Audit Report 20080802

The latest of the audit reports, for July-August, is now on the wiki. As this report and CAcert’s current situation are almost totally dominated by critical systems issues I shall only list those here. First, the big direct issues:

  1. The new plan for critical systems is now in place and approved by Board of CAcert.
  2. The Vienna systems will be shut down on 30th September. This is a slightly variable date, it could change, but not substantially. The intention is that they will not be restarted; see below.
  3. The data will be incorporated into the Netherlands machines over the days following that date.
  4. So, service to CAcert will be interrupted from 30th September.
  5. Until the job is done. There are estimates as to how many days this will take, but I won’t repeat them here. It will take as long as it takes.
  6. Which means, if the migration does not succeed, then CAcert may be left without an operating CA.
  7. I’ll be there. If you are in the Netherlands in the first week of October, and would like to help, let us know. We might need it!

The above plan is the Number One Thing on everyone’s desktop. Other issues that bear mentioning are these, because they affect the plan:

  1. The Vienna systems are Audit Fail. They were always a temporary arrangement, almost emergency status, and represent no base for the future nor a base for a responsible, professional CA. Somewhere, the line has to be drawn, and the board has agreed it is time to draw that line: 30th September. Hence, above, there is no intention to fall back to the Vienna systems.
  2. The old Roots are Audit Fail. This is because there is no clear history, no documentation, and sanity checks don’t change that view. So, a task for the Dutch team is to create new roots, but only when they’ve got everything else sorted out, and only after the process is properly documented. (As an aside, the roots situation was reported and agreed with the board September 2007.)
  3. There was a security bug reported last month by a member. The handling of that bug was good, as it was more or less dealt with, within around 12 hours, and notified to the community. That’s the good news.
  4. The bad news is that the bug was rather bad, and likely indicative of others of the same class. (If you are into PHP, just think register_globals …) The software development team has a lot of work to do.
  5. Clearly, software development also suffers from the same lack of people as the systems administration team. After the critical systems are put onto a sound footing, management will have to look at the development side as well. Meanwhile, you can help if you have PHP skills. Ask to get access to the test system, and ask for a small task to look at. There are many!
  6. Meanwhile, there is little benefit in shooting the messenger. It’s impolite and a waste of a good bullet. Security is a process: it is about fixing and improving. It decidedly isn’t about pretending there are no bugs, nor that our code is perfect or even high quality. Our thanks to Kriss for debunking that myth.

Some have said that this report looks overly dark. If anything, it is too polite, not dark enough: CAcert has had 2 years to prepare the critical systems, and has not. It has had over a year in the current situation, and not done the migration. The issues are very clear, and have been repeated maybe a hundred times, so I won’t list them again.

The time has come for CAcert to decide whether you want an audit or not.

That’s it from audit. Next report will be (not before) November. Either it will be lighter, or darker. Over to you!
