Author Archives: iang

About iang

Contrarianism rocks! Security for the members. Help yourselves, coz no-one else will. Must be time for a cup of tea.

Special General Meeting 20090725

CAcert Inc, the association within the Community, held an SGM or special general meeting on Saturday 21:00 UTC. Which makes it evening in Europe, afternoon in the Americas, and tomorrow morning in Australia.

Between 38 and 42 members were present. 4 business items were duly filed (21 days in advance) and were dealt with in the meeting.

#1, that pending applications for joining the association be accepted was passed with no vote, because all applications had already been dealt with.

#2 is a comprehensive rule change that (among other things) asked to do this:

  • made the status of Assurer the only requirement for membership of the Association,
  • increased the size of the board to 10,
  • rewrote and fixed up lots of other bugs in the rules.

It was voted and achieved 24 AYES against 14 Nayes. As this is a rule change, it required 75% and therefore failed. But, a good showing.

Item #3 was the controversial one. The first resolution said we association members were “disenheartened at the breakdown of working relationship.” It passed with 35 AYES to 5 Nayes. The second resolution said “the committee no longer enjoys the confidence, of the members, and [they] are removed.” It was duly voted and passed with 20 AYEs to 16 Nayes. With that resolution the board was relieved and opened for the next item.

The final business of the day was to elect a new board of 7 seats for an interim period of 4 months, until the next AGM. This was conducted on a person-by-person basis, and the 7 top-voted candidates were chosen:

Name Position
Nick Bebout President
Mark Lipscombe Vice-President
Ernestine Schwob Secretary
Philipp Dunkel Treasurer
Guillaume Romagny Ordinary Member
Andreas Buerki Ordinary Member
Ian Grigg Ordinary Member

This is the new committee of the association, or board. Please note:

  • the committee will adjust the positions somewhat, and
  • this committee is interim only, in place for 4 months. At the AGM, traditionally in November, they will stand down and face re-election.

Postscript: By means of m20090728.1 the committee agreed that Ernestine Schwob is now Treasurer and that Philipp Dunkel is now Secretary. No other changes are envisaged.

Audit Report 20090426

The latest of the audit reports, for Jan-April, is now on the wiki. Much has happened since the last report, here are the headlines:

  1. CAcert has a new Security Policy in DRAFT which covers the systems administrators, the Access Engineers, and also the Support and Software people.
  2. With this in place, Audit will now visit the systems team in Ede, Netherlands in early May. This will be the first visit to review the systems against that Security Policy. My guess is that we will need 3 visits.
  3. A new Software Development team met in Innsbruck last week to review the software and prepare the way forward. Their recommendation: total rewrite. The design was done during the week, and is documented. Next steps are to .. write the code! This is where we find out if coding is really as easy as talking 🙂 if you want to participate, and who wouldn’t want to be in the team that totally changes the face of CAcert … then keep an eye on the cacert-devel list.
  4. Assurance Policy is now full POLICY.
  5. Audit is now in high gear checking Assurances. See all the other blog posts.
  6. On 16th May, in Munich, we will meet up with the heavy-hitting German Assurance team of Sebastian, Ulrich and Ted. There, we’ll talk about the results from the audit checks, and think about a roadmap for the future.

Big picture: Audit is in high gear. Much will be done, much will be checked. Now this might be “optimistic” but bear in mind that the resources are very limited. If there are any missteps, if there are any big delays, then CAcert is in trouble. We simply don’t have the time and money to delay this into the future.

So, watch out for appeals for help, and consider jumping into effort. You will be unhappy if you miss that chance, you will have nothing to tell your grandchildren after the war is over 🙂

Paris :-)

Paris in the Spring time, so we must do an ATE — Assurer Training Events — in Paris as well.

  • location: Starbuck in “Chatelet Les Halles” but note: because of overcrowding/noise, we may move to the Cafe next door, to right. Look for us!
  • date: Saturday 02 May
  • time: 17:00 to 20:00 (may change)
  • event organisers: Guillaume (06 60 75 45 54) and Frédéric

Fuller details on the wiki at ATE-Paris. Contact iang@c.o or events@c.o if you can help.  Mail Guillaume@c.o or phone 06 60 75 45 54 if you would like some local tips.

London! Spring! Assurer Training! The Red Lion

Yes, it’s happening:  Assurer Training Events comes to London:

  • location: The Red Lion pub (meeting room downstairs)
  • date & time: 12 May, 17:30 to 19:30
  • local arrangements:  Graeme Burnett of Enhyper

Fuller details on the wiki at ATE-London.  Contact iang@c.o or events@c.o if you know your English pubs..

Budapest is on the CAcert map!

ATE09 will travel from Prague to Budapest … open call for All Assurers in Budapest, please contact events at c.o or iang at c.o.
Basic Specifications are:

  1. location: third floor, room 3.607, Eötvös Lóránd University, Pázmány Péter Sétány 1/C
  2. date & time: 30th Thursday, 18:00 to 20:00 (note it has been put back an hour!)
  3. local arrangements: Dani Nagy

Fuller details on the wiki page for ATE-Budapest. Contact us if you can help!

ATE09 travels to Prague!

ATE09 travels to Prague!  we are now looking for All Assurers in the area.
Basic Specifications are:

  1. location: meeting room at Pylonware corporation.  Note:  Be there early because it takes a while to find the meeting room.
  2. date & time: 28th Tuesday, (probably 17:00 –> 19:00)
  3. local arrangements: Tomáš Trnka

Fuller details on the wiki page for ATE-Prague. Contact us if you can help!  (And then onto Budapest.)

Innsbruck Assurer’s event

Sometime in the week 20th to 24th April (2 short weeks away) several of the CAcert people will be in Innsbruck, Austria for a software auditing camp.
We are planning to break away from software auditing and having an event along the lines of the ATE09 series … and we are now looking for All Assurers in the Inssbruck area!

Basic Specifications are:

  1. location: TWI
  2. date & time:  20th Monday, 17:00 –> 19:00
  3. local arrangements: Martin Hotze

Fuller details on the wiki page for ATE-Innsbruck.

Assurance Event + Disk Destruction = Vienna 28th Feb

There will be a combined Assurance Event and Disk Retirement Processing (a.k.a. Destruction) in Vienna, Austria, 28th February.

Likely agenda will be:

  1. Presentation of “New Assurance”
  2. Workshop for New Assurers:
  3. Lots of Assurances
  4. Ceremony for the Destruction of the Vienna Disks,
    • as directed by the Board of CAcert.
    • Bring your heavy tools.

Garnisongasse 7.  19:00 to 21:00.  Mark your calendars, diaries, agendas, foreheads!

invited talk at LISA2008

As mentioned by Maurice, I presented this at LISA2008:

An Open Audit of an Open Certification Authority

How does a lightweight community Certification Authority (“CA”) engage in the heavyweight world of PKI and secure browsing? This talk tracks the systems audit of CAcert, an open-membership CA, as a case study in auditing versus the open Internet, community versus professionalism, quality versus enthusiasm. It will walk through the background of “what, why, wherefore an audit,” look at how CAcert found itself at this point, and then walk through some big ticket items: risks/liabilities/obligations; assurance and what’s in a name; disputes and reliance; and systems and security.

Can CAcert deliver on its goal of free certs? The audit is into its 3rd year as of this writing; and remains incomplete. Some parts are going well, and other parts are not; by the end of the year 2008, we should be able to check all of the important areas, or rethink the process completely. Hence, finally, the talk will close with progress and status, and recommendations for the future.

There are slides and a very long paper on my paper’s page.  As this was a talk invited by LISA, and as the job of audit is to look for the bad things, not the good things, this talk is quite brutal in parts. Not for the squeamish.

Servers Moved (comments from audit)

The CAcert critical services are now running on machines in the Netherlands.  This involved shutting down the machines in Vienna, transporting the data to Netherlands, handing over to a new team, and bringing the data up in the new location.

Names and places of the running systems will be mentioned elsewhere no doubt, but our thanks go to two groups in Vienna:  Funkfeuer and Sonance.  These two community groups provided the help when it was needed, and now they stand down from operational support to CAcert, retaining only a mention in the history (and, of course, many future Assurances).

BIT colo cam 4 ... not sure this is the right oneTo look at the audit context:  Although I was there, this move was not an audited, officially monitored operation;  this is because (a) the audit was frozen back in December of 2006, partly because of the difficult systems issues, (b) we still lack the full documentation set against which to audit, (c) the new team are focussed on getting basic control, and are not ready for dual control.  Also, always remember to view the auditor presence under the Heisenbergian lens of skepticism! It is your job to check the move and make it safe.  The auditor makes sure you are doing the job, so that we can all rely on the job being done each and every time.

Once we get a declaration that things are under control, the team expands its vision from the brutal short-term needs, and starts on its impressive task list, we will look at getting the audit formally restarted.

Still, that all said, the big job has been done, and done well.  The systems are now in place in the BIT high security ISP, and the new team is doing the work-through.  That will take place over the next few weeks.  At some stage, the new team will then be looking to carve up the work and bring in new people.  This latter expansion will be handled carefully, but it is necessary.  Think about that…

You can help in two ways.  One, take load of the systems people by helping in support, software and a myriad of other tasks.  Two, getting the CPS into DRAFT by answering the two blocking challenges.  Over to you!