As mentioned by Maurice, I presented this at LISA2008:
An Open Audit of an Open Certification Authority
How does a lightweight community Certification Authority (“CA”) engage in the heavyweight world of PKI and secure browsing? This talk tracks the systems audit of CAcert, an open-membership CA, as a case study in auditing versus the open Internet, community versus professionalism, quality versus enthusiasm. It will walk through the background of “what, why, wherefore an audit,” look at how CAcert found itself at this point, and then walk through some big ticket items: risks/liabilities/obligations; assurance and what’s in a name; disputes and reliance; and systems and security.
Can CAcert deliver on its goal of free certs? The audit is into its 3rd year as of this writing; and remains incomplete. Some parts are going well, and other parts are not; by the end of the year 2008, we should be able to check all of the important areas, or rethink the process completely. Hence, finally, the talk will close with progress and status, and recommendations for the future.
There are slides and a very long paper on my paper’s page. As this was a talk invited by LISA, and as the job of audit is to look for the bad things, not the good things, this talk is quite brutal in parts. Not for the squeamish.