PING e.V. Sommerfest, 7.8.2010, Dortmund

Leave a reply

Die Profis des größten gemeinnützigen Internetvereins helfen und beraten bei Fragen zu den Themen Internet und Sicherheit.

Der PING e.V. lädt am 07. August 2010 ab 14:00 Uhr zum “Sommerfest” ein.
Besucher haben an diesem Tag die Möglichkeit, hinter die Kulissen unseres Vereins zu schauen und die Aktiven Mitglieder kennenzulernen.

Abgerundet wird das ganze mit mehreren Kurzvorträgen. Die Vorträge dauern jeweils ca. 15 – 20 Minuten und sind sowohl für Einsteiger als auch versierte Interessierte geeignet.
Im Anschluss an einen Vortrag besteht die Möglichkeit in einer lockeren Diskussionsrunde Fragen zu klären oder die eigene Erfahrung einzubringen. Weiter geht es nach einer kleinen Pause mit dem nächsten Vortrag. Selbstverständlich stehen dann die Referenten und die ehrenamtlichen Helfer des Vereins für Fragen und Diskussionen gerne zur Verfügung.

Des Weiteren werden ein PGP Keysigning und CAcert Assurance angeboten.

Geplante Themen der Vorträge:

OpenStreetMap
Wireless-Lan Sicherheit
Bildbearbeitung mit freier Software
Menschliche und digitale Spuren im Internet
Voice-over-IP
Einblick in Ubuntu Linux

Weitere Informationen, Anfahrtdetails und last minute updates gibt es auf der Event-Seite

One Milestone in Software-Assessment-Project reached

Leave a reply

Within the last week we’ve reached one milestone in our new Software-Assessment-Project.
The team is working since November 2009 on a new Software Repository and a new Testserver.
The Testserver needed a Testserver Mgmt System to set the environment for testing new Software and Patches for the Webdb system.
Continue reading →

New Password Recovery w/ Assurance Procedure

Leave a reply

To All Assurers,

A new Password Recovery w/ Assurance procedure has been established thru Arbitration case a20100407.1.
The procedure is outlined under https://wiki.cacert.org/Support/PasswordRecoverywithAssurance
Continue reading →

SP to DRAFT — marks the milestone in Policy!

Leave a reply

This weekend, the Security Policy goes into DRAFT. We’ve battled and we’ve won: consensus has erupted in policy group. Not only do we get our Security Policy, but SP going to DRAFT marks a major milestone for CAcert:

We now have a complete set of policies for audit !

We’ve been close before, but never the cigar. In early 2009, some audit work was done, but with gaps: the CPS and the “index” were missing. The CPS came into DRAFT in June 2009, it was close enough at the time. The “index” is called the Configuration-Control Specification (CCS), which is a rather clumsy name for such a simple thing. CCS is a list to all the assets that have to be audited, so it’s worth a little attention. The structure more or less looks like this:

Audit => Criteria (we call them DRC) => CCS (the index)

Then, with CCS in hand, the Auditor can find the parts needed:

                     --> Policies
                   /
       CCS ==----> critical systems
                   \
                     --> roles in control, etc

CCS was the missing link. Luckily the index CCS is relatively easy to write, if all the other policies and systems are clear, and this also means it was doomed to always be last, once the other policies were clear. A month back policy group pushed it through, we brought the CCS finally into its place as a (DRAFT) binding policy.

Which should have been the completion of our policy set for audit, but as CCS was finishing, the Board of CAcert Inc decided to veto the Security Policy, as they can under the rules (PoP 4.6). Now, much has been written about this drama in the maillists, and the debate did raise some serious questions at the time, but they can be left for another day. This week, then we in policy group are taking Security Policy back to DRAFT. Has anything changed? Here are the major points of change:

The part about the Board Members having a background check has been removed. This was reasonable, as, on the whole, the ABC process is too clumsy for the Board, and the Board now has its own requirements to deal with conflicts of interest, courtesy of the new Associations Act 2009.
Application Engineer is removed, and that capability is returned to the Systems Adminstration team leader. T/L can bring in a Software Assessor any time he needs one, and take on that risk, etc.
One non-difference is that SP was still binding on the critical roles, because they accept the SP as their binding document when they are appointed. This is part of the process, as documented in Security Manual. The reason for this is that, under the principles of data protection, anyone who can access the data needs a special agreement, and in CAcert, the SP is that agreement.
Meanwhile, SP goes back to being binding on the Community. Why would the Community need to be bound to Security Policy, when they can’t do anything wrong anyway? Well, because there are always errors, holes, bugs, omissions and short cuts. In any process! So, while we should fix these omissions, it helps to have the big stick of policy to wield as well. Just because you find a software bug doesn’t mean you can exploit it, and just because you have a title like “auditor” doesn’t mean you can stare at the private root key. We all have wider obligations, and SP is one of them.

Other than tighter wording, etc, that’s it. Welcome to our complete Policy set!

Which final comment brings us to the success of CAcert’s Policy project. It was 5 calendar years in the making, starting off with Christian’s original CPS, and it cost many Member-Years of effort. Some examples: The SP was probably a Member-Year of effort. The CPS is likely equal, the agreements and foundations (CCA, DRP, PoP, etc) another huge lump. I said CCS was an easy one to write, but “easy” still runs to around a Member-Month of effort. PoJAM, similar.

If we think how much a commercial company pays for a Member-Year of effort (100k, plus or minus), that’s a serious investment.

Thank your policy group, and help out with reading and voting!

35 decisions, 13 policies to DRAFT and beyond, 55 contributors. Here’s the top ten, a Hall of Fame, collected a wiki-scraping script I wrote last night:

Name	#	Decisions
Tomáš	10	p20100510,p20100426,p20100401,p20100119,p20100113,p20091108,p20091106,p20090706,p20090327,p20081016
Faramir	10	p20100510,p20100426,p20100401,p20100326,p20100120,p20100119,p20100113,p20091106,p20090706,p20090327
Lambert	10	p20100426,p20100401,p20100326,p20100113,p20091108,p20091106,p20090706,p20090327,p20090105.1,p20081016
Philipp D	9	p20100510,p20100426,p20100401,p20100113,p20091106,p20090706,p20090327,p20090105.1,p20081016
Pieter	8	p20100510,p20100426,p20100401,p20100306,p20100120,p20100113,p20091106,p20090327
Iang	8	p20100510,p20100426,p20100306,p20100120,p20100119,p20100113,p20091106,p20090706
Ulrich	7	p20100510,p20100426,p20100401,p20100326,p20100306,p20100120,p20100119
Ted	7	p20100510,p20100120,p20100119,p20100113,p20091106,p20090706,p20081016
Brian	7	p20100510,p20100426,p20100401,p20100119,p20091108,p20091106,p20090706
Morten	6	p20100510,p20100426,p20100306,p20100120,p20100119,p20100113

(That’s not a formal result, and it only counts voters from the last 2 years, many others did other things that are harder to measure.)

We now have a set of policies that not only deals with the criteria of the Audit (DRC), not only removes that critical path blockage of documentation for audit, but also presents the only honest, fair, presentable and sustainable policy set in the entire business. In my humble opinion.

This is a set of documents everyone can be proud of. On this foundation we can build. We can, for our Members, create business of real value, not just issue certificates that defy valuation to people who don’t understand their need.

Now, on to implementation and audit. Questions about the audit are questions about implementation, so don’t forget:

Do not ask when your audit is done, rather, ask how you, yourself, are doing your audit!

And now, you’ve got the full policy set, so you know what the Auditor is going to be looking for 😉

scheduled systems downtime – 15th June

Leave a reply

Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users which have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which report the downtime and the reason for it.”

Community 2010 March Update

1 Reply

2010-03-30 New Roots task force offers SHA2 based roots/end user certificates for testing
2010-03-30 Software-Assessment Project telco 2010-03-30
- GIT as the future Software Assessment repository passed test successful
- Testserver needs Testserver Management System, action plans triggered to start a deployment
2010-03-27 Walter Güldenberg appointed as Events Team Leader
2010-03-26 Sysadmin team works out way forward for SNI, client certificate authentication and SSL renegotiation changes in browsers
2010-03-26 Security Policy – Board vetos Security Policy Draft regarding point 9.1.4.2. Coverage – Board sighting conflicts with CAcert incorporated rules
2010-03-25 Ongoing update of CAcert Officers list
2010-03-24 First ATE in 2010 season: ATE-Sydney with 6 co-Audited Assurances and addtl. 14 interested Attendees
- Discussions through email and irc about how to seed CAcert deserts. Plans for contacting Usergroups (existing IT related social networks)
- mostly, area has many old SuperAssurers that will have faded away
2010-03-21 Board Meeting 2010-03-21 “Determine Root escrow and recovery mechanism” review ends with no consensus
2010-03-18 Rasika Dayarathna, our Privacy Officer, resigned due to lack of time. Looking forward to rejoining us later.
2010-03-14 Boards Projects Overview Page started deployment
- with this page, Board and also Community can get a better overview over the running and upcoming projects regarding Audit
- currently active areas/projects:
  - 1.1 Software Assessment
  - 2.1 New Root
  - 7.1 Policy Group
  - 8.1 Assurance (co-Audit)
  - 9.2 ATE’s (planning)
2010-03-13 Board Members allowed to serve on arbitration team again
2010-03-06 Daniel Black gets appointed as Infrastructure Team Leader
2010-03-06 Efficiency gain – Policy Officer empowered to perform minor adjustments to policy
2010-03-06 CeBIT 2010 Big Assurance Event successful passed after 5 days with a team of about 8 to 12 and more Assurers. CAcert was one of the 15 projects on the booth at the Open Source Project Lounge sponsored by Linux New Media.
2010-03-03 Co-Audited Assurances Program finalized and starts at CeBIT 2010

Contributions to this Community Update by: Ian, Daniel, Uli

What’s this ATE thing then???

5 Replies

You have probably seen messages flying around about the ATEs, or Assurer Training Events, and you’re probably wondering whether it applies to you. The answer is:

YES, most definately, if you are an Assurer.

This is your event, to update and to participate. More than that, it feeds into audit. This connection may be a little non-obvious, so this post is about explaining it to those wavering on their path to an ATE near them as to why you should help.

Recall that CAcert has today 3460 (and growing) Assurers around the world, and that they provide the critical information feeding into the certificates for the entire community.

That line — from Community Member to verification of information to the certificate — is of key interest to the Auditor. The certificate part is well-understood but what is less well understood is the verification part. How does the Auditor verify the actions of 3460 people spread across dozens of countries? Are they doing the job? Looking after Members? Mostly harmless or causing risks to rise?

Assurers mostly harmless? Verifying the Assurers across the planet is a challenge we must conquer, because our audit criteria says “A.2.y The CP details how the CA verifies that [Assurers] operate in accord with the CA’s policies.” Indeed, the auditor for a big famous-name CA simply declined to audit their web of trust, and the CA found it in its heart to drop the entire thing.

But it can be done. As auditor, I visited around 8 countries in 2009 for a tiny budget of €1500 and verified personally around 80 Assurers. The German community did a similar thing across Germany, and together these results gave us a good showing. It was still marginal; we need better and broader coverage. We need scaleability and we needed process, but we had our start.

From the 2009 experiment, the Assurance Team has designed a comprehensive programme to meet the audit criteria A.2.y, and the ATE is the leading part of that. At the Assurer Training Event, you the Assurer are brought up to date with changes (dramatic), informed on essential checks (of course) and then we individually record that process (carefully and slowly). All this is then collated and prepared for an end-of-season report.

The 2010 season is now underway. If you want to help CAcert’s audit process and improve on the results below, you should look out for an ATE near you. Who wouldn’t want to be involved??? Better yet, ask at events@c.o for how to run one.

ATE-Sydney

Leave a reply

ATE-Sydney is programmed! Masa has made available a lecture theatre at Sydney University’s IT school for an ATE on evening of 24th March, 6:00pm. More details on the wiki.

I will attend ATE-Sydney!

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and include parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in NSW coming soon, or mail me with suggestions.

Two Weeks to go! CAcert at OpenExpo 2010 Bern – Switzerland – March 24.-25. 2010

Leave a reply

OpenExpo, the Swiss leading conference and trade show for Free and Open Source Software, will take place for the 8th time Wednesday and Thursday, March 24. and 25. 2010 at the BEA expo in Bern. CAcert is proud to be present among many other Open Source Projects as part of the Open Source Community.

In the conference program at KMU day, there will be the presentation – SSL-Zertifikate in der betriebsinternen Kommunikation der ETH Zürich (in German language) – about the application of CAcert certificates. As the first university in Switzerland, ETH is deploying CAcert certificates.

Additional Swiss CAcert assurers or CAcert assurers from any country with successfully passed assurer test and willing to help, register in the CAcert.org Wiki. The entrance and the conferences are free of charge, simply order and print your free ticket.

———————————————————————————————————————————————————————————————————————————————–

OpenExpo, die Schweizer Messe und Tagung für Freie und Open Source Software findet zum achten Mal statt, am Mittwoch und Donnerstag, 24. und 25.März 2010 in der BEA expo in Bern. CAcert.org ist stolz darauf, mit vielen anderen Open Source Projekten an diesem Anlass teilnehmen zu dürfen und Teil der Open Source Community zu sein.

Im Konferenzprogramm wird am KMU-Tag der Einsatz von SSL-Zertifikate in der betriebsinternen Kommunikation der ETH Zürich anhand von CAcert Zertifikaten präsentiert. Die ETH setzt als erste Universität in der Schweiz CAcert Zertifikate ein.

Zusätzliche Schweizer CAcert.org Assurer oder CAcert.org Assurer aus irgend einem Land mit erfolgreich absolviertem Assurer Test, welche mithelfen wollen, tragen sich bitte im CAcert.org Wiki ein. Der Messeeintritt und das Konferenzprogramm sind für jederman kostenlos, einfach Gratis-Tickets bestellen und ausdrucken.

ate-OZ

Leave a reply

I’m in the vicinity of Canberra – Sydney for next 2 months, and looking to do ATEs. If you have some sort of venue or facility, and there are Assurers in your area, let me know.

Additions: Sydney is rolling…

iang @ the normal address, for the Assurance Team.