The June Audit report to the Community, the latest in a series of two-monthly reports, is now on the wiki.  Here are some highlights.

The biggest issue facing CAcert is the state of the systems and the systems administration team. The Audit requirement is for the systems to be under a secure regime that is suitable for a certificate authority:  dual control, extra eyes over the critical systems, and reasonable physical security.  These things have not been done for the critical systems, and only partly done for the non-critical systems such as email, wiki.

The recent plan to have Evaldo lead the process has been dropped (not in my opinion due to any failing on his part).  Now the board of CAcert has to work up a new plan to make this happen somehow.

The move of the critical systems and the rebuilding of systems administration into a team has taken on the aspect of a never-ending Nordic saga, which is no good sign.  I will give it until the end of the year to see if CAcert can build the team, and put the systems into shape.  If not, we as a Community will have to re-examine how we are going to move forward without systems that are adequate to the certificate authority mission.

Other highlights:

• The CAcert Community Agreement is in place as policy, now, but the roll-out of other important issues such as CAP form (here), agreement on the website, and emailed notifications of change are all lacking.  Lack of developers is an issue, and is probably the same story as with the systems administrators team.
• Arbitration is working out well, and we are now in the “teething stage” of working through the little and unexpected problems.
• The Assurance Policy work-in-progress is now in a call to go to DRAFT, which will make it binding on the community.  This important document lays the framework for Assurance, leaving most of the details for the Handbook.  There are a couple of fairly minor changes that Assurers will need to be aware of:
  • Assurance points now only cover Assurance on your details, and there is now (to be) a new count for Experience Points.  Assurance Points will therefore always indicate only of how others have assured you, and Experience points will indicate how many Assurances you have done.
  • Mutual Assurance is now a standard option, and the CAP form will be upgraded to show that.  In effect, a non-Assurer can now assure an Assurer, but, this assurance happens under the supervision and responsibility of the Assurer.  For this, a non-Assurer can allocate 0,1,2 points according to her judgement, and you should teach her to be skeptical!
• As soon as we can make it, the older Assurers who have not done the Assurer Challenge will be blocked from more Assurances.

The Audit is a long way behind schedule.  As above, the systems are completely stalled.  The policy work is also slow, and although not a blocking action, it should be stressed:  we need these policies in place, not perfect, but usable.  Seek for consensus, and be prepared to lose some battles.  By the end of the year, we should have the Assurance process on a good strong basis.

Date of Birth information is needed for operational purposes and could not be dropped.

CAcert takes strong measures to maintain and guard your private information. Currently CAcert uses for individuals the full formal name, date of birth (DoB) and email/domain address(es). The DoB is used for discrimination of similar names of individuals.

A long debate on the CAcert policy email list (email:cacert-policy@cacert.org) discussed the issue if date of birth could be dropped from the archive. Alternatives for purpose of name discrimination were explored and debated upon. But it did not result in an accepted and efficient alternative.

CAcert made the decision to comply fully with the European privacy directive (EU DPA). The DoB information is however felt to be archived and needed for operational measurements at Assurance time (Web-of-Trust) and later. Alternatives, which are hopefully better in the name resolution, will continue to be investigated and solutions are challenged for.

It is noticed that the date of birth information is commonly used in the internet environment (and even more private information is made available) and that this data is poorly managed. Even some (European) governments are providing this information openly in some instances. The data of birth (and even email addresses) are only available to CAcert Assurers and only in times of assurance requests and arbitration cases if needed so. There are binding policies for the Assurers for doing so, subjected to arbitration.

CAcert will destroy archived copies of ID’s and asks their Assurers to do so as well.

When CAcert started in 2002 it was required that copies of ID’s were archived for 7-10 years in the archives of CAcert or archives of CAcert Assurers. In a later instance CAcert required to take note of ID numbers and/or social security numbers of the individual instead of the copy of the ID.  In 2006 for privacy reasons this data (copy of ID, personal numbers) was dropped. The CAcert Assurance Programme (CAP) form states however that the information should be kept 7-10 years.

As CAcert Inc. dropped the requirements for copies of ID and personal numbers the CAcert Inc. association by order of the Committee (Board) decided to remove this information from the CAcert archives and require that the CAcert Assurers who are in possession of that information to do the same: destroy archived copies of ID’s and delete social security numbers from the CAP forms. The information should be deleted with care as stated in the CAP agreement.

As you may know, CAcert started a big effort in 2007 to address who we are as members of a CA service provision, the Community and the increase of the recognition of CAcert as a professional CA.
CAcert belongs now to the top ten CA’s in the world! This all was inspired and demanded by the need to have CAcert Root Key included in the browsers. For this CAcert started the Audit process, which focused on the questions of Risks, Liabilities, and Obligations amongst us all.

CAcert has now conquered that monumental task. Core of that task was defining who we are as a community, and writing a CAcert Community Agreement that we can all agree to, which brings us together as that community, and which protects you, using the CAcert issued certificates, legally, financially and freely.

Here you can read the details of the CAcert Community Agreement .

Introductory notes on the agreement are on the wiki. This introduction attempts to explain some of the parts, which need maybe some more explanation, eg on free certificates, privacy concernings, certificate care and usage risks, and the CAcert Community.

The Agreement is now approved: by the Board, by the Policy Group, and by the Association, and it is now ready for you!

CAcert software developers will modify the website and the Assurance team will modify the Assurance processes to ask people to agree to it.This will take some time.
In the end we will need agreement from everyone inside the CAcert Community, because it protects each and every one of you, and all of us together, as a community.

CAcert Management Sub-Committee

CAcert announces the resignation of Greg Rose from the Board of CAcert Inc., as of 1st March 2008.

On resigning for job-related reasons, Greg said “It’s been interesting to say the least, and I feel happy to have made new friends and renewed old ones. Thanks for the opportunity and the honor to have worked with you all.“.

When the existing board resigned in March 2007, Greg stepped in to help, having been a long serving Assurer.
Greg Rose served as President during the critical period of 2007 and helped to build a new board, management team, steered the new board through this difficult phase to recover control of assets, and chairing a week-long meeting in Germany with our key people present.

This crucial period saw the approval of the new CAcert Community Agreement for all members of the Community and many other innovations thanks to an excellent cooperation from within the CAcert Community and Association Members:
the Assurer Challenge, in-house dispute resolution, Organisation Assurance, the re-invigoration of the business side of the CAcert, initiation of a funded audit project and formal procedures for creating and approving policies (eg.  Assurance policy and reformed point system, code signing, open sourcing of software, openness of the organisation, etc.).

Teus Hagen takes up the position of President, assisted by Evaldo Gardenali, Robert Cruikshank and Guillaume Romagny.

The CAcert association (CAcert Inc.) will have its Annual Meeting on Saturday 17th of November. More details: http://wiki.cacert.org/wiki/NextAnnualGeneralMeeting . You need to be a full association member in order to be able to vote.

What is on the Agenda?: board elections (five Committee members), CAcert Community Agreement (new!), CAcert Root cert usage License and Disclaimer (new!), Policy document organisation (new!), Arbitration (new!), Open Governance, membership register update.

Note also the minutes of meeting from so called CAcert TOP meeting in September 2007: http://wiki.cacert.org/wiki/TopMinutes-20070917 and current activities: security and quality enhancements to CAcert servers and services, quality improvements for CAcert assurances, Organisation Assurance initiates, CAcert community and organisations (officers and distributed responsibilites), privacy directives and openess actions (open sourcing, open governance), etc.

See the discussions on the policy and membership email lists.

teus

CAcert have seen enormous changes within the structure of CAcert during the last 3 or 4 month. This changes reflect a new, professional approach of CAcert which will allow us to grow way beyond the level we have been so far. Therefore Advisory proposed to the board to have a multiday meeting to adress all those issues. The new structure of CAcert consisting of Board, Advisory, Officers and Community needs to learn a better communication and a better cross area working. The Board has many issues on its route, like approving the backlog of important suggestions and preparing AGM, just to name a view. Advisory has to drive many issues as well, especially getting audit on track, creating policies, dealing with Super Assurers, Organisational Assurance, etc. The officers need to define their teams, their tasks, communication lines, reporting, etc.

So this meeting will be in Pirmasens, Southwest Germany in a nice meeting location in the week of 17th to 21th September 2007. More on this as soon as we know.