Formally, I am an Assurer, co-auditor and an Association member.
These are on my A-List:
- Keeping an eye on Policy Group, helping the policies forward.
- housekeeping: move new and existing DRAFT dox to the main website, and clean up.
- handling the votes, checking the motions, reviewing the proposals
see who the heavy hitters on the Policy Group really are!
- URL and terms tidyup in all policies
My involvement is far less intense these days.
My B-list is those things that don't directly effect the above priority, but I help when called upon:
- Board. As an appointed-not-voting member I try to limit my input according to these guidelines:
- watching that CAcert Inc itself is looked after in the eyes of OFT, and
- explaining past processes and history (below as well)
- explanation of history, etc, and pointing newcomers in the right direction
where "right" is a direction somewhat dissaligned with "left"
- assisting Assurance Team as and when...
- I help with ATEs.
- The assurance project leads to to an Audit over the Assurance (called the Registration Authority Audit in PKI-speak)
aiming at our new Software Team
the final frontier - you too can be part of this
- This was on my A-list, but it's slipped... see below with big push in 2012 summer.
- assisting the Arbitration, Assurance, Events, Education teams
a.k.a. making their lives hell
The C-list is those things that I'd definitely do if there were three of me, 34 hours in the day, and a bottomless pot of fine coffee:
Critical Systems -- preparing for audit against Security Policy
- This we should look at as an Audit over RA is closing.
OA need documenting into their new Manual
The X-list is the things I am no longer actively participating in due to circumstances and time:
- Board - resigned at the AGM in late 2012.
Caught in the Act
plenty of Audit Presentations.
I did a risk analysis on the roots project. This was as an academic project leading to a Dipl. Security & Risk Management.
in (Northern) summer of 2012, I and an intern worked on the BirdShack project.
- got the basic object and requests up and going in the Ouroboros framework. This was mostly the task of our intern.
- Documented the above Orouboros pattern, a task that had been bugging me for many years. This was joint work with the intern.
Upgraded an Object database to support the REST/CRUD framework of the BirdShack middleware server. This was my work. The original ODB came from old corporate work, and was the authorship of Jeroen vG. The upgrade included software mirroring, better log distribution over files, replacements and deletions.
the BirdShack middleware server is in reasonable shape, but is somewhat useless without a frontend website to drive it, and backend signing servers.
- I worked on a community site called fiddle
- collected 100s of questions in there for work on future challenges.
- collected co-audit information.
- held the risk-analysis processing.
- it was also a testbed for many ideas.
- unfortunately I was unable to maintain a working, up to date Linux distro, so it fell of the net. Maybe one day I'll get it up and going on my Mac Mini which is far more robust.
- Internal Audit work
- I worked from mid-2009 until end 2010 to bring CAcert to a state ready for an Audit over Registration Authority
- (This would be with a new external and independent Auditor.)
- As of 2010, CAcert entered a state where such an Audit could be attempted.
member of the committee a.k.a. Board from mid 2009 until late 2011 (whenever the AGM comes up).
Programmed the management of Audit Criteria - project CrowdIt!
- Policy Blitz
CCS now in DRAFT
I've written Editor's Guide to Good Policy.
- I've re-organised the policy area in this wiki. Next step is to go through all the other pages on the wiki and re-org them into the new arrangement. This is a project that was identified late last year, but I didn't have time for it then.
Yo! SP goes to DRAFT. Again.
Happy days ... we now have a Root Distribution License in DRAFT, written by Mark Lipscombe. This replaces the old 3pv-DaL which I had written and developed over a long time, and the NRP's old document which has been struck down.
Helping to get the TTP back on track with the new now-in-DRAFT TTP-Assisted Assurance Policy.
Over 2010-2011, I gave 4 in Australia: 2010 ATE in Sydney, Canberra, Melbourne and a rather wet Brisbane.
- 2 in USA at Washington DC and also Rutgers, south of New York, period June 2011.
I was temporary Support Team Leader from m20091116.2 to m20100222.1. During those three months I documented the processes at Team, introduced the Triage team, brought in new team mates, liased with Arbitration, and watched while the new team dived into OTRS. Zoom! This crew has overtaken me, so I step aside and hand over to Neo.
Birdshack: I've started copying the doco from Innsbruck MiniTOP into our SVN repository.
(Note, this above list only covers the period after the Audit termination, mid 2009.)
History: the Audit
I undertook the role of independent auditor from 20060101 until resignation 20090612. So as to meet the requirements of Audit, this work involved (a) helping CAcert to prepare all of the policy documentation, (b) helping to change CAcert's structure, and then (c) conducting (part of) a review of operations against that documentation. Here are some highlights:
I observed and helped on the design of a new membership and community structure for CAcert that would meet the diverse requirements of all stakeholders. This is now embodied in CAcert's foundation documents (CCA, PoP, DRP, NRP's old D a L).
I was part of the Advisory that helped CAcert back on its feet throughout 2007.
I participated in the TOP of September 2007.
I was observer on many of the processes of CAcert, including ManagementSubCommittee, Arbitration and many mailgroups.
- To push the policies into gear, I have been a persistent poster on the policy mail group.
As part of Audit's review of Assurance, I travelled to many cities and directly tested over 100 assurers. These results were presented at 20090517 MiniTOP on Assurance in Munich, and may have inspired the creation of the co-audit concept and team.
- I observed the systems transition from Sydney to Vienna (two locations) and then to Ede, Netherlands.
- I have visited the BIT facility many times. The most recent was the first audit review visit, 20090507.
Early 2009, enough documentation and enough practice was in place for the audit proper to start up. Unfortunately, this created too much of a strain on the organisation, and the budget, and the audit had to be terminated July 2009.
For these and other reasons I can no longer work in the role of independent Auditor for CAcert.
My many pages on Audit provide a wealth of information on what to do next. See AuditToDo for the running state, HelpingCAcert for general ideas, or ask me. The big numero uno planetary most-wanted target for Audit is: Software. Coming to a conclusion near you. apply now for your ticket.
- long-time poster now lurker on Mozilla's crypto / policy groups. I helped Mozilla to write their CA policy.
- BSc(Hons) in computer science from Uni. NSW, the spiritual birthplace of Australia's Unix tradition. I spent much of the period up to 1995 doing Unix work of one style or another.
MBA from London, 1996. Lots of finance, marketing, econ, HR, etc.
Dipl. Security & Risk Management from ASEC in Canberra.
From 1995, I got into Financial Cryptography and as architect and builder of money and finance systems. Good solid crypto stuff, solid (and I do mean solid) messaging, OOdles of Java, with some Perl and PHP.
writer of various papers published in various forums.
- I've lived in about 8 different countries across Europe, Americas, Australia, and there's still time for another 8 or so.
- Now checking out Africa, working on a WoT/money/android project.
I was part of Sonance, a foundation of artist-techies, which had a supporting role helping CAcert's hosting December 2007 through September 2008, and now provide a test VM.