== Iang ==

Formally, I am an Assurer, [[Assurance/Co-Auditor|co-auditor]] and an Association member.

=== Dong! ===

[[Board]] purported to sack me with a document labelled [[Iang/Hearing|Hearing]]. For the review of the entire community.

=== Doing ===

These are on my A-List:

 1. Keeping an eye on Policy Group, helping the policies forward.
  * housekeeping: move new and existing DRAFT dox to the main website, and clean up.
  * handling the votes, checking the motions, reviewing the proposals
  * see who the [[https://svn.cacert.org/CAcert/Policies/policy_group_decisions_summary.html|heavy hitters on the Policy Group]] really are!
  * URL and terms tidyup in all policies

My involvement is far less intense these days.

My B-list is those things that don't directly affect the above priority, but I help when called upon:

 * Board. As an appointed-not-voting member I try to limit my input according to these guidelines:
  a. watching that CAcert Inc itself is looked after in the eyes of OFT, and
  a. explaining past processes and history (below as well)
 * explanation of history, etc, and pointing newcomers in the right direction
  * where "right" is a direction somewhat misaligned with "left" :)
 * assisting Assurance Team as and when...
  * I help with ATEs.
  * The assurance project leads to an Audit over the Assurance (called the Registration Authority Audit in PKI-speak)
 * aiming at our new '''''Software Team'''''
  * the final frontier - [[Software/DevelopmentTeam|you too can be part of this]]
  * This was on my A-list, but it's slipped... see below with big push in 2012 summer.
 * assisting the Arbitration, Assurance, Events, Education teams
  * a.k.a. ''making their lives hell'' ;-)

The C-list is those things that I'd definitely do if there were three of me, 34 hours in the day, and a bottomless pot of fine coffee:

 * Critical Systems -- preparing for audit against [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|Security Policy]]
  * This we should look at as an Audit over RA is closing.
 * [[SecurityManual#Disaster_Recovery|Disaster Recovery]]
 * OA need documenting into their new [[Brain/EducationTraining/OrganisationAssurance/Manual|Manual]]

The X-list is the things I am no longer actively participating in due to circumstances and time:

 * Board - resigned at the AGM in late 2012.
 * finance
 * audit

=== Caught in the Act ===

 * ATEs:
  * [[events/20100324Sydney|Sydney]], [[events/20101012Canberra|Canberra]], [[events/20101216Melbourne|Melbourne]], [[events/20110124Brisbane|Brisbane]].
   * Brisbane was split in two. The Intro also included the [[Technology/KnowledgeBase/ClientCerts/theOldNewThing|talk on Client Certs]] and a new talk on something else?
   * The two parts were captured in video: [[http://blip.tv/file/4738222|Intro - Making SSL Accessible]] and [[http://blip.tv/file/4738580|ATE proper]].
  * following on from Prague, Budapest, Paris, London in 2009.
 * Lightning Talk at [[http://fosdem.org/2010/schedule/events/cacert|Fosdem 2010]] entitled ''"[[ClientCerts|Client Certificates]] and SSO, the old-new thing"''. [[Technology/KnowledgeBase/ClientCerts/theOldNewThing|Notes]] that went with the talk. See also the Slides at [[https://svn.cacert.org/CAcert/Assurance/ClientCertsLighningTalk.odp|ODP source]] and [[https://svn.cacert.org/CAcert/Assurance/ClientCertsLighningTalk.pdf|PDF output]].
 * plenty of [[AuditPresentations|Audit Presentations]].
 * October 2008, Invited talk at [[http://www.usenix.org/events/lisa08/|LISA08]]: ''"[[http://iang.org/papers/open_audit_lisa.html|An Open Audit of an Open Certification Authority]]"'', covers history of CAcert from 2006 to 2008.

=== Done! ===

 * I did a risk analysis on the roots project. This was as an academic project leading to a Dipl. Security & Risk Management.
 * in (Northern) summer of 2012, I and an intern worked on the BirdShack project.
  * got the basic object and requests up and going in the Ouroboros framework. This was mostly the task of our intern.
  * Documented the above Ouroboros pattern, a task that had been bugging me for many years. This was joint work with the intern.
  * Upgraded an Object database to support the REST/CRUD framework of the BirdShack middleware server. This was my work. The original ODB came from old corporate work, and was the authorship of Jeroen vG. The upgrade included software mirroring, better log distribution over files, replacements and deletions.
  * the BirdShack middleware server is in reasonable shape, but is somewhat useless without a frontend website to drive it, and backend signing servers.
 * I worked on a community site called fiddle
  * collected 100s of questions in there for work on future challenges.
  * collected co-audit information.
  * held the risk-analysis processing.
  * it was also a testbed for many ideas.
  * unfortunately I was unable to maintain a working, up to date Linux distro, so it fell off the net. Maybe one day I'll get it up and going on my Mac Mini which is far more robust.
 * Internal Audit work
  * I worked from mid-2009 until end 2010 to bring CAcert to a state ready for an Audit over Registration Authority
   * (This would be with a new external and independent Auditor.)
  * As of 2010, CAcert entered a state where such an Audit could be attempted.
 * member of the [[Board|committee a.k.a. Board]] from mid 2009 until late 2011 (whenever the AGM comes up).
 * Programmed the management of Audit Criteria - project CrowdIt!
  * now available in at least ''demo status'' at [[https://fiddle.it/app/crowdit|CrowdIt]].
  * CrowdIt is a programmed wiki- or blog-like approach where each Assurer can claim over each Criteria, thus distributing the work of making our audit disclosures, and providing the road map for Auditor.
  * If you can think of a better name, tell me :)
 * Policy Blitz
  * [[https://svn.cacert.org/CAcert/Policies/ConfigurationControlSpecification.html|CCS]] now in DRAFT :-)
  * I've written [[Policy/Guide|Editor's Guide to Good Policy]].
  * I've re-organised the policy area in this wiki. Next step is to go through all the other pages on the wiki and re-org them into the new arrangement. This is a project that was identified late last year, but I didn't have time for it then.
  * Yo! [[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|SP]] goes to DRAFT. Again.
  * and '''[[https://blog.cacert.org/2010/06/474.html|Policy Group reaches the milestone]]!'''
  * Happy days ... we now have a [[https://svn.cacert.org/CAcert/Policies/Agreements/RootDistributionLicense.html|Root Distribution License]] in DRAFT, written by Mark Lipscombe. This replaces the old 3pv-DaL which I had written and developed over a long time, and the NRP's old document which has been struck down.
  * Helping to get the [[TTP]] back on track with the new now-in-DRAFT TTP-Assisted Assurance Policy.
 * AGMs:
  * I've written the [[AGM/Diary/2010|Diary for 2010]] and the Board report parts so as to help the next Annual Report.
  * [[https://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-20100130/Minutes-20100130-AGM.html|Minutes of the last AGM]]
 * ATEs:
  * Over 2010-2011, I gave 4 in Australia: [[events/20100324Sydney|2010 ATE in Sydney]], Canberra, Melbourne and a rather wet Brisbane.
  * 2 in USA at Washington DC and also Rutgers, south of New York, period June 2011.
 * I was temporary [[Brain/Support/TeamLeader|Support Team Leader]] from [[https://community.cacert.org/board/motions.php?motion=m20091116.2|m20091116.2]] to [[https://community.cacert.org/board/motions.php?motion=m20100222.1|m20100222.1]]. During those three months I documented the processes at [[Support/Team|Team]], introduced the Triage team, brought in new team mates, liaised with Arbitration, and watched while the new team dived into OTRS. Zoom! This crew has overtaken me, so I step aside and hand over to [[MichaelTänzer|Neo]].
 * Birdshack: I've started copying the doco from Innsbruck MiniTOP into our [[https://svn.cacert.org/CAcert/Software/BirdShack/|SVN repository]].

(Note, this above list only covers the period after the Audit termination, mid 2009.)

== History: the Audit ==

I undertook the role of independent auditor from 20060101 until [[https://lists.cacert.org/wws/arc/cacert-board/2009-06/msg00049.html|resignation 20090612]]. So as to meet the requirements of [[Audit]], this work involved (a) helping CAcert to prepare all of the policy documentation, (b) helping to change CAcert's structure, and then (c) conducting (part of) a review of operations against that documentation. Here are some highlights:

 * I observed and helped on the design of a new membership and community structure for CAcert that would meet the diverse requirements of all stakeholders. This is now embodied in CAcert's foundation documents ([[http://www.cacert.org/policy/CAcertCommunityAgreement.php|CCA]], [[http://www.cacert.org/policy/PolicyOnPolicy.php|PoP]], [[http://www.cacert.org/policy/DisputeResolutionPolicy.php|DRP]], NRP's old --(DaL)--).
 * I was part of the [[Advisory]] that helped CAcert back on its feet throughout 2007.
 * I participated in the [[TopMinutes-20070917|TOP of September 2007]].
 * I was observer on many of the processes of CAcert, including [[ManagementSubCommittee]], Arbitration and many mailgroups.
 * To push the policies into gear, I have been a persistent poster on the policy mail group.
 * In October 2008, I was invited to talk at [[http://www.usenix.org/events/lisa08/|LISA]], in San Diego. I presented ''"[[http://iang.org/papers/open_audit_lisa.html|An Open Audit of an Open Certification Authority]]"'' (very long!). This is a good history of CAcert from 2006 to 2008.
 * As part of Audit's review of Assurance, I travelled to many cities and directly tested over 100 assurers. These results were presented at [[https://svn.cacert.org/CAcert/Assurance/Minutes/20090517MiniTOP.html|20090517 MiniTOP on Assurance]] in Munich, and may have inspired the creation of the [[https://svn.cacert.org/CAcert/Assurance/Minutes/20100206BrusselsMiniTOP.html#co-audit|co-audit concept and team]].
 * I observed the systems transition from Sydney to Vienna (two locations) and then to Ede, Netherlands.
 * I have visited the BIT facility many times. The most recent was the first audit review visit, 20090507.

Early 2009, enough documentation and enough practice were in place for the audit proper to start up. Unfortunately, this created too much of a strain on the organisation, and the budget, and the audit had to be terminated July 2009. For these and other reasons I can no longer work in the role of independent Auditor for CAcert.

My many pages on [[Audit]] provide a wealth of information on what to do next. See [[AuditToDo]] for the running state, [[HelpingCAcert]] for general ideas, or ask me.

The big numero uno planetary most-wanted target for Audit is: '''''Software.''''' Coming to a conclusion near you. [[Software/DevelopmentTeam|apply now for your ticket.]]

=== Other stuff ===

 * long-time poster now lurker on Mozilla's crypto / policy groups. I helped Mozilla to write their CA policy.
 * BSc(Hons) in computer science from Uni. NSW, the spiritual birthplace of Australia's Unix tradition. I spent much of the period up to 1995 doing Unix work of one style or another.
 * MBA from [[http://www.london.edu/|London]], 1996. Lots of finance, marketing, econ, HR, etc.
 * Dipl. Security & Risk Management from ASEC in Canberra.
 * From 1995, I got into [[https://financialcryptography.com/|Financial Cryptography]], as architect and builder of money and finance systems. Good solid crypto stuff, solid (and I do mean solid) messaging, OOdles of Java, with some Perl and PHP.
 * writer of various [[http://iang.org/papers/|papers]] published in various forums.
 * critic of PKI on both an [[http://iang.org/ssl/|observations]] level and a more serious survey in a [[http://iang.org/ssl/pki_considered_harmful.html|paper form]].
 * I've lived in about 8 different countries across Europe, Americas, Australia, and there's still time for another 8 or so.
  * Now checking out Africa, working on a WoT/money/android project.
 * I was part of [[http://evolve.sonance.net/|Sonance]], a foundation of artist-techies, which had a supporting role helping CAcert's hosting December 2007 through September 2008, and now provides a test VM.

----
CategoryHomepage