Category Archives: Progress

Software-Assessment-Project reached next milestone

Leave a reply

Todays systemlog message marks the quantum leap in our about 10 months project work, to become the Software-Assessment area auditable.

As many Software-Updates are in the queue from the software developers, that needs testing and reviews by Software Assessors, the team started by end of last year with this project,

  • to build up a new ”controlled” testserver with authority by Software-Assessors
  • built up by the critical team as a Disaster Recovery testcase
  • a new central repository for all the upcoming software projects (including the New Software project BirdShack)
  • building a new test team running the software tests
  • and finalyze the process by a review of the patches by 2 Software-Assessors
  • document the patches, the testing, the review and the check by two Software-Assessors
  • to bundle the new Software-revision for transfer to the Critical team

The systemlog message signals, that the first tested and reviewed patches has received by the critical system webdb and is incorporated into production. A new tarball has been generated to build the next basis for applying the next patches.

So here my thanks goes to all the involved teams,

  • Software-Assessment-Project team
  • the new Software Testteam
  • the Critical Sysadmins team
  • and last but not least to the Software-Assessors from the Software-Assessment team

With all these people assistance, this project hadn’t be pushed to this milestone. Thank you Andreas, to build the project plan and the technical background, and also hosting the current testserver, Thank you Wytze for all your work to build the new testserver from scratch as identical as possible to the production server, to Michael, who assist us in deploying the new git repository and also assistance in deploying the Testserver-Mgmt-System, so everybody can start testing w/o the need of console access, Thank you Markus, for all your time and effort to deploy the repository and testserver environment and also your work together with Philipp as Software-Assessor, to finalyze the Software-Update-Cycle. Thank you Dirk for all your suggestions to move on with this project.

Some more work is todo:

  • adding a test-signer, so also cert related patches can be tested in the future (Andreas and Markus are working on this)
  • deploying a C(ontinous)I(ntegration) system for automated testing (Andreas is working on this).

Now the teams have to walk thru the list of open bugs, that needs to be pushed thru … First of all is the “Thawte” bug … to signal all users who’ve got their Thawte points transfered by the old Tverify program if they are effected by the points removal or if they are safe. The CCA-Rollout with a couple of patches, a list of new Policies and Subpolicies related patches (eg. PoJAM, TTP program), a list of Arbitration pushed patches, and so on …

So guys, lets have a party tonight, we’ve wiped out one of the biggest audit blockers!

The Big Masterplan to become Audit Ready

Leave a reply

Back in January 2010 the former Board decided by Board motion m20100117.3 “No new subroots on current root, plan for new root”. In the discussion a date was scheduled by end of Dec 31, 2010. On my 2nd thought, probably nobody did recognize, what that means, CAcert's Big Masterplan To become Audit Ready (01/2010) to finish all the projects from the bottom left corner at beginning of 2010 to the top right corner by end of the year with the “New Roots and Escrow” (New Roots and Escrow) process running. So this article should bring Audits mistery to light.

Policy Group worked on the last few essential Policies (Policies on Policy Group), that are essential for the Audit. One essential requirement for Audit is to Rollout the CAcert Community Agreement to all the members, so they can decide to continue or to leave the Community. To become “CCA Rollout Ready” (CCA rollout), the running Software needs to be updated. This opens the next problem: by starting 2010, there was no Software Update Process defined, nor documented. But we’re on the lucky side, the Software-Assessment-Project started November last year to fulfill this requirement (Software-Assessment-Project). The task was: To get a repository system controlled by Software-Assessment team, a controlled testserver environment and a documentation system. Currently the team tests the transfer of a test patch to the production system. Involved parties: Software-Assessment Project team, Software-Assessment team and the Critical Sysadmins team.

CAcert's Big Masterplan To become Audit Ready (10/2010)
CAcert’s Big Masterplan To become Audit Ready (10/2010)

In the meantime, another issue pop’d up: the “Thawte points removal” with a deadline of Nov 16th, 2010. We’ve allready posted several blog posts on this topic. So also this is related onto the Software-Assessment-Project progress (Software-Assessment-Project).

The next topic is running Assurer Training Events (ATE) (Assurer Training Events). ATE’s are an essential concept in the Audit over Assurance (RA) business area. To scale a worldwide community, the community has to assist Auditors work in doing Co-Audits over Assurers. The question: How to contact groups of Assurers was answered back in 2009 with the ATE concept. The purpose of ATE is twofolded: first to communicate to the Assurers all the new informations and second to do Co-Audits. As Assurers follows the invitations to the ATEs we can expect, that they are more active in the community. So also from 2009 ATE experiences, we’ve got new resources from the community by contacts on ATEs (Get new resources). So this was the plan for 2010 ATE season, to find more people, who can help on the several tasks and projects that needs to be finished, before the new Roots and Escrow project and also the Audit can be (re-)started. E.g.

Helping CAcert

  • we are searching Infrastructure Admins for the Non-Critical Infrastructure systems, all running on Unix. Familiar with system migrations for the big Infrastructure project to separate Non-Critical from the Critical systems (The big Infrastructure Task). This project is running about 2 years, but currently without progress.
  • we are searching for Software Developers (C++, Python, Java) for the New Software project BirdShack (New Software Project BirdShack), that was started last year, after Auditors review of the Software that concludes: „Serious difficulties in maintaining, improving and securing.” and „Cannot form conclusion over software.”, so if the plan to start with the Audit over the old Software fails, we’re close to the 2nd path: BirdShack.
  • we are searching for Audit consultants who can assists in the Audit next step CrowdIt disclosure system (read AGM – Audit Report 2010 – CrowdIt. CrowdIt, as a sort of wordplay on Crowd-Audit). CrowdIt is an emerging disclosure tool (based on the old DRC browser).
  • we are searching people, who can assist us in the funding project (Funding project), that becomes the ground base for the New Roots and Escrow project (New Roots and Escrow) that should be keep tracked by an Auditor, and the re-start of the Audit (Audit over Assurance (RA) 1) and (Audit over Systems (CA) 2).

The New Roots and Escrow Project Relation to Audit

As said before, the New Roots and Escrow Project should be keep tracked by an Auditor. From the experiences back in 2008 on creating New Roots but fail on Roots Escrow, we’re warned to separate the Audit steps of the New Roots and Escrow Project (New Roots and Escrow) and the Audit over Systems (Audit over Systems (CA) 2). Both tasks should be close together.

On the other side, we have to do an Audit over Assurance (Registration Authority, RA) (Audit over Assurance (RA) 1). There is no requirement on bundling the RA Audit and CA Audit as both business areas have their own Policy sets and can be checked separately. This can make our work presumably easier. Easier to get Audit funding for Audit over RA. As Assurance area is closer to be Audit Ready, we can also signal to the Community Audit is back on track. This will probably push the other tasks. With a small budget we probably can double the result by getting new resources, “Hey, there is progress on the overall Audit task” – CAcert is back!

New TTP-Assisted-Assurance to Draft – one more milestone in Policy!

Leave a reply

TTP-Assisted-Assurance to DRAFTThis weekend, the Security Policy goes into DRAFT. Consensus has erupted in policy group once again.

The practicle work now can start, to write down all the documentation for the practice documents. Clean out the wiki with all the informations of the old TTP program and start spreading the new TTP-Assisted-Assurance to the CAcert deserts after the old program was frozen.

Who volunteers now to becoming the first TTP-admins ? As policy defines
Senior-Assurers to be the TTP-admins and the first new TTP requests will come soon probably
we have to deploy the policy now into practice. Thats again a Community Task. We need at least 3 TTP-Admins as following graphic displays:

             TTP ----:--> TTP-Admin (1) --> 35 points max
                 /       :         \
   Assuree =  -  -  :-  >      =----> TTP-Admin (3)  --> 35 points max (Topup)
                 \       :         /
             TTP ----:--> TTP-Admin (2) --> 35 points max
                         :........ CAcert internal ................................................

TTP-Admins should become familiar with the TTP’s available in a country of the TTP requestor so the program gets a strong path of reliance. One idea is to work close together with Organisation Assuers, who are familiar with the regulations in a country but its not limited to. These are only thoughts.

One Milestone in Software-Assessment-Project reached

Leave a reply

Within the last week we’ve reached one milestone in our new Software-Assessment-Project.
The team is working since November 2009 on a new Software Repository and a new Testserver.
The Testserver needed a Testserver Mgmt System to set the environment for testing new Software and Patches for the Webdb system.
Continue reading

SP to DRAFT — marks the milestone in Policy!

Leave a reply

This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

  1. The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
  2. Application Engineer is removed, and that capability is returned to the Systems Adminstration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
  3. One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
  4. Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected a wiki-scraping script I wrote last night:

Name # Decisions
Tomáš 10 p20100510,p20100426,p20100401,p20100119,p20100113,p20091108,p20091106,p20090706,p20090327,p20081016
Faramir 10 p20100510,p20100426,p20100401,p20100326,p20100120,p20100119,p20100113,p20091106,p20090706,p20090327
Lambert 10 p20100426,p20100401,p20100326,p20100113,p20091108,p20091106,p20090706,p20090327,p20090105.1,p20081016
Philipp D 9 p20100510,p20100426,p20100401,p20100113,p20091106,p20090706,p20090327,p20090105.1,p20081016
Pieter 8 p20100510,p20100426,p20100401,p20100306,p20100120,p20100113,p20091106,p20090327
Iang 8 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113,p20091106,p20090706
Ulrich 7 p20100510,p20100426,p20100401,p20100326,p20100306,p20100120,p20100119
Ted 7 p20100510,p20100120,p20100119,p20100113,p20091106,p20090706,p20081016
Brian 7 p20100510,p20100426,p20100401,p20100119,p20091108,p20091106,p20090706
Morten 6 p20100510,p20100426,p20100306,p20100120,p20100119,p20100113

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for 😉

Community 2010 March Update

1 Reply
  • 2010-03-30 New Roots task force offers SHA2 based roots/end user certificates for testing
  • 2010-03-30 Software-Assessment Project telco 2010-03-30
    • GIT as the future Software Assessment repository passed test successful
    • Testserver needs Testserver Management System, action plans triggered to start a deployment
  • 2010-03-27 Walter Güldenberg appointed as Events Team Leader
  • 2010-03-26 Sysadmin team works out way forward for SNI, client certificate authentication and SSL renegotiation changes in browsers
  • 2010-03-26 Security Policy – Board vetos Security Policy Draft regarding point 9.1.4.2. Coverage – Board sighting conflicts with CAcert incorporated rules
  • 2010-03-25 Ongoing update of CAcert Officers list
  • 2010-03-24 First ATE in 2010 season: ATE-Sydney with 6 co-Audited Assurances and addtl. 14 interested Attendees
    • Discussions through email and irc about how to seed CAcert deserts. Plans for contacting Usergroups (existing IT related social networks)
    • mostly, area has many old SuperAssurers that will have faded away
  • 2010-03-21 Board Meeting 2010-03-21 “Determine Root escrow and recovery mechanism” review ends with no consensus
  • 2010-03-18 Rasika Dayarathna, our Privacy Officer, resigned due to lack of time. Looking forward to rejoining us later.
  • 2010-03-14 Boards Projects Overview Page started deployment
    • with this page, Board and also Community can get a better overview over the running and upcoming projects regarding Audit
    • currently active areas/projects:
  • 2010-03-13 Board Members allowed to serve on arbitration team again
  • 2010-03-06 Daniel Black gets appointed as Infrastructure Team Leader
  • 2010-03-06 Efficiency gain – Policy Officer empowered to perform minor adjustments to policy
  • 2010-03-06 CeBIT 2010 Big Assurance Event successful passed after 5 days with a team of about 8 to 12 and more Assurers. CAcert was one of the 15 projects on the booth at the Open Source Project Lounge sponsored by Linux New Media.
  • 2010-03-03 Co-Audited Assurances Program finalized and starts at CeBIT 2010

Contributions to this Community Update by: Ian, Daniel, Uli

Thawte Points Transfer and Removal of Points at Nov 16th 2010

Leave a reply

CAcert 2010The November 2009 blog post Last chance: End of thawte points transfer on 16th november 2009 was the starting point for the moving of Thawte Notarys to CAcert … but this is half of the story. November 16th 2010 ends the verification period of transfered points. So the 150 points transfer will be lost. To prevent the loss of Assurance and Experience Points all members using this program needs to search for assurers to get fully assured and starting also assurances to get the needed experience points. Until now, the addtl. Assurances doesn’t count, but added to the account until the Points Count process will be changed before Nov 16th 2010, so the last assurance points counts.

This will become a big shift in this year until November 2010. Current work is to prepare the building of the Software Assessment Team and the Repository project to make Software updates possible. This project is a not so well noticed project still running in the background. But if someone reads the Software MiniTOP Updates from Dec 2009 and February 2010, those can reads the progress that is made in this area. This is also a requirement for the CCA Rollout plan that needs to be started around mid of this year to succeed before Audit can continue.

If you have further questions regarding the Thawte transfer points removal, please go to the public CAcert Support mailing list.