Minutes of the "Top" meeting 2007 September 17-21

Meeting called to order 2007-09-17 09:20. Present: (Board) Greg Rose, Robert Cruikshank, Evaldo Gardenali, (Advisory) Jens Paul, Teus Hagen, Ian Grigg.

m20070917.1: Minutes of previous Board Meeting are approved.

Jens reviewed arrangements for the week.

Greg to email Philipp regarding times and titles for day 4 agenda.

Robert reviewed finances etc. There are three accounts (2 with Westpac and one with Credit Unions Australia). We use PayPal and PayMate for incoming money. We should think about moving to a more international arrangement such as PayPal exclusively. The account name at PayPal is confusing (paymate@cacert.org!). A DUNS number is set up (75-605-6102). Discussion of assets; one relatively new server is in our possession, older ones are not. Discussion of income sources. Robert feels we are now in good enough shape to be able to do legal reporting. He has put together a "Treasury Compendium" of the process he went through as well as the passwords etc. This will be shared with board members for safe keeping. Discussion about changing bank accounts to something more international; currently not urgent to fix this. Agreed to pay a back invoice for colocation fees, and to recover our old servers.

m20070917.2: Agreed that we should make our financial year July-June (fits well with November AGM).

(defer m20070917.3: Agreed that the President will make final contact with the old board, requesting either that the old hardware be handed over or at the least that they assure us any data on the machines has been destroyed.)

Review of past actions by CAcert board. Unless otherwise noted, previous actions are supported. Need policy for email addresses. Review status of super-assurers. Domains are owned by CAcert. Review status of source code. "Advertise on Google", despite being passed, doesn't seem to have happened. "Limits on Points Growth" was agreed but has never been implemented; this needs to be reviewed. "Board remunerations" was passed but not implemented (no payments appear to have been made). Review of "Auditor instructs no deals" necessary (later in meeting).

m20070917.3: Overturn previous board decisions "advertise on Google", "Limits on points growth", "Board remunerations".

Assets.

m20070917.4: That the board take control of the domains, and the sysadmins take control of DNS servers, thus effecting dual control.

m20070917.5: CAcert will vigorously defend use of its name, including for example stating that "CAcert is a trademark of CAcert Inc." in documents.

Planning for next AGM.

  1. membership register -- Evaldo says it is a mess. There are 51 email addresses, corresponding to 50 individuals, but there is no information about joining date or currency, and in a few cases nothing is known except the email address. Agreed that Evaldo will send mail to past and existing members encouraging them to get current.
  2. requirements, allocation of tasks: Date of AGM to be 17 November 2007 22:00 UTC, on IRC. Evaldo to issue a preliminary notice, then a formal notice before 21 days.
  3. recruitment of new members. Greg Stark and Henrik Heidl to write a draft asking people to join, talking about mission, and so on.
  4. recruitment of new directors. Current board and advisory to work towards a high-quality slate of candidates for the next election.
  5. motions suggested on wiki at NextAnnualGeneralMeeting : Members of the association should also be registered users of the service (can change the bylaws to require CAcert certificate signature).
  6. mission of the Inc., responsibilities of the Inc. (To be discussed day 5)

m20070917.6: We will direct payment for membership to PayPal. In the future we will shut down the PayMate account.

m20070917.7: Election to be for 5 members of the Board of Directors. Board positions to be decided and announced within 14 days after the election.

m20070917.8: (Non-board operational) Officers of the project of the organization should be financial members of the association; the Board can make exceptions to this rule.

EU DPA

m20070917.9: The board accepts that CAcert is or intends to be subject to the DPA, and action is required to be in full compliance with this.

m20070917.10: The Board gratefully acknowledges Duane Groth's vision in creating CAcert.

m20070917.11: That the treasurer be authorized to pay budgeted expenses and minor normal expenses less than AU$100 without requiring authorization from the board.

Organization Chart: there was extensive discussion of the organization chart, and how to fill the various holes. What seems to work is to make small progress, getting people to do individual tasks; they tend to grow into bigger roles. Some discussion about focusing on Scandinavia, UK, USA, and how to do better in those places. We serve the markets as we can.

m20070917.12: Agree to fund the Systems 2007 fair in Munich, DE (est E.1724)

Meeting adjourned 18:10

Meeting resumed 2007-09-18 9:00

Minor change to agenda order.

Organizational Assurance Policy

Jens introduces the OAP. The proposal was examined in detail and substantial changes made. The document will be re-introduced for approval later.

HR issues

Reiterate discussion from yesterday. Emphasis on recruiting particularly from UK and Scandinavia, before assigning officer's positions. Discussion continues about potential board candidates.

Risks, Liabilities, and Obligations

The Auditor introduced the issues. The board reviewed the proposed documents.

m20070918.1: The Board approves the document titled "Non-Related Persons Disclaimer and License". In an abundance of caution, the document will also be presented for ratification at the AGM.

m20070918.2: The Board agrees in principle to the process of arbitration for dispute resolution.

m20070918.3: The Board approves the Dispute Resolution Policy as discussed in the meeting.

The board discussed the difficulty for a new user to tell the difference between "official" wiki pages, as opposed to working pages, advice pages, and so on. The board believes that the Documentation Officer is in charge of this problem. Our suggestion is to split the wiki at a high level, to have write-controlled pages for official use, policies, etc.

While discussing the RUA, the board noted that there is no mention of retaining assurance documents in the "web of trust" web pages. The Documentation Officer is requested to rectify this.

We reviewed the RUA, and among other things noted that the privacy section needs to be reviewed by the Privacy Officer.

We noted that the introduction of a monetary limit on liability changes the philosophy of CAcert; unfortunately the requirements of the legal framework within which CAcert exists appear to make such an admission of liability necessary.

m20070918.4: The Registered User Agreement as discussed and modified is promoted to DRAFT status as written in the (not yet approved) Policy on Policies, and is therefore working policy for the community. The period of DRAFT for this document is until the AGM.

Principles

m20070918.5: The principles part of the Mission and Principles document is approved for the time being, but it is expected to evolve further.

There was discussion over dinner of a Mission (or goal). "Reasonable Security for the Community".

Meeting adjourned about 21:30

Meeting resumed 2007-09-19 09:10

Audit stuff

History

Discussion of the history around an independent (of WebTrust) audit; aimed at entering Mozilla's root list. The real goal is to try to get into "mainstream browsers". Also intended to assure us of the security of our internal processes, risks, etc. We choose to aim at Mozilla first. We reviewed the DRC (David Ross Criteria). The Auditor considers that the Board should be in charge.

m20070919.1: The board declares that it is up to speed and is in charge of CAcert assets and procedures.

The Auditor now believes that we can resume negotiation with other parties, e.g. Linux distributions.

Code Auditing: "ascii" (Francesco Ongaro) is doing a code audit on his own schedule. He has found several severe bugs; followups were delayed. There has been no general call for code review. Agreed that there should be more opportunity for community review. System administration and development should be separated ASAP. After discussion, it seems clear that a committee should take on the task of getting a system administration team in place, and the move to Oophaga in progress.

m20070919.2: Create a management sub-committee tasked with certain "CEO-like" duties, in particular staffing. The sub-committee consists of Jens Paul, Teus Hagen, Evaldo Gardenali, with Ian Grigg to have an observer/advisor status.

Internal Audit: the management sub-committee should also be looking for a volunteer for the Internal Auditor position.

Quality control: ditto.

Discussion about the CCS; movement is necessary. The big holdup seems to be the security manual. We reviewed the existing outline. It needs work. The joke copy of the CAcert security handbook should be "svn removed", as it was never meant to be taken seriously (we hope).

Left over from yesterday, we reviewed the changes to the DRP.

m20070919.3: The draft Dispute Resolution Policy is approved to move to the status of POLICY.

m20070919.4: The Policy on Policy is approved by the board and moved to DRAFT status, until the AGM. Note that this decision moves policies, from now on, under the control of the Policy mail list.

Governance

We discussed this agenda item. Oversight by the auditor has terminated as agreed in the motion above. The "four eyes" control and dual control duties will be defined in the Certification Practice Statement, to be agreed as a policy. The Management subcommittee should take this as a priority task.

Systems issues

The hardware is soon to be under control of Oophaga. With this change, we make progress towards dual and/or four eyes control of administration. Day 4 is devoted to systems issues. When should the audit be restarted? The logical time seems to be soon after the machines are moved to the Netherlands. We agree that we have to put in procedures that guarantee the security of the root keys. These procedures are more strict than the previously applied procedures, and obviously did not apply to the old root keys. Therefore, once the new procedures are in place, we will create new root keys and deprecate use of the old keys.

Audit funding

We discussed and updated a proposal for funding of the audit.

m20070919.5: The proposal to NLnet for funding continuation of auditing is accepted by the board and will be communicated to NLnet by the President before October 1.

Sustainability Funding

We conducted a brainstorming session around the subject of sustainability. The following is just a list of ideas. Don't read anything into it.

* sell shirts, merchandise
* encourage donations
* sell related items like flash drives, smartcard readers
* accelerator cards for servers? Associated consulting?
* courses, courseware, testing, accreditation, tutorials
* more ad space
* CA rating service?
* review service to check security of other pages
* funding from third parties (BSI funds GPG, NLnet)
* conference
* fees (not for certificates)
* CAcert adds value to other people's conferences / exhibitions
* writing articles
* cut of fee for assurance (org or individual)
* sell security services
* finder's fee for recommending someone else for security service / legal work