Tag Archives: Co-Audit

ATE-Wiesbaden, 22. Mai 2014

Am Donnerstag, 22. Mai 2014 findet in den Räumen des CCCMZ e.V. in Wiesbaden das nächste ATE in der Region Rhein-Main statt.

  • Was hast du auf dem CAP Formular hinzuzufügen, wenn du Minderjährige überprüfst ?
  • Warum solltest du dir die 3 Buchstaben: R/L/O einprägen ?
  • Wie verhälst du dich, wenn du ein fremdes Ausweis Dokument zum ersten mal prüfst ?

Continue reading

CAcert appoints internal auditor

[German version below]

CAcert gets down to business to the next step for reopening the audit process and has appointed Benedikt Heintel as internal auditor in last december. The goal is the acceptance of CAcert as trustworthy certificate authority. Benedikt Heintel cares for the compliance of internal process flows with the rules and thereby for the reliability and trustworthiness of the CA overall. With the beginning of this year Benedikt Heintel has started with the first checks within the scope of the internal audit.
Quite a while ago CAcert has appointed co-auditors who check the quality of CAcerts’ web-of-trust with which identities of persons are verified. With this check co-auditors do the preliminary work for the internal auditor. These to different subject areas are the basis of CAcert and its secure certificates.

CAcert-PM-Internal-Auditor-en

[German version]

CAcert macht Ernst mit dem nächsten Schritt zur Wiederaufnahme des Audit-Verfahrens und hat im vergangenen Dezember Benedikt Heintel als internen Auditor ernannt. Ziel ist die Anerkennung von CAcert als vertrauenswürdige Zertifizierungsstelle. Benedikt Heintel kümmert sich um die Einhaltung sauberer Prozessabläufe bei CAcert und damit um die Vertrauenswürdigkeit der Arbeit der CA insgesamt. Anfang des Jahres hat er mit den ersten Überprüfungen im Rahmen des internen Audits begonnen.
Vor geraumer Zeit hatte CAcert bereits Co-Auditoren ernannt, die das CAcert-Web-of-Trust prüfen, mit dem die Identität von Personen sichergestellt wird und dem internen Auditor auf diese Weise zuarbeiten. Diese zwei unterschiedlichen Themen machen zusammen erst CAcert und seine sicheren Zertifikate aus.

CAcert-PM-Interner-Auditor-de

ATE-Leipzig, 10. April 2012

Am Dienstag, 10. April 2012 (Dienstag nach Ostern) findet in der Uni Leipzig das nächste ATE statt.

  • Was hast du auf dem CAP Formular hinzuzufügen, wenn du Minderjährige überprüfst ?
  • Warum solltest du dir die 3 Buchstaben: R/L/O einprägen ?
  • Wie verhälst du dich, wenn du ein fremdes Ausweis Dokument zum erste mal prüfst ?

Continue reading

ATE Manchester / Crewe, UK – Sat 14th January

Much has happened during recent years. The old way of orally-transmitted procedures has now gone, and our rules have been cast into formal policies. New procedures (e.g. the Assurer Challenge) and obligations (e.g. in the CAcert Community Agreement) have been approved.
Continue reading

The Big Masterplan to become Audit Ready

Back in January 2010 the former Board decided by Board motion m20100117.3 “No new subroots on current root, plan for new root”. In the discussion a date was scheduled by end of Dec 31, 2010. On my 2nd thought, probably nobody did recognize, what that means, CAcert's Big Masterplan To become Audit Ready (01/2010) to finish all the projects from the bottom left corner at beginning of 2010 to the top right corner by end of the year with the “New Roots and Escrow” (New Roots and Escrow) process running. So this article should bring Audits mistery to light.

Policy Group worked on the last few essential Policies (Policies on Policy Group), that are essential for the Audit. One essential requirement for Audit is to Rollout the CAcert Community Agreement to all the members, so they can decide to continue or to leave the Community. To become “CCA Rollout Ready” (CCA rollout), the running Software needs to be updated. This opens the next problem: by starting 2010, there was no Software Update Process defined, nor documented. But we’re on the lucky side, the Software-Assessment-Project started November last year to fulfill this requirement (Software-Assessment-Project). The task was: To get a repository system controlled by Software-Assessment team, a controlled testserver environment and a documentation system. Currently the team tests the transfer of a test patch to the production system. Involved parties: Software-Assessment Project team, Software-Assessment team and the Critical Sysadmins team.

CAcert's Big Masterplan To become Audit Ready (10/2010)
CAcert’s Big Masterplan To become Audit Ready (10/2010)

In the meantime, another issue pop’d up: the “Thawte points removal” with a deadline of Nov 16th, 2010. We’ve allready posted several blog posts on this topic. So also this is related onto the Software-Assessment-Project progress (Software-Assessment-Project).

The next topic is running Assurer Training Events (ATE) (Assurer Training Events). ATE’s are an essential concept in the Audit over Assurance (RA) business area. To scale a worldwide community, the community has to assist Auditors work in doing Co-Audits over Assurers. The question: How to contact groups of Assurers was answered back in 2009 with the ATE concept. The purpose of ATE is twofolded: first to communicate to the Assurers all the new informations and second to do Co-Audits. As Assurers follows the invitations to the ATEs we can expect, that they are more active in the community. So also from 2009 ATE experiences, we’ve got new resources from the community by contacts on ATEs (Get new resources). So this was the plan for 2010 ATE season, to find more people, who can help on the several tasks and projects that needs to be finished, before the new Roots and Escrow project and also the Audit can be (re-)started. E.g.

Helping CAcert

  • we are searching Infrastructure Admins for the Non-Critical Infrastructure systems, all running on Unix. Familiar with system migrations for the big Infrastructure project to separate Non-Critical from the Critical systems (The big Infrastructure Task). This project is running about 2 years, but currently without progress.
  • we are searching for Software Developers (C++, Python, Java) for the New Software project BirdShack (New Software Project BirdShack), that was started last year, after Auditors review of the Software that concludes: „Serious difficulties in maintaining, improving and securing.” and „Cannot form conclusion over software.”, so if the plan to start with the Audit over the old Software fails, we’re close to the 2nd path: BirdShack.
  • we are searching for Audit consultants who can assists in the Audit next step CrowdIt disclosure system (read AGM – Audit Report 2010 – CrowdIt. CrowdIt, as a sort of wordplay on Crowd-Audit). CrowdIt is an emerging disclosure tool (based on the old DRC browser).
  • we are searching people, who can assist us in the funding project (Funding project), that becomes the ground base for the New Roots and Escrow project (New Roots and Escrow) that should be keep tracked by an Auditor, and the re-start of the Audit (Audit over Assurance (RA) 1) and (Audit over Systems (CA) 2).

The New Roots and Escrow Project Relation to Audit

As said before, the New Roots and Escrow Project should be keep tracked by an Auditor. From the experiences back in 2008 on creating New Roots but fail on Roots Escrow, we’re warned to separate the Audit steps of the New Roots and Escrow Project (New Roots and Escrow) and the Audit over Systems (Audit over Systems (CA) 2). Both tasks should be close together.

On the other side, we have to do an Audit over Assurance (Registration Authority, RA) (Audit over Assurance (RA) 1). There is no requirement on bundling the RA Audit and CA Audit as both business areas have their own Policy sets and can be checked separately. This can make our work presumably easier. Easier to get Audit funding for Audit over RA. As Assurance area is closer to be Audit Ready, we can also signal to the Community Audit is back on track. This will probably push the other tasks. With a small budget we probably can double the result by getting new resources, “Hey, there is progress on the overall Audit task” – CAcert is back!

Community 2010 February Update

  • 20100221 Markus Warg appointed to Software Assessment.
    * He is now the 2nd team member in a new team that will be formed under the “Repository Project” by Andreas Bäß
    * Also involved in this project is the Critical sysadmins team for building up the Servers and software for becoming testing and staging servers.
    * Also to train the system recovery from scratch
    * Also to prepare a proposed system upgrade
    * These are the first results from the Software MiniTOP Essen Dec 16th 2009
  • 20100221 UlrichSchroeter appointed as Assurance Officer
    * Board accepts Sebastian’s resignation as Assurance team leader, and thank him for steering the ship over the last year. Sebastian remains on the Assurance team! Board appoints Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy.
  • 20100221 Michael Tänzer appointed as Support Officer
    * Board appointed Michael as support team leader and accepts Ian Grigg’s resignation as support team leader.
    * (Formally, as Support Officer within Security Policy.)
  • 20100213 Software MiniTOP Offenbach Feb 13th 2010
    * Current State of ”Repository Project”
  • 20100206 Assurance MiniTOP Brussels Feb 6th 2010 – on the Agenda were several topics
    * Assurance – Tasks for coming weeks.

    • Plan for Events.
    • Submit review to board.
    • new AO and EO to board.
    • prepare CeBIT.
    • finish Co-auditing Programme for 2010, in time for CeBIT.

    * CeBIT
    * Roles
    * Support
    * ABC interviews
    * Recruitment
    * Co-Audit
    * Defining the Co-Auditor
    * co-Audit Team
    * co-Audit preparation

  • 20100201 p20100119 PoJAM to DRAFT resolved.
    * https://svn.cacert.org/CAcert/Policies/PolicyOnJuniorAssurersMembers.html
    * Now the Subpolicy is binding to Assurers for assuring minors and als minors to be Assurers.
    * This is the first policy in a series of subpolicys under AP, that cames back after all special assurance programs becomes frozen.

Further Community Update News you will find in the Wiki Community Update