Iang
Formally, I am an Assurer, co-auditor and an Association member.
Doing
More task-oriented, my focus is on preparing CAcert for audit. These are on my A-List:
- doing a risk analysis on the roots project.
- Current status:
- code is done.
- data is in.
- report is evolving and being tidied up.
- code is located on Fiddle (but on the dev site if you know where that is).
- need to migrate the Fiddle service across to some other VM, awaiting developments from Sonance or infra team.
- assisting New Roots Task Force, as an adjunct to the risk analysis.
- Current status:
My B-list is those things that don't directly affect the above priority, but I help when called upon:
- Board. As an appointed-not-voting member I try to limit my input according to these guidelines:
- watching that CAcert Inc itself is looked after in the eyes of OFT, and
- explaining past processes and history (below as well)
- explanation of history, etc, and pointing newcomers in the right direction
where "right" is a direction somewhat disaligned with "left"
- assisting Assurance Team as and when...
- I help with ATEs.
- The assurance project leads to an Audit over the Assurance (called the Registration Authority Audit in PKI-speak)
- aiming at our new Software Team
the final frontier - you too can be part of this
This was on my A-list, but it's slipped... I'm hoping to get back to BirdShack in 2012.
Helping Policy Group with their task list
- housekeeping: move new and existing DRAFT dox to the main website, and clean up.
- handling the votes, checking the motions, reviewing the proposals
see who the heavy hitters on the Policy Group really are!
- Assurance: TTPAssisted, Nucleus and perhaps a Legacy policy to be worked on.
- there are lots of reviews needed: CPS, SP, CCS, RDL for POLICY
- URL and terms tidyup in all policies
- working on a community site called fiddle in my copious spare time
I'm collecting questions in there for work on future challenges. Try the Triage Mini-C and help us to help you!
- assisting the Arbitration, Assurance, Events, Education teams
a.k.a. making their lives hell
The C-list is those things that I'd definitely do if there were three of me, 34 hours in the day, and a bottomless pot of fine coffee:
Critical Systems -- preparing for audit against Security Policy
- This we should look at as an Audit over RA is closing.
- OA needs documenting in their new Manual
The X-list is the things I am no longer actively participating in due to circumstances:
- Board - decisions outside the above. I try and abstain.
- finance
- audit
I am available to recall events, explain history, etc.
Caught in the Act
- ATEs:
Brisbane was split in two. The Intro also included the talk on Client Certs and a new talk on something else?
The two parts were captured in video: Intro - Making SSL Accessible and ATE proper.
- following on from Prague, Budapest, Paris, London in 2009.
Lightning Talk at Fosdem 2010 entitled "Client Certificates and SSO, the old-new thing". Notes that went with the talk. See also the Slides at ODP source and PDF output.
plenty of Audit Presentations.
October 2008, Invited talk at LISA08: "An Open Audit of an Open Certification Authority", covers the history of CAcert from 2006 to 2008.
Done!
- Internal Audit work
- I worked from mid-2009 until end 2010 to bring CAcert to a state ready for an Audit over Registration Authority
- (This would be with a new external and independent Auditor.)
- As of 2010, CAcert entered a state where such an Audit could be attempted.
member of the committee a.k.a. Board from mid 2009 until late 2011 (whenever the AGM comes up).
Programmed the management of Audit Criteria - project CrowdIt!
- Policy Blitz
CCS now in DRAFT
I've written Editor's Guide to Good Policy.
- I've re-organised the policy area in this wiki. Next step is to go through all the other pages on the wiki and re-org them into the new arrangement. This is a project that was identified late last year, but I didn't have time for it then.
Yo! SP goes to DRAFT. Again.
Happy days ... we now have a Root Distribution License in DRAFT, written by Mark Lipscombe. This replaces the old 3pv-DaL which I had written and developed over a long time, and the NRP's old document which has been struck down.
Helping to get the TTP back on track with the new now-in-DRAFT TTP-Assisted Assurance Policy.
- AGMs:
I've written the Diary for 2010 and the Board report parts so as to help the next Annual Report.
- ATEs:
Over 2010-2011, I gave 4 in Australia: 2010 ATE in Sydney, Canberra, Melbourne and a rather wet Brisbane.
- 2 in the USA, at Washington DC and also at Rutgers, south of New York, in June 2011.
I was temporary Support Team Leader from m20091116.2 to m20100222.1. During those three months I documented the processes at Team, introduced the Triage team, brought in new team mates, liaised with Arbitration, and watched while the new team dived into OTRS. Zoom! This crew has overtaken me, so I step aside and hand over to Neo.
Birdshack: I've started copying the doco from Innsbruck MiniTOP into our SVN repository.
(Note, this above list only covers the period after the Audit termination, mid 2009.)
History: the Audit
I undertook the role of independent auditor from 20060101 until resignation 20090612. So as to meet the requirements of Audit, this work involved (a) helping CAcert to prepare all of the policy documentation, (b) helping to change CAcert's structure, and then (c) conducting (part of) a review of operations against that documentation. Here are some highlights:
I observed and helped on the design of a new membership and community structure for CAcert that would meet the diverse requirements of all stakeholders. This is now embodied in CAcert's foundation documents (CCA, PoP, DRP, NRP's old D a L).
I was part of the Advisory that helped CAcert back on its feet throughout 2007.
I participated in the TOP of September 2007.
I was observer on many of the processes of CAcert, including ManagementSubCommittee, Arbitration and many mailgroups.
- To push the policies into gear, I have been a persistent poster on the policy mail group.
In October 2008, I was invited to talk at LISA, in San Diego. I presented "An Open Audit of an Open Certification Authority" (very long!). This is a good history of CAcert from 2006 to 2008.
As part of Audit's review of Assurance, I travelled to many cities and directly tested over 100 assurers. These results were presented at 20090517 MiniTOP on Assurance in Munich, and may have inspired the creation of the co-audit concept and team.
- I observed the systems transition from Sydney to Vienna (two locations) and then to Ede, Netherlands.
- I have visited the BIT facility many times. The most recent was the first audit review visit, 20090507.
Early 2009, enough documentation and enough practice was in place for the audit proper to start up. Unfortunately, this created too much of a strain on the organisation, and the budget, and the audit had to be terminated July 2009.
For these and other reasons I can no longer work in the role of independent Auditor for CAcert.
My many pages on Audit provide a wealth of information on what to do next. See AuditToDo for the running state, HelpingCAcert for general ideas, or ask me. The big numero uno planetary most-wanted target for Audit is: Software. Coming to a conclusion near you. Apply now for your ticket.
Other stuff
- long-time poster now lurker on Mozilla's crypto / policy groups. I helped Mozilla to write their CA policy.
- BSc(Hons) in computer science from Uni. NSW, the spiritual birthplace of Australia's Unix tradition. I spent much of the period up to 1995 doing Unix work of one style or another.
MBA from London, 1996. Lots of finance, marketing, econ, HR, etc.
working on a Dipl. Security & Risk Management.
From 1995, I got into Financial Cryptography and as architect and builder of money and finance systems. Good solid crypto stuff, solid (and I do mean solid) messaging, OOdles of Java, with some Perl and PHP.
writer of various papers published in various forums.
critic of PKI on both an observations level and a more serious survey in a paper form.
- I've lived in about 8 different countries across Europe, Americas, Australia, and there's still time for another 8 or so.
I was part of Sonance, a foundation of artist-techies, which had a supporting role helping CAcert's hosting from December 2007 through September 2008, and which now provides a test VM.
