove barriers to contribution - lack of an appointment is one aspect.
[09:49:46] <iang> markl: not really
[09:50:30] <Q> My summary: board cannot act as editor. A single board member might, but that would be a double role (so not acting as board member).
[09:50:49] <ernie> where are the different versions of the drafts? if we have them
[09:51:04] <dan> right - board was chosen for convenience and community respect nothing more
[09:51:42] <Q> Anyone has a suggestion for a way out, regarding trivial edits?
[09:51:57] <iang> As I suggested, leave the position vacant.
[09:52:15] <markl> in the interim, can't the typo fixes just be posted on the policy list and dealt with there?
[09:52:16] <iang> policy group has gotten along fine without it so far.
[09:52:23] <Q> iang: that would make it impossible to even change URL errors for now
[09:52:31] <dan> markl: no one seems to be motivated to do this
[09:52:52] <iang> markl: yes, what will happen is that at some stage someone will go through and fix the policies, and then take a review through as a proper decision
[09:52:57] <markl> in the time spent arguing here, a patch could have been created, and a vote put to the policy list
[09:53:13] <iang> the decision of a few weeks ago was simply an efficiency thing of minor note
[09:53:48] <dan> fine - move on
[09:53:52] <iang> the real work was hidden
[09:54:03] <law> So just wait until policy group gets sick about a missing policy officer and comes up with a good proposal
[09:54:27] <Q> law: basically: yes
[09:54:30] <iang> law: that sounds good to me
[09:54:31] <Q> Let's continue
[09:54:40] <markl> or, actively get out there and propose it if you feel strongly about it
[09:54:56] <markl> we should be appointing people based upon need and recommendation of the people who are affected by the appointment
[09:55:13] <Q> Nominate Walter Gueldenberg
[09:55:24] <markl> which means the first place to discuss a proposal to appoint someone should be within that part of the community, to get their input
[09:55:38] <dan> Q: done https://community.cacert.org/board/motions.php?motion=m20100327.1
[09:56:25] <Q> dan: thanks, was checking the motion
[09:56:53] <dan> done as in completed - next
[09:57:11] <Q> So next, DRC criteria
[09:57:15] <Q> Ernie: you have the floor
[09:57:32] <ernie> Could we ask Mozilla for a preliminary ruling or not?
[09:57:53] <ernie> did we know it is still accepted?
[09:58:22] <markl> I think Ian addresses that here: https://lists.cacert.org/wws/arc/cacert-root/2010-01/msg00012.html
[09:59:06] <ernie> this is also some time ago that it was informally accepted
[09:59:08] <dan> i'm suspecting since that time they have come up with more defined procedures that we can use
[09:59:22] <markl> http://www.mozilla.org/projects/security/certs/policy/
[09:59:41] <markl> "We reserve the right to accept other criteria in the future." is what we're hanging our hat on in that policy, I presume
[10:00:19] <dan> "However the CA may request a preliminary determination from us regarding the acceptability of the criteria "
[10:00:57] <dan> so get "our DRC" criteria accepted
[10:01:42] <markl> Ian will surely correct me if I'm wrong, but I imagine that determination isn't likely to come from just asking "hey, can we store the root key passphrase?"... we need to create the policies, and claim an exception to any DRC we cannot meet, and document our compensating controls, and then ask Moz for a "preliminary determination"
[10:01:43] <Q> iang: do you have anything regarding this question that was not in the email? Specifically: do you think it makes sense to go ask?
[10:01:56] <Q> (sometimes asking gives others time to rethink)
[10:02:24] <iang> the link posted above by mark seems to capture the flavour of the situation
[10:02:46] <Q> iang: which of the two? ;-)
[10:02:48] <iang> asking for a preliminary determination isn't likely to give you much
[10:03:05] <iang> 1st, my post to -root
[10:03:15] <Q> that's my experience as well (in other audits)
[10:03:27] <dan> why isn't it going to give us much?
[10:03:35] <iang> there was a preliminary determination in place .. but it might have expired
[10:03:49] <iang> well, because they won't give you all you ask for
[10:03:54] <Q> because in the end it's the moment of the audit that counts
[10:03:59] <dan> their policy says they will
[10:04:08] <Q> Will only give info when you're terribly wrong
[10:04:20] <iang> and they might impose conditions .. .like "one year"
[10:05:04] <dan> at least it shows a preliminary acceptance for a year's work
[10:05:19] <Q> dan: it's also my experience that an auditor only makes a firm statement at time of audit. Until then they like to keep vague
[10:05:26] <iang> or, they might say that as you have no clear prospect of needing this, we decline to respond
[10:05:34] <markl> dan: what are you proposing to ask exactly?
[10:05:53] <dan> Q: markl: proposal is we're asking about the criteria acceptability
[10:06:10] <dan> is drc acceptable to mozilla as a CA criteria
[10:06:24] <dan> my thoughts as far as steps is 1. determine drc criteria we can't meet 2. approach drc with alternatives. 3. if drc changed then we can go to mozilla otherwise we need to specify our alternatives
[10:06:38] <markl> that's not how an audit usually works dan
[10:06:57] <dan> mozilla policy says how an audit works.
[10:07:20] <markl> usually you have a criteria, you attempt to comply with it, you document where you don't, you think up what compensating controls you have to explain away why you don't comply, then you appoint an auditor
[10:07:22] <dan> drc is labeled as draft so i assume it's still open for suggestions
[10:07:35] <markl> dan: no it doesn't, says you have to have one, not how an audit works
[10:08:36] <dan> audit describes how you meet a criteria - a preliminary step of getting a determination of the acceptability of a criteria seems prudent
[10:10:47] <iang> if the intention is to make some mods to the criteria first, then ask for a preliminary determination on a drc-bis .. well, "good luck on that!"
[10:11:29] <Q> dan: I understand what you try to accomplish, but as I understand it the DRC criteria are accepted as a way to review/audit CAcert
[10:11:37] <iang> just in case it wasn't clear, David Ross is part of the community, and his opinion on any changes is likely to be sought ... if it gets that far
[10:12:18] <Q> so asking again will not get you anything
[10:12:40] <Q> modifying the DRC criteria otoh will get you into trouble
[10:12:56] <Q> because you're changing the rules halfway
[10:13:02] <Q> that will raise some eyebrows
[10:14:53] <Q> I don't think there is consensus now, but given the time I'd like to continue
[10:15:04] <Q> any problems with that?
[10:15:18] <markl> works for me
[10:15:19] <ernie> no
[10:15:23] <iang> please, let's continue
[10:15:39] <Q> Ok, certificate issuing for CAcert
[10:15:39] <dan> ok - some proposal can be drafted for review when ready
[10:16:18] <Q> As I understand it, it's an "eat your own dogfood" exercise by having CAcert org assured?
[10:16:28] <Q> Law:?
[10:17:07] <law> I think our O-Admin list for CAcert Inc. just needs some regular rework done since there are quite inactive people in the list.
[10:17:55] <iang> i have a concern / question: who is it that can issue a certificate for secure.cacert.org ? (if that's not part of this point, let me know)
[10:17:56] <law> Taking the input so far I would propose to move changes reflecting points 3-5
[10:18:43] <markl> iang: or *.cacert.org, or www.cacert.org
[10:18:46] <law> These are the O-Admins we are currently talking about. We cannot distinguish between wiki and secure
[10:19:06] <iang> then, isn't this a critical task?
[10:19:23] <markl> I would think it's certainly a critical task, even if secure.cacert.org was specifically excluded
[10:19:57] <markl> there's too many sensitive names that could be issued as certs
[10:20:08] <law> so to the requirements from OAP we additionally want the people to be ABCd?
[10:20:24] <markl> also, for the same reason, we need some way to implement dual control
[10:20:30] <iang> that might be a conclusion, but I'm not sure yet
[10:20:45] <law> the system does not support dual control.
[10:20:56] <iang> what I'm trying to be clear here is, are we really talking about issuing certificates that can be used to MITM our own people?
[10:21:28] <ernie> iang, MITM means what?
[10:21:37] <iang> man-in-the-middle
[10:21:44] <ernie> iang, thanks
[10:21:47] <iang> which is what a certificate is designed to protect from
[10:21:51] <law> we are talking about certificates that are issued for the domains cacert.org, cacert.net and cacert.com (iirc) and with the organisation name CAcert Inc.
[10:22:46] <Q> law: are these critical systems, or Infrastructure, or ...?
[10:22:49] <law> we could limit it for some O-Admins the OUT.
[10:23:00] <iang> ok, so this sounds like a critical task because these certificates are usable for various things
[10:23:40] <law> It has nothing to do with the systems. They are just certs. Where they are used depends on the sysadmins.
[10:23:51] <iang> there's not much point in being a CA, and protecting our certificates for joe.blog.org ... if we don't protect the certificates for our own domains to the same extent
[10:24:07] <law> But since the critical team is in control of DNS we might consider ignoring this here.
[10:25:01] <markl> law: dns control isn't the only issue, the ability to potentially intercept network traffic outside of the system and perform a man in the middle attack is the bigger risk
[10:25:33] <markl> if I can sign a cert for secure.cacert.org and then intercept your network connections to secure.cacert.org, I can present a valid certificate that you won't know is forged
[10:26:40] <law> So regarding this we would also have to consider that an organisation assurer can manipulate the list.
[10:26:59] <Q> Just checked: www.cacert.org has CAcert Inc. as O, so it includes all of our systems?
[10:27:00] <law> I could add myself or anyone else to the cacert O-Admins.
[10:27:22] <Q> hmm
[10:27:26] <law> we have separate certs for nearly all systems.
[10:28:15] <law> saying this, we could not trust CAcert for issuing certs for CAcert Inc.
[10:28:55] <Q> law: I'd say we might not have the right procedures
[10:29:17] <Q> law: and who or what is "CAcert" in your statement?
[10:29:35] <law> CAcert is in this case the CA we are operating
[10:30:20] <iang> well, within the CA, we have dual roles and other governance techniques to provide some reasonable controls
[10:30:25] <Q> CAcert can be trusted. It's the O-Admins that can request certs from CAcert that is the issue
[10:30:43] <iang> so it may be that the support team holds the O-Admin role and hands the certs across to critical team (or v.v.)
[10:31:20] <law> And we really need to ignore the flaws regarding the organisation assurer for now
[10:31:23] <iang> or it may be that one person in the critical team is designated O-Admin, whereas another is the one that utilises the certs
[10:31:43] <Q> It's like company X that requests a new cert for www.X.com: if requested we can trust CAcert to issue the right cert. The question is: can you "trust" the O-Admin of "X"?
[10:31:45] <iang> law: yes .. we need to establish the principle, and later on worry about the implementation
[10:31:56] <markl> although I know it's not currently possible, I think we really need dual control of the issue of certificates themselves
[10:32:02] <law> Critical team does not want to be involved with cert issuing for now. So we have support as an option.
[10:32:06] <markl> because any other form of dual control doesn't address MITM issues
[10:32:22] <iang> also, Access Engineers
[10:32:40] <iang> and the Software Assessment team (Markus + Philipp)
[10:33:14] <iang> markl: are you thinking about a patch to the system to add dual control to the O-Admin interface?
[10:33:24] <law> So from the discussion I conclude we should require the O-Admin for the CAcert Inc. ABCd
[10:33:53] <markl> iang: well yes, that would be a necessary part of it
[10:34:03] <Q> law: yes, I think so. But ABC is not enough
[10:34:05] <law> Any system patches are far away from being implemented.
[10:34:10] <Q> Should be dual control
[10:34:12] <iang> law: i wouldn't put it that way ... i'd say that first, we conclude that the issue of any certificates that can be utilised in a fashion to attack us ... must be a critical responsibility under SP
[10:34:27] <iang> the ABC comes as a consequence
[10:34:49] <Q> iang: even better described
[10:35:01] <markl> dual control signing is probably a quite desirable feature for other orgs too
[10:35:05] <iang> so then we have to develop some method within SP to handle this new task ... which teams, which persons, which controls
[10:35:13] <law> So for now this means we choose people for the O-Admin role which have an ABC.
[10:35:22] dan leaves for prearranged family event. apologies for lack of full attendance (first time)
[10:35:32] <iang> markl: nod, I don't disagree, would be nice
[10:35:32] <markl> iang: perhaps that's the answer, draft a new section into the SP?
[10:35:51] <markl> dan: cya
[10:35:54] <Q> dan: thanks!
[10:35:57] <law> dan: cu
[10:36:14] <ernie> dan, bye
[10:36:21] <iang> markl: possibly. I'm not seeing it so clearly as that as yet
[10:36:48] <law> So Iang/Markl: refer this point to policy group?
[10:37:06] <Q> law: Think so yes
[10:37:13] <iang> um ... i would refer it to the critical teams for comment ... perhaps as well as policy group
[10:37:37] <iang> root team also, but ... oh, that's next agenda item .. oh well
[10:38:02] <markl> agree with ian
[10:38:20] <iang> although I will say: mario, thanks for bringing this up. This represents a surprise to me
[10:38:27] <iang> and I should have seen it before :)
[10:38:50] <Q> law: can you summarize, and send question to policy group, critical sysadmins, root team?
[10:38:52] <markl> yeah, it's definitely food for thought
[10:39:48] <law> If there does not need to be more discussions on this, I'd like to move to remove Evaldo, Gullaume, Philipp G and Bernhard from the O-Admin list and add Michael (who is ABCd as support team leader) as O-Admin for CAcert Inc. More discussions about implementation into systems and policies need to be done.
[10:39:59] <Q> law: would it be possible to request a list of issued certs, so that we can verify this has not yet been misused?
[10:40:21] <Q> second
[10:40:49] <iang> Aye
[10:40:53] <Q> aye
[10:40:54] <law> Q: Ask an O-Admin for the list or file a dispute to have a system query would be the options here.
[10:40:55] <law> aye
[10:41:02] <markl> aye
[10:41:05] <ernie> aye
[10:41:25] <iang> law: we are the owner of those certs, we skip the dispute this time ;-)
[10:42:19] <law> OK, are there any objections if I propagate the changes as OA with the system?
[10:42:24] <Q> law, I agree with Ian, it's ours, and we only need to know *if* other certs have been requested, not the certs themselves
[10:42:33] <iang> law: you are the OA? aha!
[10:42:40] <law> I am an OA.
[10:42:50] <law> I did not assure CAcert Inc.
[10:42:57] <iang> oh, are you saying that any OA can set the O-Admin?
[10:43:11] <law> yes.
[10:43:25] <iang> understood. Then I have no objection if you make the changes so
[10:43:26] <Q> Interesting...
[10:43:42] <iang> Q: my thoughts exactly ...
[10:43:48] <Q> :-)
[10:44:27] <iang> so that means ... any OA can add any O-Admin .. to any O ... including CAcert.org ... which means
[10:44:29] <law> At least I have the buttons... trying just now to delete the old - before adding i will consult Michael, but I had discussed it with him before.
[10:44:30] <iang> oh my :-(
[10:44:45] <law> That have been my points above...
[10:44:45] <Q> iang: I was about to ask the same question
[10:45:01] <iang> law: yes, of course, implementation...
[10:45:34] <iang> meanwhile, luckily the Arbitrators aren't aware of the flood of ABCs of all OAs to turn up ;-)
[10:45:36] <law> I am not sure whether it is hidden in the system, but I cannot see who has added the organisation.
[10:45:43] <Q> Ok, let's move to next item
[10:45:45] <law> deleting the org admins was successful.
[10:46:08] <Q> Why was root list moved to policy?
[10:46:15] <Q> Iang:
[10:46:59] <iang> well, my questions & comments are in the agenda
[10:47:06] <iang> daniel has responded to some extent
[10:47:09] <markl> I'm unsure why my email is referenced on this item, but suffice to say I didn't suggest the list be removed, or even hint at it. My point was in relation to a specific piece of proposed policy that was trying to be rammed thru as urgent.
[10:47:11] <law> Dan is no longer here...
[10:48:08] <law> But is this a board item? List management has been decided to be community driven...
[10:48:08] <iang> but I am not happy with it. Not a lot I can do about it ... if Dan wants to slow it down then that's what happens
[10:48:32] <markl> tho I think I might have been responsible for trimming the crazy long cc list at some point, perhaps down to just the policy list, because the discussion had turned more to meta policy discussion at that stage than technical root discussion
[10:48:35] <iang> I agree ... it was just more vented frustration on my part
[10:48:35] <law> I agree, I cannot follow Policy atm - but roots would have been possible...
[10:48:58] <law> So is there anything we as board want to do here?
[10:49:17] <iang> this progression of bouncing the root project from one forum to another out of frustration that someone doesn't wave a magic wand ....
[10:50:03] <iang> no. actually we as a board should do nothing. there is no proposal on the table, and until there is a clear proposal *with recommendations* ... I think it goes back to the community
[10:50:36] <Q> What if we ask the policy group to vote on it? for instance: have technical discussions on separate root list, then summarize when it touches policies?
[10:50:38] <iang> (in my humble opinion)
[10:50:45] <iang> Q: vote on what?
[10:50:49] <markl> on the list front, no one seems happy with the removal of the cacert-root list... perhaps Dan will just back out removing the list in light of this?
[10:51:02] <Q> vote on changing back, or keeping as is?
[10:51:06] <iang> oh i see. well, that would come out in the positive, I guess
[10:51:24] <markl> he's not here to answer that, so maybe just leave it for the moment, and resolve it on the list? we decided that lists were not our domain
[10:51:33] <iang> the thing is, policy group as a group aren't sure what's going on ...
[10:51:41] <Q> markl: agree.
[10:51:49] <Q> do we all agree?
[10:51:51] <iang> in principle, SP has already said its part ... policy group don't have anything to say ... like board
[10:51:58] <law> agreed.
[10:52:01] <ernie> Q, agree
[10:52:05] <Q> Then we can continue
[10:52:11] <iang> agreed
[10:52:21] <Q> Security Policy
[10:52:23] <markl> 11 seems like a non-starter.. more policy group stuff
[10:52:32] <Q> This was brought to us by Dan
[10:52:57] <Q> He suggests we discuss this on policy list
[10:53:12] <Q> not much else we can do, is there?
[10:53:38] <Q> Anyone?
[10:54:00] <iang> so, this is dealt with?
[10:54:06] <iang> which is to say, not deferred.
[10:54:29] <iang> that is; referred to policy list? just so I understand for minutes.
[10:54:45] <Q> I *think* so
[10:54:52] <law> Dan and Ernie to add their comments to policy group and us all to look over it and comment on it from board pov?
[10:55:33] <law> But since policies are not a board task, we cannot do much here, right?
[10:55:33] <ernie> law, no problem regarding 9.3.2
[10:55:42] <iang> law: I would prefer from Community pov, but ok
[10:56:10] <law> community pov is already present on the lists.
[10:56:28] <iang> in the sense of ... wearing multiple hats
[10:56:50] <markl> we can discuss coming to a board opinion on matters of policy, but only as part of the community, and part of the wider discussion of a policy
[10:57:07] <Q> markl: correct, agree
[10:57:09] <law> From board pov because to avoid getting into another situation like the board abc which forced us to veto SP.
[10:57:24] <iang> law: ah indeed
[10:57:31] <markl> so, for instance, we might discuss and resolve that the board supports option X of a change to policy Y, as a way of advancing the board's opinion as a body
[10:57:47] <Q> we can provide our own opinion to policy group
[10:58:07] <markl> Q: agreed, but there are times, like the board ABC, where it's not just our singular opinions that matter
[10:58:16] <iang> yes, and indeed this is what I was asking for, so I stand corrected
[10:58:58] <Q> ok. Anything else to add here?
[10:59:01] <Q> Then I'd like to go to question time
[10:59:28] <Q> Any questions from the board members?
[10:59:41] <law> in policy group we can only give our individual inputs. If in discussions or review other terms arise that affect board, we could discuss a formal statement to policy group in a meeting - but all we can do is give input.
[11:00:26] <Q> Questions from GolfRomeo, magu, hugi?
[11:02:06] <Q> Ok, then let's confirm next meeting: Sunday April 18, 21.00 UTC. Is that correct?
[11:02:30] <markl> If we can discuss that briefly... Saturday meetings were instituted to assist Nick with attendance, it doesn't appear to have had that effect
[11:03:18] <markl> that being the case, was there anyone else that Saturday meetings at 22:00 assisted, or can we just schedule Sunday 21:00 UTC meetings again?
[11:03:36] <ernie> and it is 3 o'clock in the morning, on a sunday I could not do so long
[11:03:51] <ernie> on monday I have to get up at 7
[11:03:58] <Q> Me too
[11:04:15] <law> sunday 21 UTC should fit me better in general. as well here as when i am back in germany.
[11:04:37] <markl> well, if we didn't have so many things on the agenda today, most of which we decided were not suitable for discussion here, we could have been done much quicker :)
[11:04:40] <Q> Next meeting is Sunday. Let's put it on the agenda, so that Nick can comment
[11:04:46] <law> i think we can consider the meeting to take 2 hours normally - we had a huge agenda today
[11:04:50] <hugi> law: where have you been, mario, tell us the truth;-)
[11:05:04] <markl> Q: sounds good
[11:05:09] <markl> just putting it out there
[11:05:16] <law> I am currently in California, US.
[11:05:40] <Q> ok, next meeting Sunday April 18, 21.00 UTC
[11:05:45] <Q> The meeting is closed
Original meeting transcript in SVN TODO