To All Assurers,
A new Password Recovery w/ Assurance procedure has been established through Arbitration case a20100407.1.
The procedure is outlined under https://wiki.cacert.org/Support/PasswordRecoverywithAssurance
This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:
We now have a complete set of policies for audit !
We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009; it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list of all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:
Audit => Criteria (we call them DRC) => CCS (the index)
Then, with CCS in hand, the Auditor can find the parts needed:

            --> Policies
           /
  CCS ==----> critical systems
           \
            --> roles in control, etc
CCS was the missing link. Luckily the index CCS is relatively easy to write if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back, policy group pushed it through: we finally brought the CCS into its place as a (DRAFT) binding policy.
That should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then, we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:
Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!
Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.
If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.
Thank your policy group, and help out with reading and voting!
35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected by a wiki-scraping script I wrote last night:
Name | # | Decisions |
---|---|---|
Tomáš | 10 | p20100510,p20100426,p20100401,p20100119,p20100113,p20091108,p20091106,p20090706,p20090327,p20081016 |
Faramir | 10 | p20100510,p20100426,p20100401,p20100326,p20100120,p20100119,p20100113,p20091106,p20090706,p20090327 |
Lambert | 10 | p20100426,p20100401,p20100326,p20100113,p20091108,p20091106,p20090706,p20090327,p20090105.1,p20081016 |
Philipp D | 9 | p20100510,p20100426,p20100401,p20100113,p20091106,p20090706,p20090327,p20090105.1,p20081016 |
Pieter | 8 | p20100510,p20100426,p20100401,p20100306,p20100120,p20100113,p20091106,p20090327 |
Iang | 8 | p20100510,p20100426,p20100306,p20100120,p20100119,p20100113,p20091106,p20090706 |
Ulrich | 7 | p20100510,p20100426,p20100401,p20100326,p20100306,p20100120,p20100119 |
Ted | 7 | p20100510,p20100120,p20100119,p20100113,p20091106,p20090706,p20081016 |
Brian | 7 | p20100510,p20100426,p20100401,p20100119,p20091108,p20091106,p20090706 |
Morten | 6 | p20100510,p20100426,p20100306,p20100120,p20100119,p20100113 |
(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)
We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.
This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.
Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:
Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!
And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for 😉
Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:
“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.
During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users who have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which reports the downtime and the reason for it.”