Teus, iang. Evaldo by chat.
Saturday 10:45 -> 19:00, an hour for lunch
Sunday 10:00 -> 15:20], an hour for lunch
CAcert formal documents
- status and review conducted over following documents
Security Manual -- SM
requirements derive from iang from DRC
ask board to vote on motion: that the security manual be a fully open and published document.
teus to negotiate with Pat in email
- a minimal threat model to be covered
- threat model to include those threats necessary from the DRC requirements
- first thing is to think of an overview of the chapters
- from those chapters, an insight as to who needs to provide input
in syncronisation with Audit work, iang
iang to assist in first review
for operational information, input from philipp is required
- month 1: chapters + insights
- month 3: 1st cut document for review against DRC
month 4: list of changes from review against DRC, by iang
- month 6: completed SM, incorporating changes.
funding by NLnet allocates 3000 euros for each phase (of 4) for documentation and other CAcert projects. management subcommittee (m-sc) to vote on motion: to allocate a documentation budget of 3000 euros to SM project. So voted on chat. msc20071208.1
- negotiate with NLnet to move SM from phase 1 to phase 2 of funding plan
Pat: if you have any comments, please let teus know asap.
Pat reports to management subcommittee (Teus + Evaldo).
documents part to be updated to refer to Policy On Policy
go to board and ask to vote on motion: to create a Systems and Security SubCommittee, as per the CCS
- some effort put into CCS but left half-reviewed.
- Guillaume to take up the task of guiding the Code-signing policy
- looks like the vote to drop the current copy-of-id requirement has met rough consensus
- which means code-signing has no other requirement than 100 points
iang suggests that the Assurer Test be a requirement:
- the Assurer Challenge establishes a standard, albeit not the most appropriate standard for code signing
- the Assurer Challenge covers most of the material needed
- the test helps CAcert by bringing in another Assurer
- a customised test for code-signing can then be written in the interim
- suggest change the name of CATS to "challenge and training system" so as to make it more generally descriptive
CAcert Community Agreement
- status of suggested changes -- now in the document
- privacy clause
- contributions clause
- other minor changes made, and now no pending work to be done
- it is moved to the policy group that the document move to POLICY status in one month
- Teus has so posted.
questions in CATS -- make a general advisory to the CATS community to check docs & questions
- internal PR
- we have to advise the CAcert Community that this new policy is in place
- (as well as the NRP-DaL)
teus to prepare mail that outlines text of posts
- post to the general CAcert maillist
- post on blog
mail to go to every registered user from Greg as President one week after above blog & core maillist posts
philipp to prepare for a general mailshot in 10 days.
daniel to collect all bounces and/or rejections. Evidence to be collected for potential later action.
- move document onto main website under the name of /policy/CAcertCommunityAgreement.html
prepare the change requests as per CCA1.1. iang to dig out old description
NRP- Disclaimer and Licence
- place on website
- linkings to text need to be excessive and frequent
iang to dig out specification and send to Johan.
- internal PR as above
- one line added to CCA mailshot, no more
- review of the questions in CATS to reflect and push these new docs
3pv- Disclaimer and Licence
- explored need for a special document for 3rd party vendors / distributors
iang write to Mozilla to explore their thoughts on it
- we have done a brainstorming on what possibilities, ideas could be introduced
- essentially it is a rewrite of the NRP-DaL
- collected comments from the list discussion
- 1st cut written and onto wiki
reviewed and now at v0.2, teus to post to Policy group.
- the code-signing policy is being led by Guillaume.
- systems documentation is coming?
photos have been taken by Ridi ==> to Philipp
- Robert has prepared some diagrams but they may not be representative
- security work is on hold until after the move
- security will likely suffer during the move
- management, sysadms in the team
- m-sc has voted to bring Oophaga in as systems administrators for team for supporting NL
- Oophaga is now taking on responsibility for systems administration in NL
- Oophaga has approached more sysadms in 3 companies (snw, compata, atcomp)
- decided not to approach user groups.
m-sc votes on the target: one person per defined service, and one backup-sysadm for each. So voted on chat. msc20071208.2
- Software Development:
- michael to be added to team
- philipp agrees, intends to resign as officer
- for the moment there will be no officer for the team
- email system
- contact Daniel + Philipp and get some feedback on recent changes
- do we need more people?
- actions related to EU requirements
- this may be a job that is too big for Rasika
- need to seek a local team with deeper knowledge in NL law
- risks of data controller
- according to the Dutch Act, the data controller has a lot of power
- that power is largely in excess of and breaks our overall security policy
- opens backdoor/internal attack
- can we get legal advice on this?
- can we create a data controller that acts according to CAcert's interests?
- can we limit the power?
valer, teus + greg to communicate and discuss funding proposal
- adjust phase 1 to be approximately the current status which would be all business policies in DRAFT, approx, plus NL move
- phase 2 to include SM, dual control
- acceptance, root cert inclusion
teus to chase Shane for anglo auditor for sign-off
- rewrite the MoU?
- PR over audit: possibility to look in usenix/LISA december meeting
- fold PR, House Style, merchandise into one team
- create team with Greg, Henriks, Johan
- contact with press
- in Germany is done by Henrik
- elsewhere, by Greg? need to ask.
- no officer to be appointed for now
- decision on entire move: msc20071209.1, teus to take to evaldo over chat.
- certificate login is of strategic importance to CAcert
- for this reason CATS is to remain separated
- need to find a developer to assist Michelle, HR should look in to it
evaldo (stakeholder of machine) to talk to Michelle, Michael, ascii
- propose to m-sc how the CATS team should progress
- Ted accepted the team leadership of the Education team
teus to ask him for status
- has to be pushed...
Dutch SubPol has been proposed,
- a Dutch request for OA is pending
- 2 votes, need another.
- Assurance Officer is not appointed
Greg: check the status of US/state SubPol
- propose a change to the master Policy to incorporate common elements?
- nobody in particular is responsible for the mission, rather it is a collective responsibility
- if the mission statement is disagreed, the community can split
- the mission must then be agreed by the community
- mission on the website is in conflict in itself, etc
- after 8th (CCA is POLICY) let's start a discussion on the mission
wiki. So voted on chat. msc20071208.3
- make an "equate" between "board" and "committee"
- Teus and other new board members to be added to wiki BOARD page access ("trusted group") ??
- secretary (Evaldo) to get admin rights on wiki
- appoint more/new wiki administrator(s) to take over wiki
- S/MIME rewrite of the arrangement
- create the roadmap of Thunderbird changes
- find some student/other programmer to work on this
- ask NLnet for funding
- top meeting review