Committee Meeting 2012-01-27
The meeting will take place at 20:00 UTC in the IRC channel #board-meeting on the CAcert IRC network.
Committee Members: feel free to add a business within the acceptance period or your question to the board below. Others: add a question to the questions section.
Minutes author prepares the minutes from the last meeting
Minutes author prepares the action items. All action owners to update.
Minutes author puts motion m20120122.3 to accept the minutes
Businesses Important Note: Acceptance of Businesses 48 Hours before beginning of Committee Meeting latest!
CAcert Vision Statement added by BenediktHeintel
Please visit VisionMission
Iang's Risk Analysis of root escrow added by Iang
- letter of engagement?
Question Time Important Note: Questions from CAcert.org Community Members can be added until beginning of Committee Meeting! As well questions can be asked at "Question Time", without added Question here
- Confirm the next Committee Meeting
- Chair closes the Committee Meeting
Present: Dirk, Ian, Jeffery, Kevin, Michael, Piers, Raoul, Tomas, Werner.
Meeting chaired by Dirk
1.2 Last Meeting Minutes
Minutes from last meeting already accepted.
1.3 Minutes taker
Piers to take minutes.
1.4 cacert-board-private maillist
There is an ongoing discussion about privacy which will be dealt with in another board meeting to be convened at a separate time. There was also discussion of a letter of engagement, which resulted in agenda item 2.2 below.
1.5 Action Items
The Public Officer states that OFT have accepted the Annual Report, and the amendments to the Constitution which take effect from 9th January 2012. Rules of Association document to be updated to reflect date of AGM adopting changes, and effective date for OFT. Summary of changes to be posted by Kevin.
The advertising/logo-challenge has been delayed by the software-team.
Amazon have responded re the affiliates program. Marcus reports that it looks like we need to sign up for each country separately with separate accounts. Therefore he does not see that this is the best affiliate program for our needs. We should look for a different program.
2.1 CAcert Vision Statement
Proposer not online to discuss this item, which was therefore postponed to the next meeting.
2.2 Iang's Risk Analysis of root escrow
- Previous board decided that the report was to be confidential until such time as they had seen it. However this was only the report, not the process. We can happily discuss the process in public. The sense of it was that there might be some risks identified that we didn't want an attacker to know about. Ian doesn't think there is anything so dramatic that has come to light. A risk analysis is generally rather high level, it isn't like a code review that finds zero-day exploits. It comes up with statements like "risk of theft of root is too high, buy this expensive toy to reduce the risk." Ian suggests that he is not that interested in posting WIPs around the place, as it is clumsy, not easily wikifiable. So it is easy enough to keep it closed until he gets something he wants to share with a wider audience. On the other hand, there is a clause in the (WIP) letter of engagement that asks for risk analyser (Ian) to notify client (board) of critical risks requiring immediate action.
There was discussion around the issue of whether the report should be made public. The general feeling was that Ian should be able to publish the report with the proviso that risks should be notified beforehand.
Motion: "that the result of the risk analysis over root escrow, conducted by Ian Grigg, is not considered private and may be published as soon as it is ready. Should there be any critical security vulnerabilities that affect our current operations, Board considers it Ian's responsibility under existing policies to notify Board beforehand and delay publication until the issues could be resolved" carried.
There was also a discussion of the Letter of Engagement that the risk analysis requires:
- Part of the process is to be 'engaged' for that job. To that end, a (WIP) letter has been sent to private list. In short, Board is being asked to agree to that letter, or any other similar one we can come up with together. For various reasons, the letter is intended to mirror a big risk analysis at a big paying corporate client. Hence it is long and wordy. I do not know if that is an issue for anyone, but we can simply replace that if there is any reason to be concerned. It was taken from the course template, it isn't necessarily interesting for CAcert.
Ian pointed out that there will be no expenses incurred as a result of this process.
Motion: "that CAcert Inc issues a letter of engagement for the risk assessment carried out by Ian Grigg. Details will be discussed on the list." carried.
3.1 Private meeting to discuss privacy issue
The privacy issue has been discussed between Dirk, Marcus, Benedikt and Joachim, for which a summary will be posted to board-private by Dirk. This meeting will be continued at FOSDEM, after which further details will be posted to the board-private list, and a board meeting arranged.
Marcus announced that progress is being made with TTP, with a first test session for the US starting soon. Progress report to be posted to the board list next week.
4.1 Next meeting
As the meeting time is non-standard, the secretary will post the meeting date to the public mailing list.
m20120122.3: Accept minutes for 2012-01-13
m20120127.1: publication of risk analysis over root escrow
m20120127.2: letter of engagement for the risk assessment