CAcert Inc, the association within the Community, held an SGM or special general meeting on Saturday 21:00 UTC. Which makes it evening in Europe, afternoon in the Americas, and tomorrow morning in Australia.

Between 38 and 42 members were present. 4 business items were duly filed (21 days in advance) and were dealt with in the meeting.

#1, that pending applications for joining the association be accepted was passed with no vote, because all applications had already been dealt with.

#2 is a comprehensive rule change that (among other things) asked to do this:

• made the status of Assurer the only requirement for membership of the Association,
• increased the size of the board to 10,
• rewrote and fixed up lots of other bugs in the rules.

It was voted and achieved 24 AYES against 14 Nayes. As this is a rule change, it required 75% and therefore failed. But, a good showing.

Item #3 was the controversial one. The first resolution said we association members were “disenheartened at the breakdown of working relationship.” It passed with 35 AYES to 5 Nayes. The second resolution said “the committee no longer enjoys the confidence, of the members, and [they] are removed.” It was duly voted and passed with 20 AYEs to 16 Nayes. With that resolution the board was relieved and opened for the next item.

The final business of the day was to elect a new board of 7 seats for an interim period of 4 months, until the next AGM. This was conducted on a person-by-person basis, and the 7 top-voted candidates were chosen:

Name	Position
Nick Bebout	President
Mark Lipscombe	Vice-President
Ernestine Schwob	Secretary
Philipp Dunkel	Treasurer
Guillaume Romagny	Ordinary Member
Andreas Buerki	Ordinary Member
Ian Grigg	Ordinary Member

This is the new committee of the association, or board. Please note:

• the committee will adjust the positions somewhat, and
• this committee is interim only, in place for 4 months. At the AGM, traditionally in November, they will stand down and face re-election.

Postscript: By means of m20090728.1 the committee agreed that Ernestine Schwob is now Treasurer and that Philipp Dunkel is now Secretary. No other changes are envisaged.

The latest of the audit reports, for Jan-April, is now on the wiki. Much has happened since the last report, here are the headlines:

1. CAcert has a new Security Policy in DRAFT which covers the systems administrators, the Access Engineers, and also the Support and Software people.
2. With this in place, Audit will now visit the systems team in Ede, Netherlands in early May. This will be the first visit to review the systems against that Security Policy. My guess is that we will need 3 visits.
3. A new Software Development team met in Innsbruck last week to review the software and prepare the way forward. Their recommendation: total rewrite. The design was done during the week, and is documented. Next steps are to .. write the code! This is where we find out if coding is really as easy as talking 🙂 if you want to participate, and who wouldn’t want to be in the team that totally changes the face of CAcert … then keep an eye on the cacert-devel list.
4. Assurance Policy is now full POLICY.
5. Audit is now in high gear checking Assurances. See all the other blog posts.
6. On 16th May, in Munich, we will meet up with the heavy-hitting German Assurance team of Sebastian, Ulrich and Ted. There, we’ll talk about the results from the audit checks, and think about a roadmap for the future.

Big picture: Audit is in high gear. Much will be done, much will be checked. Now this might be “optimistic” but bear in mind that the resources are very limited. If there are any missteps, if there are any big delays, then CAcert is in trouble. We simply don’t have the time and money to delay this into the future.

So, watch out for appeals for help, and consider jumping into effort. You will be unhappy if you miss that chance, you will have nothing to tell your grandchildren after the war is over 🙂

As mentioned by Maurice, I presented this at LISA2008:

An Open Audit of an Open Certification Authority

How does a lightweight community Certification Authority (“CA”) engage in the heavyweight world of PKI and secure browsing? This talk tracks the systems audit of CAcert, an open-membership CA, as a case study in auditing versus the open Internet, community versus professionalism, quality versus enthusiasm. It will walk through the background of “what, why, wherefore an audit,” look at how CAcert found itself at this point, and then walk through some big ticket items: risks/liabilities/obligations; assurance and what’s in a name; disputes and reliance; and systems and security.

Can CAcert deliver on its goal of free certs? The audit is into its 3rd year as of this writing; and remains incomplete. Some parts are going well, and other parts are not; by the end of the year 2008, we should be able to check all of the important areas, or rethink the process completely. Hence, finally, the talk will close with progress and status, and recommendations for the future.

There are slides and a very long paper on my paper’s page.  As this was a talk invited by LISA, and as the job of audit is to look for the bad things, not the good things, this talk is quite brutal in parts. Not for the squeamish.

The CAcert critical services are now running on machines in the Netherlands.  This involved shutting down the machines in Vienna, transporting the data to Netherlands, handing over to a new team, and bringing the data up in the new location.

Names and places of the running systems will be mentioned elsewhere no doubt, but our thanks go to two groups in Vienna:  Funkfeuer and Sonance.  These two community groups provided the help when it was needed, and now they stand down from operational support to CAcert, retaining only a mention in the history (and, of course, many future Assurances).

To look at the audit context:  Although I was there, this move was not an audited, officially monitored operation;  this is because (a) the audit was frozen back in December of 2006, partly because of the difficult systems issues, (b) we still lack the full documentation set against which to audit, (c) the new team are focussed on getting basic control, and are not ready for dual control.  Also, always remember to view the auditor presence under the Heisenbergian lens of skepticism! It is your job to check the move and make it safe.  The auditor makes sure you are doing the job, so that we can all rely on the job being done each and every time.

Once we get a declaration that things are under control, the team expands its vision from the brutal short-term needs, and starts on its impressive task list, we will look at getting the audit formally restarted.

Still, that all said, the big job has been done, and done well.  The systems are now in place in the BIT high security ISP, and the new team is doing the work-through.  That will take place over the next few weeks.  At some stage, the new team will then be looking to carve up the work and bring in new people.  This latter expansion will be handled carefully, but it is necessary.  Think about that…

You can help in two ways.  One, take load of the systems people by helping in support, software and a myriad of other tasks.  Two, getting the CPS into DRAFT by answering the two blocking challenges.  Over to you!