This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

1. The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
2. Application Engineer is removed, and that capability is returned to the Systems Adminstration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
3. One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
4. Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected a wiki-scraping script I wrote last night:

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for

Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users which have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which report the downtime and the reason for it.”

You have probably seen messages flying around about the ATEs, or Assurer Training Events, and you’re probably wondering whether it applies to you. The answer is:

This is your event, to update and to participate. More than that, it feeds into audit. This connection may be a little non-obvious, so this post is about explaining it to those wavering on their path to an ATE near them as to why you should help.

Recall that CAcert has today 3460 (and growing) Assurers around the world, and that they provide the critical information feeding into the certificates for the entire community.

That line — from Community Member to verification of information to the certificate — is of key interest to the Auditor. The certificate part is well-understood but what is less well understood is the verification part. How does the Auditor verify the actions of 3460 people spread across dozens of countries? Are they doing the job? Looking after Members? Mostly harmless or causing risks to rise?

Verifying the Assurers across the planet is a challenge we must conquer, because our audit criteria says “A.2.y The CP details how the CA verifies that [Assurers] operate in accord with the CA’s policies.” Indeed, the auditor for a big famous-name CA simply declined to audit their web of trust, and the CA found it in its heart to drop the entire thing.

But it can be done. As auditor, I visited around 8 countries in 2009 for a tiny budget of €1500 and verified personally around 80 Assurers. The German community did a similar thing across Germany, and together these results gave us a good showing. It was still marginal; we need better and broader coverage. We need scaleability and we needed process, but we had our start.

From the 2009 experiment, the Assurance Team has designed a comprehensive programme to meet the audit criteria A.2.y, and the ATE is the leading part of that. At the Assurer Training Event, you the Assurer are brought up to date with changes (dramatic), informed on essential checks (of course) and then we individually record that process (carefully and slowly). All this is then collated and prepared for an end-of-season report.

The 2010 season is now underway. If you want to help CAcert’s audit process and improve on the results below, you should look out for an ATE near you. Who wouldn’t want to be involved??? Better yet, ask at events@c.o for how to run one.

ATE-Sydney is programmed! Masa has made available a lecture theatre at Sydney University’s IT school for an ATE on evening of 24th March, 6:00pm. More details on the wiki.

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and include parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in NSW coming soon, or mail me with suggestions.

I’m in the vicinity of Canberra - Sydney for next 2 months, and looking to do ATEs. If you have some sort of venue or facility, and there are Assurers in your area, let me know.

Additions: Sydney is rolling…

iang @ the normal address, for the Assurance Team.

Liebe Freunde der Freien Software,

am 15. Jänner 2010 findet ein Fellowship-Treffen in Wien statt. Wir treffen uns ab 18:00 Uhr in der Bibliothek im Metalab, Rathausstraße 6.
Die Agenda starten wir um 19:00 Uhr.

Folgende Punkte stehen dieses Mal auf der Tagesordnung:

• Rückblick Vortrag TU Graz
• Ausblick 2010
• GnuPG Keysigning (dezentralisiert), auch CAcert assuren mögl.
• Diverses
• gemütliches Beisammensein

Wie immer richtet sich die Einladung an alle, die sich für die FSFE oder für Freie Software interessieren. Wir freuen uns auf eine große Teilnehmerzahl!

Viele Grüße,
–
Das österreichische Team der Free Software Foundation Europe
* Werde ein Fellow der FSFE und verteidige deine Freiheit! *
*** https://www.fsfe.org *** https://fellowship.fsfe.org ***

In the last few weeks, our one Support Engineer (Werner, working mostly alone) has processed 65 support requests, 40 in the last week. Each case generates 5 mails. At the moment, the SE works with an absence of system, on a clunky silly mailing list, so there is no workflow assistance available to him. He has to remember each of those cases over the days-cycle time, and relate them to all the other emails.

Errors are inevitable. I’ve so far seen and counted 3 errors or blunders. Which means we’re talking around a 5% error rate. That’s to be expected when building a new system, working with fresh people, with minimal historical help, and working through a flood of a backlog with crappy technical support and poor information. Also known as, drowning.

(Obviously, in time, we want to reduce that to around 1-2%. When I did my 5-10 cases a month back, I generated at least one error. I’m not good enough for Support, I’m up in the 10-20% range.)

You can help us by pointing out the errors, directly, and suggesting what it is you would rather have seen. Positive suggestions are always appreciated.

The Triage team — Wolfgang, Martin, Michael, Joost — have to this point worked through outstanding emails back to July this year. See the attached for a picture of today’s Inbox. *Yes, it’s more or less empty!* They got there last night, and have reached the target I set them, to get back to July.

That means a human has processed every one of approximately one thousand support emails received over the last 5 months. There’s probably dozens of errors in their processing, but that misses the point.

In the next month or so, some or all of the Triage people above will get through their ABCs and become SEs or Support Engineers. At that point Werner will have help. At that point, we’ll be able to improve our systems. And, we’ll need more Triage people!

You can help us by signing up to Triage. Let me know if you fit the profile: Assurer, great with mail / MUA, etc, time to handle lots of little, quick tasks, good with English reading (other languages an advantage), and you grok the community (CCA, DRP and you want to know more about Security Policy but were always afraid to ask…). IRC.

We need people outside the European evening slot…

iang,
interim, temporary, impatient Support t/l,
looking for any excuse to get sacked!

After a recent policy group decision p20091106, Philipp moved the DRAFT CPS onto the policy page on the main website, and also got rid of the old document that was at cacert.org/ policy .php with a redirect.

We started writing the CPS or Certification Practice Statement way back in early 2006. It was the first document to be considered, and the last to get to DRAFT state. This is in part because stuff was thrown out of it into other more appropriate documents: Organisation Assurance Policy, Dispute Resolution Policy, Policy on Policy, Assurance Policy and Security Policy all took their roots from this area, and for a while, we concentrated on those. CPS became the one that couldn’t be finished until the others were stable.

Curiously, there was already a fairly good effort at a CPS in place, written by Christian Barmala. This was a pretty good effort really, and it formed the starting point. There were two problems with the old document, which were that CAcert didn’t own or (totally) control it, and it had never faced audit scrutiny. So the decision was made pretty early on to rewrite it, and looking back, that was the right one.

Today’s move marks the removal of that old document. But our thanks go to Christian for giving us a starting point, to study and build on. Major influences on this new CPS include Philipp Güring, Jens Paul, Philipp Dunkel, Teus Hagen, Daniel Black in time order. And of course, myself, as eternal critic.

If you’re wondering, what next? then hop on over to the policy group and lend a hand. They’ve got a lot to do: CCS, finish the CPS and SP, PoJAM, TTP, Remote/Desert, Tverify, Code-Signing. Recently, the policy group just made it easier to get IDNs (a change that made it into the CPS).

And, if you’re wondering why it took 3.5 long years to get the CPS to where it is, you’re asking the wrong question. To paraphrase a recent post;

“ask not when your policy is written and ready for you, ask when you are ready to write your policy”

One of the things I recently discovered (to my surprise) is that client certs used in browsers are out of scope for browser policy purposes. This is because *the server* is the relying party, and there is no decision of reliance to make in the browser. So the vendor doesn’t care.

And, as we know, for the most part servers require a fair bit of config to get up and going … so even a decision to distro the root of one player or another isn’t so important.

The playing field is more or less level. What’s perhaps more controversial is this claim: client certs deliver more bang-for-buck in real security benefits than any other use of certs.

Which means that our idea of using client certs every where (CATS.cacert.org originally, but now webmail, archives, and this very blog!) is also a good strategic direction. We can deliver!

Therefore, Apache tutorials like this one by Dan are much more important. Download it today! Put it into practice on your website! Not to mention, that client certs delivers lots of administration benefits in easing our management of sites, as I muse on over at my blog. Have you noticed how there are no complaints about lost passwords over at CATS.cacert.org? No more comment spam on this blog [1]?

What I would like to see is a list of systems where CAcert certs are now in definite use. Production. Benefits! This would include CATS in pole position, also the blog, the webmail, the mail archives. Also possibly that OpenID server (is that run by Assurers? I assume so… I’m not even sure where it is).

[1] OK, it seems that only a very few long suffering admins could even see it. So you probably can’t see it, … and can’t imagine the joy of not having to deal with it ever again I checked last night, there is a tiny bit of trackback spam, which I can’t quite see how to deal with, but nobody cares about trackback these days…

Commentary, rants, not warnings of Downtime! Dave Birch runs a blog called Digital Identity to promote his consulting company (CHYP or Consult-Hyperion) which specialises in Money and Identity systems. His recent post on British experiences with Identity things is of interest to people here. Here’s a quick summary:

• A French ID card can be used to get you a job at Sainsbury’s, but not to buy alcohol.
• Banks can tell whether local passports are real, but foreign passports are just accepted. Because they can’t tell, they don’t.
• Remember the Irish Police force’s search for their most wanted speedster: Mr Prawo Jazdy. Once they translated the term into “driving licence” in Polish … all became clear.
• A car owner was arrested because his new form was a slightly different colour. The registration people thought it was a forgery and called the police…
• You can call the UK Border hotline to confirm a national ID card. They will tell you “to ask [your] customer for a ’second proof of identity’.”
• It’s a smart card, and the smart way to check it is “to flick the card and listen for a distinctive sound, if they doubt the card’s authenticity.”
• More here on how it is easier to get a bank account if you are a criminal or a foreigner than a poor unidentified person.

That’s all good fun! We know where all this is going … indeed, one of the strengths of the CAcert Assurance Process is just this. Working with the documents might be called a competence of CAcert, if we were into management-speak.

Read the whole article for the fuller picture; it’s fun. One thing I will disagree with Dave on is his recommendation that there be a digital solution that either works or it doesn’t. Although I frequently remind people that, in a well designed security system, “There is only one mode, and it is secure,” I think actually it is a hopeless goal to expect the British government to field such a system. They will create a pink elephant.

Far better for new identity systems to emerge from the marketplace. As suggested by Dave, this is likely to be the mobile phone. We are around 80% of the way there; and with things like Android, the other 20% is now on the marketplace. Soon enough…