Es hat sich viel getan im letzten Jahr. Eine ganze Reihe von bisher eher “muendlich ueberlieferten” Regeln wurden in Policies gegossen. Neue Prozeduren (z.B. die Assurer Challenge) und Verpflichtungen (z.B. in dem CAcert Community Agreement) wurden beschlossen. Die Assurer Training Events wollen versuchen, die ganzen Informationen “unter’s Volk” zu bringen:

- Wovor schuetzt die CCA jedes CAcert-Community-Mitglied und somit auch dich?
- Kannst du die 5 Statements der “Purpose of Assurance” aufzaehlen?
- Kannst du auf Anhieb 10 Sicherheitsmerkmale des deutschen
Personalausweises aufzaehlen?

Antworten auf diese und weitere Fragen erhaelst du bei den Assurer Training Events (ATEs).

Die kommenden Veranstaltungen finden statt am: Montag den 04. Oktber 2010 in den Seminarräumen (Madrid + Lissabon) der Jugendherberge Aachen statt.

Anreise

PKW
Aus Deutschland kommend:
Aus Richtung Köln A4 / E40 bzw. aus Richtung Mönchengladbach A44 bis Kreuz Aachen.
Weiter auf der A 44 Richtung Lüttich (Liège).
Abfahrt Aachen Lichtenbusch (Letzte Abfahrt vor der Grenze nach Belgien)
Rechts Richtung Zentrum, dann nach Ortseingang an der ersten großen Ampel-Kreuzung links in die Siegelallee abbiegen (Hier steht ein Schild mit der Aufschrift: „Euregionales Jugendgästehaus Aachen“)
Nach der Eisenbahnbrücke rechts in die Maria-Theresia-Allee

Aus Belgien kommend:
Aus Richtung Lüttich (Liège) A3 / E40 Bis Abfahrt Eynatten
Rechts Richtung Aachen Süd
An der erste Großen Ampelkreuzung nach der Grenze zu Deutschland: links in den Luxemburger Ring abbiegen
Nach der Eisenbahnbrücke rechts in die Maria-Theresia-Allee

Ausgewiesene öffentliche PKW-Parkflächen stehen auf der Maria Theresia Allee kostenfrei zur Verfügung.

Bahn und Bus
Start Hauptbahnhof [Haltestelle 2 gegenüber dem Haupteingang des HBF] Linie 3B Richtung „Uniklinik“
alternativ kann die Linie 1 und 46 an der gleichen Haltestelle benutzt werden
Haltestelle Misereor dort Straßenseite wechseln
Haltestelle Misereor [Karmeliterstraße] Linie 2 Richtung „Aachen, Preuswald“
Haltestelle Reumontstraße
Haltestelle Schillerstraße
Haltestelle Goethestraße
Haltestelle Kaiser-Friedrich-Park
Haltestelle Yorckstraße
Haltestelle Brüsseler Ring
Ziel Ronheide (Jugendherberge) Ausstieg

Abfahrtzeiten:
Hauptbahnhof: xx:04, xx:21, xx:34, xx:51
Misereor: xx:14, xx:29, xx:44, xx:59
Fahrzeit:
14 bis 16 Minuten
Fahrpreis:
€ 2,35 einfache Fahrt (günstiger bei 4er-Karte)

Anmeldung

Ich möchte am Event in Aachen teilnehmen!

siehe auch WiKi

Nebenbei, am 02 und 03. Oktober findet der diesjährige Oktober ac-treff in den gleichen Räumlichkeiten statt, vielleicht hat der eine oder andere von euch Lust auch dort dabei zu sein. Mehr dazu findet ihr hier.

Wir sehen uns in Aachen ?!

Ehemalige Thawte Notarys sollten die Gelegenheit nutzen, sich noch einmal Assuren zu lassen, bzw. selbst Assurances durchzuführen, da sonst zur Deadline am 16. November Punkte verfallen können. (siehe auch Blog Post vom 3.8. Thawte Points Transfer and Removal of Points at Nov 16th 2010)

Ebenso sucht CAcert Helfer im Projekt. Zur Zeit suchen wir dringend Personen die im Support mithelfen und Systemadministratoren für die Nicht-Kritischen Systeme (Wiki, Blog, Email, IRC, usw.).

Für Assurer Training Events (ATE’s) suchen wir Personen, die die Vorbereitung und Planung in ihrer Stadt übernehmen können. Da die ATE’s die Basis für die co-Audited Assurances bilden und das wiederum die Basis für das Audit über die Registration Authority (RA) ist, kommt diesem Thema derzeit die höchste Priorität zu (siehe auch Board Motion vom 1.8.2010 m20100801.3).

Sprecht uns am Samstag oder Sonntag zu den Themen “Thawte Points Removal”, “Helfer Gesucht” bzw. “ATE’s” auf dem Stand an.

Wann? - Wo? - Preise?

• Wann?
  21.08.2010 - 22.08.2010
• Wo?
  Hochschule Bonn-Rhein-Sieg
  Grantham-Allee 20
  53757 Sankt Augustin
  OpenStreet Map
  Google Maps
• Was kosten Tickets?
  Tickets kosten für beide Tage insgesamt 5 Euro.

Links:

• Free and Open Source Software Conference 2010
• CAcert in der Ausstellerliste
• FrOSCon 2010 im CAcert Wiki

• 2010-07-20 Daniel resigns from Board, Infrastructure Team Lead, Systems Admin (various)
• 2010-07-17 PracticeOnNames updated with the NL country variation Arbitration ruling of a20090618.12. The ruling was written February this year, but had not been pushed out yet to the community. This presents a more relaxed rule: "Abbreviations on givennames are allowed under some circumstances" regarding Dutch givennames.
• 2010-07-16 Faster Support Actions on requests by Assurers and Users on Name Change cases, DoB changes after events
  • In February this year, there was an interesting Arbitration case that relates to all assurers and members with name change and DoB problem requests. This Arbitration case a20100210.2 takes precedence if requested within 24 hours an error was made, or upto 7 days after a big event. As thus should allow to decrease the disputes queue, we need all the help from the community, that such errors are reported within the given timeframe. This is to simplify Support cases and to decrease the delay in Arbitration cases by reducing the cases in the queue. For details please read the Arbitration case a20100210.2 ruling.
• 2010-07-14 One Milestone in Software-Assessment-Project reached
  Within the last week we’ve reached one milestone in our new Software-Assessment-Project. The team is working since November 2009 on a new Software Repository and a new Testserver. The Testserver needed a Testserver Mgmt System to set the environment for testing new Software and Patches for the Webdb system.
  The long blocking factor was the Testserver Mgmt System. That is now installed and functional with basic functions:
  • Increase Assurance Points (to start testing as Assurer)
  • Setting special Flags (to start testing as i.e. Support-Engineer for SE patches)

  The Testserver Mgmt System is buildt with the Zend Framework and is an addtl. instance on the Testserver.

  The next step in deploying the new Software-Assessment Environment is to find the first Testers, who helps deploying the procedure on Documentation of current patches (see Software-Assessment: Current Tests)

  The Software-Assessment-Project is an essential brick in the wall for the Audit as this blocks several Audit steps (Audit over Systems, CCA-Rollout, and others). An overview of the steps to an Audit-restart can be found on the Overview Projects Board Wiki page.

  For further infos about the Software-Assessment-Project read Software-Assessment-Project Page

• 2010-07-10 Voting on Policy Group for p20100710 License root under Root Distribution License opened
• 2010-07-04 Ernestine resigns from Board and Treasurer
• 2010-07-03 Dominik George was appointed by board motion m20100625.1 to become Support-Engineer

Please keep yourself informed by continuously reading the Community Updates in the Wiki.

CACert confesses itself to interoperability with free and open projects. The CACert website is soon to be updated to reflect the new RDL.
A distributable source package can be found here [2]

[1] http://www.cacert.org/policy/RootDistributionLicense.php
[2] http://sspreitzer.fedorapeople.org/ca-cacert/

~sspreitzer

Der PING e.V. lädt am 07. August 2010 ab 14:00 Uhr zum “Sommerfest” ein.
Besucher haben an diesem Tag die Möglichkeit, hinter die Kulissen unseres Vereins zu schauen und die Aktiven Mitglieder kennenzulernen.

Abgerundet wird das ganze mit mehreren Kurzvorträgen. Die Vorträge dauern jeweils ca. 15 - 20 Minuten und sind sowohl für Einsteiger als auch versierte Interessierte geeignet.
Im Anschluss an einen Vortrag besteht die Möglichkeit in einer lockeren Diskussionsrunde Fragen zu klären oder die eigene Erfahrung einzubringen. Weiter geht es nach einer kleinen Pause mit dem nächsten Vortrag. Selbstverständlich stehen dann die Referenten und die ehrenamtlichen Helfer des Vereins für Fragen und Diskussionen gerne zur Verfügung.

Des Weiteren werden ein PGP Keysigning und CAcert Assurance angeboten.

Geplante Themen der Vorträge:

• OpenStreetMap
• Wireless-Lan Sicherheit
• Bildbearbeitung mit freier Software
• Menschliche und digitale Spuren im Internet
• Voice-over-IP
• Einblick in Ubuntu Linux

Weitere Informationen, Anfahrtdetails und last minute updates gibt es auf der Event-Seite

The next step in deploying the new Software-Assessment Environment is to find the first Testers, who helps deploying the procedure on Documentation of current patches (see Software-Assessment: Current Tests)

The Software-Assessment-Project is an essential brick in the wall for the Audit as this blocks several Audit steps (Audit over Systems, CCA-Rollout, and others). An overview of the steps to an Audit-restart can be found on the Overview Projects Board Wiki page.

For further infos about the Software-Assessment-Project read Software-Assessment-Project Page

A new Password Recovery w/ Assurance procedure has been established thru Arbitration case a20100407.1.
The procedure is outlined under https://wiki.cacert.org/Support/PasswordRecoverywithAssurance

All you need to do is (for the user who has lost his Password):

1. Find an Assurer to do an Assurance
2. Create an A-Word (part of a passphrase)
3. The Assurer has to trigger the Password Recovery Procedure by sending a signed Email to Support with the A-Word and the info about the Assuree (Name, Primary Email).

That’s it.

Support than will contact the parties to get further informations.

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

1. The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
2. Application Engineer is removed, and that capability is returned to the Systems Adminstration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
3. One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
4. Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected a wiki-scraping script I wrote last night:

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users which have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which report the downtime and the reason for it.”

Contributions to this Community Update by: Ian, Daniel, Uli