Category Archives: Information

General news/information to the CAcert community or about security in general

CAcert AGM, New Board and Annual Report


On 2010-01-30 CAcert held its Annual General Meeting. Minutes will be published soon on the wiki.

A new board was elected and positions were assigned during 2010-02-02 board meeting. We are happy to announce the new CAcert board formed by

  • Lambert Hofstra (President)
  • Daniel Black (Vice President)
  • Ernestine Schwob (Treasurer)
  • Mark Lipscombe (Secretary and continuing as Public Officer)
  • Nick Bebout (Member)
  • Mario Lipinski (Member)
  • Ian Grigg (Member)

During the AGM CAcert’s annual report (PDF) was presented and accepted by the membership. It shows many things happened at CAcert during the last year and is worth reading to get an impression of CAcert’s progress during the last time.

A big thank you to all people volunteering and helping to achieve this successful result. CAcert is dependent on many volunteers and is looking forward for your help to achieve such a good result for the coming year.

CAcert at FOSDEM 2010

Fosdem 2010CAcert will be present at Fosdem 2010, the Free and Open Source Software Developers’ European Meeting, February Sat 6th and Sun 7th 2010

As our CrossCommunity guest on our booth we are welcome A. Stormont with the projects Nexanta and StormOS

CU at Fosdem ….

CAcert at OpenSourceDays-2010 Copenhagen, DK – March 5th + 6th

CAcert will be present at OpenSourceDays-2010 Copenhagen, DK, March 5th and 6th with a booth and a Keysigningparty.
DIKU Copenhagen, DK
Open Source Days is the largest open source conference in the Nordic area. It’s your opportunity to meet, share, and learn from professional open source experts.
Continue reading

December 2009 Community Update

  • 20091221 Nick Bebout: Resignation as Dispute Resolution Officer (DRO)
  • [Poll for AGM day] (Fr,Sa,Su?) Inc Members, please vote! (finished)
  • 20091220 Board Meeting
    • “process of software review” ends with the motion: m20091220.2, propose 4 people, and to request ABCs
    • Support is proceeding to bring in Triage people. 3 ABCs have been completed. Michael Taenzer, Martin Schultze, Wolfgang Kasulke are now complete, so t/l-support will probably propose them for Support Engineer.
    • Arbitration: “That, given m20090811.1, and today’s informal information that some arbitrators are non-working, board requests an immediate update of the state and health of the Arbitration system from DRO, with a view to changing the roles and re-invigorating the process.”. Motion m20091220.3 carried
    • Update on Finance: No Annual General Meeting schedule yet (Update: Boardmeeting Jan 3th: AGM is at Jan 30th)
    • Minutes 20091216 Essen Software MiniTOP
      • Software, repository: Repository is up and going. Haven’t got the test system, just the developer system. We expect to have everything together by end of January.
      • Birdshack doco
      • Root ceremony: In order to re-do this process, we have to do: planning, collection of the people, budget, hardware, and also to come up with a new concept for protection of the root. This latter is important, and the whole thing will need to be serious and documented for presentation to a new auditor.
    • Hamburg Assurance mini-TOP 20091215 results with three new Special Assurance programs proposals
  • 20091215 Confirmation received for a booth at the CEBIT 2010. CAcert get this sponsored booth from the Linux New Media (Cebit Open Source) (CEBIT Event Organisation)
  • 20091211 Support Team declares reaching a milestone in clearing out the support Inbox. All that’s left is the future!
  • 20091205 Confirmation received for a booth at the FOSDEM 2010 6-7 Feb 2010, Brussels Belgium. (FOSDEM Event Organisation)

Original Wiki Post 2009 December Update

Annual General Meeting

Today the board has passed the motion m20100103.4 to set the date for January 30th 2010 at 21:00 UTC. It is therefore my pleasure as secretary of CAcert Inc. to invite all members of CAcert to attend this Annual General Meeting.

When: Saturday 2010-01-30 21:00 UTC
Where: irc.cacert.org #agm
Who: All CAcert Inc. Members

Please also remember to pay your dues, since according to current rules you may not otherwise vote.

Regards,
Philipp Dunkel
(Secretary)

CAcert at FOSDEM and CEBIT 2010 – Booths confirmed

At Saturday Dec 5th 2009 we received the confirmation for a booth at the FOSDEM 2010 6-7 Feb 2010, Brussels Belgium. (FOSDEM Event Organisation)
FOSDEM 2010

and at Tuesday 15th, 2009 we also received the confirmation for a booth at the CEBIT 2010. CAcert get this sponsored booth from the Linux New Media (Cebit Open Source) (CEBIT Event Organisation)
Linux New Media
CEBIT 2010

Support Activity and Error Rates

In the last few weeks, our one Support Engineer (Werner, working mostly alone) has processed 65 support requests, 40 in the last week. Each case generates 5 mails. At the moment, the SE works with an absence of system, on a clunky silly mailing list, so there is no workflow assistance available to him. He has to remember each of those cases over the days-cycle time, and relate them to all the other emails.

Errors are inevitable. I’ve so far seen and counted 3 errors or blunders. Which means we’re talking around a 5% error rate. That’s to be expected when building a new system, working with fresh people, with minimal historical help, and working through a flood of a backlog with crappy technical support and poor information. Also known as, drowning.

(Obviously, in time, we want to reduce that to around 1-2%. When I did my 5-10 cases a month back, I generated at least one error. I’m not good enough for Support, I’m up in the 10-20% range.)

You can help us by pointing out the errors, directly, and suggesting what it is you would rather have seen. Positive suggestions are always appreciated.

an almost empty Triage mailboxThe Triage team — Wolfgang, Martin, Michael, Joost — have to this point worked through outstanding emails back to July this year. See the attached for a picture of today’s Inbox. *Yes, it’s more or less empty!* They got there last night, and have reached the target I set them, to get back to July.

That means a human has processed every one of approximately one thousand support emails received over the last 5 months. There’s probably dozens of errors in their processing, but that misses the point.

In the next month or so, some or all of the Triage people above will get through their ABCs and become SEs or Support Engineers. At that point Werner will have help. At that point, we’ll be able to improve our systems. And, we’ll need more Triage people!

You can help us by signing up to Triage. Let me know if you fit the profile: Assurer, great with mail / MUA, etc, time to handle lots of little, quick tasks, good with English reading (other languages an advantage), and you grok the community (CCA, DRP and you want to know more about Security Policy but were always afraid to ask…). IRC.

We need people outside the European evening slot…

iang,
interim, temporary, impatient Support t/l,
looking for any excuse to get sacked!

Discontinuation of “Trusted Third Party” assurances

Recently a dispute was filed about some confusion with our “Trusted Third Party” procedure. As part of this arbitration the board was asked for some explanatory words on the discontinuation of the TTP. In order to comply with this request and also shed some light on the issue, I have taken on the task of explaining this.

First off there is a misconception, that the board decided to discontinue the TTP. That is a misconception, because the board does not have the authority to do so. However the TTP was discontinued by the policy-group. The reason for this was simply that there was no policy to describe how the TTP procedure worked. As such the practice was outside the policies and needed to be stopped until a policy has been written defining TTP. The policy group has since made several attempts at writing such a policy, but has not yet come to a conclusion.

So I would invite everyone interested in this area, to please join the policy group, which is open to all community members, and help us write this policy and remedy the situation.

After the policy group had made the decision to discontinue several practices that fell outside the Assurance Policy by moving it to policy status the board felt it necessary, in its role as executive organ of CAcert, to enforce that decision. It did so with a motion ordering the ceasing of all assurances not under the Assurance Policy. This motion caused the systems team to terminate these practices.

However at the time it was missed that there was still a page up on the cacert.org website explaining the availability of the TTP process. This page has since been removed.

So to sum up, the board neither had the power nor did it in fact terminate the TTP, it simply enforced a decision by the policy group. However the communication of these facts was sorely lacking.

So to clear things up, and to comply with the Arbitrator order in Dispute a20091118.1 it should be clearly stated that:

The TTP programme is effectively Frozen until a subsidiary policy under the Assurance Policy is written and moved to DRAFT. Until such a time the TTP programme is against the Assurance Policy rules.

Note: although I am currently serving on the CAcert Inc. Board of Directors, I do not have authority to speak for the board. Therefore this article is written solely on my own behalf.

A small milestone: CPS to the main site

After a recent policy group decision p20091106, Philipp moved the DRAFT CPS onto the policy page on the main website, and also got rid of the old document that was at cacert.org/ policy .php with a redirect.

We started writing the CPS or Certification Practice Statement way back in early 2006. It was the first document to be considered, and the last to get to DRAFT state. This is in part because stuff was thrown out of it into other more appropriate documents: Organisation Assurance Policy, Dispute Resolution Policy, Policy on Policy, Assurance Policy and Security Policy all took their roots from this area, and for a while, we concentrated on those. CPS became the one that couldn’t be finished until the others were stable.

Curiously, there was already a fairly good effort at a CPS in place, written by Christian Barmala. This was a pretty good effort really, and it formed the starting point. There were two problems with the old document, which were that CAcert didn’t own or (totally) control it, and it had never faced audit scrutiny. So the decision was made pretty early on to rewrite it, and looking back, that was the right one.

Today’s move marks the removal of that old document. But our thanks go to Christian for giving us a starting point, to study and build on. Major influences on this new CPS include Philipp Güring, Jens Paul, Philipp Dunkel, Teus Hagen, Daniel Black in time order. And of course, myself, as eternal critic.

If you’re wondering, what next? then hop on over to the policy group and lend a hand. They’ve got a lot to do: CCS, finish the CPS and SP, PoJAM, TTP, Remote/Desert, Tverify, Code-Signing. Recently, the policy group just made it easier to get IDNs (a change that made it into the CPS).

And, if you’re wondering why it took 3.5 long years to get the CPS to where it is, you’re asking the wrong question. To paraphrase a recent post;

“ask not when your policy is written and ready for you,
ask when you are ready to write your policy”