Category Archives: News

News Relating to CAcert

SP to DRAFT — marks the milestone in Policy!

This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

  1. The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
  2. Application Engineer is removed, and that capability is returned to the Systems Adminstration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
  3. One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
  4. Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected a wiki-scraping script I wrote last night:

Name # Decisions
Tomáš 10 p20100510,p20100426,p20100401,p20100119,p20100113,p20091108,p20091106,p20090706,p20090327,p20081016
Faramir 10 p20100510,p20100426,p20100401,p20100326,p20100120,p20100119,p20100113,p20091106,p20090706,p20090327
Lambert 10 p20100426,p20100401,p20100326,p20100113,p20091108,p20091106,p20090706,p20090327,p20090105.1,p20081016
Philipp D 9 p20100510,p20100426,p20100401,p20100113,p20091106,p20090706,p20090327,p20090105.1,p20081016
Pieter 8 p20100510,p20100426,p20100401,p20100306,p20100120,p20100113,p20091106,p20090327
Iang 8 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113,p20091106,p20090706
Ulrich 7 p20100510,p20100426,p20100401,p20100326,p20100306,p20100120,p20100119
Ted 7 p20100510,p20100120,p20100119,p20100113,p20091106,p20090706,p20081016
Brian 7 p20100510,p20100426,p20100401,p20100119,p20091108,p20091106,p20090706
Morten 6 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for 😉

scheduled systems downtime – 15th June

Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users which have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which report the downtime and the reason for it.”

Community 2010 March Update

  • 2010-03-30 New Roots task force offers SHA2 based roots/end user certificates for testing
  • 2010-03-30 Software-Assessment Project telco 2010-03-30
    • GIT as the future Software Assessment repository passed test successful
    • Testserver needs Testserver Management System, action plans triggered to start a deployment
  • 2010-03-27 Walter Güldenberg appointed as Events Team Leader
  • 2010-03-26 Sysadmin team works out way forward for SNI, client certificate authentication and SSL renegotiation changes in browsers
  • 2010-03-26 Security Policy – Board vetos Security Policy Draft regarding point 9.1.4.2. Coverage – Board sighting conflicts with CAcert incorporated rules
  • 2010-03-25 Ongoing update of CAcert Officers list
  • 2010-03-24 First ATE in 2010 season: ATE-Sydney with 6 co-Audited Assurances and addtl. 14 interested Attendees
    • Discussions through email and irc about how to seed CAcert deserts. Plans for contacting Usergroups (existing IT related social networks)
    • mostly, area has many old SuperAssurers that will have faded away
  • 2010-03-21 Board Meeting 2010-03-21 “Determine Root escrow and recovery mechanism” review ends with no consensus
  • 2010-03-18 Rasika Dayarathna, our Privacy Officer, resigned due to lack of time. Looking forward to rejoining us later.
  • 2010-03-14 Boards Projects Overview Page started deployment
    • with this page, Board and also Community can get a better overview over the running and upcoming projects regarding Audit
    • currently active areas/projects:
  • 2010-03-13 Board Members allowed to serve on arbitration team again
  • 2010-03-06 Daniel Black gets appointed as Infrastructure Team Leader
  • 2010-03-06 Efficiency gain – Policy Officer empowered to perform minor adjustments to policy
  • 2010-03-06 CeBIT 2010 Big Assurance Event successful passed after 5 days with a team of about 8 to 12 and more Assurers. CAcert was one of the 15 projects on the booth at the Open Source Project Lounge sponsored by Linux New Media.
  • 2010-03-03 Co-Audited Assurances Program finalized and starts at CeBIT 2010

Contributions to this Community Update by: Ian, Daniel, Uli

Community 2010 February Update

  • 20100221 Markus Warg appointed to Software Assessment.
    * He is now the 2nd team member in a new team that will be formed under the “Repository Project” by Andreas Bäß
    * Also involved in this project is the Critical sysadmins team for building up the Servers and software for becoming testing and staging servers.
    * Also to train the system recovery from scratch
    * Also to prepare a proposed system upgrade
    * These are the first results from the Software MiniTOP Essen Dec 16th 2009
  • 20100221 UlrichSchroeter appointed as Assurance Officer
    * Board accepts Sebastian’s resignation as Assurance team leader, and thank him for steering the ship over the last year. Sebastian remains on the Assurance team! Board appoints Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy.
  • 20100221 Michael Tänzer appointed as Support Officer
    * Board appointed Michael as support team leader and accepts Ian Grigg’s resignation as support team leader.
    * (Formally, as Support Officer within Security Policy.)
  • 20100213 Software MiniTOP Offenbach Feb 13th 2010
    * Current State of ”Repository Project”
  • 20100206 Assurance MiniTOP Brussels Feb 6th 2010 – on the Agenda were several topics
    * Assurance – Tasks for coming weeks.

    • Plan for Events.
    • Submit review to board.
    • new AO and EO to board.
    • prepare CeBIT.
    • finish Co-auditing Programme for 2010, in time for CeBIT.

    * CeBIT
    * Roles
    * Support
    * ABC interviews
    * Recruitment
    * Co-Audit
    * Defining the Co-Auditor
    * co-Audit Team
    * co-Audit preparation

  • 20100201 p20100119 PoJAM to DRAFT resolved.
    * https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html
    * Now the Subpolicy is binding to Assurers for assuring minors and als minors to be Assurers.
    * This is the first policy in a series of subpolicys under AP, that cames back after all special assurance programs becomes frozen.

Further Community Update News you will find in the Wiki Community Update

CAcert AGM, New Board and Annual Report


On 2010-01-30 CAcert held its Annual General Meeting. Minutes will be published soon on the wiki.

A new board was elected and positions were assigned during 2010-02-02 board meeting. We are happy to announce the new CAcert board formed by

  • Lambert Hofstra (President)
  • Daniel Black (Vice President)
  • Ernestine Schwob (Treasurer)
  • Mark Lipscombe (Secretary and continuing as Public Officer)
  • Nick Bebout (Member)
  • Mario Lipinski (Member)
  • Ian Grigg (Member)

During the AGM CAcert’s annual report (PDF) was presented and accepted by the membership. It shows many things happened at CAcert during the last year and is worth reading to get an impression of CAcert’s progress during the last time.

A big thank you to all people volunteering and helping to achieve this successful result. CAcert is dependent on many volunteers and is looking forward for your help to achieve such a good result for the coming year.

CAcert at FOSDEM 2010

Fosdem 2010CAcert will be present at Fosdem 2010, the Free and Open Source Software Developers’ European Meeting, February Sat 6th and Sun 7th 2010

As our CrossCommunity guest on our booth we are welcome A. Stormont with the projects Nexanta and StormOS

CU at Fosdem ….

CAcert at OpenSourceDays-2010 Copenhagen, DK – March 5th + 6th

CAcert will be present at OpenSourceDays-2010 Copenhagen, DK, March 5th and 6th with a booth and a Keysigningparty.
DIKU Copenhagen, DK
Open Source Days is the largest open source conference in the Nordic area. It’s your opportunity to meet, share, and learn from professional open source experts.
Continue reading