This page APPROVED in m20121121.1
Stuff that needs completion is in Bold XXXXX
Reflecting headings from last year
iang: added Governance Statement, QC&P.
From the Committee of CAcert
Hereby, the Committee of CAcert Inc presents its executive report to the members of Association, and by extension, to the entire Community of CAcert. This report is over the customary period of 1st July 2011 to 30th June 2012.
In addition to that defined period, the Committee presents a Forward Looking Statement that covers 1st July 2012 and beyond. Note also that Team Reports are not so constrained by fixed periods.
Terms
The terms committee and board are used interchangeably. The terms CAcert Inc. and the Association are used interchangeably. The term Member means a member of the Community, under the CCA, where unqualified, and a member of the Association or the committee where qualified.
Governance Statement
CAcert Inc. is incorporated under the Associations Incorporation Act, 2009 of NSW, Australia. The members of the Association are our registered participants in the governance of our wider Community. Total Association membership at 30th June 2011 was 86. As of time of writing, association membership stands at 90. The wider Community outside the association currently numbers some 5,142 Assurers, around 22,000 end-users with some assurance, and over 200,000 accounts with zero assurance.
CAcert Inc. has no employees – we rely fully on a cadre of volunteers to carry out all functions.
CAcert Inc. operates under the rules of the Association, as adopted by the Association members, November 2011. In addition, CAcert Inc also binds itself by means of the CAcert Community Agreement and prior decisions at AGM and Committee to the policies of the community. Under these combined rules, the affairs of CAcert Inc. are managed by the Committee.
The Committee is elected each year at the annual general meeting. The Committee comprises the president, the vice-president, treasurer, secretary and three ordinary members. The Committee also forms a sub-committee under the rules, and incorporates the sub-committee into deliberations. The Committee meets on the Internet once or twice per month. Meetings are generally open, minuted on the wiki, and publically readable.
The Committee's primary role is to manage the services and teams of the Community. The Committee is assisted by 2 other main groups, being the Arbitration Forum for the resolution of disputes and the policy group for the creation and approval of formal policies. The Committee directly manages the many teams of CAcert, each of which work within the policy framework of CAcert, document their activities and processes on the wiki, report to the Committee, and abide by rulings of the Arbitration Forum.
The outgoing Committee provides the annual report to members at the annual general meeting. The annual report includes a financial report, team reports, a summary of the year's events and a forward looking statement to assist the incoming Committee.
The Committee's Year in Brief
All minutes can be found on the wiki:
There is a summary of the Board's activities extracted from the minutes:
Strategy
In response to two factors (being, moves by the CA industry, and accusations in the previous year impacted over future auditors), the board took on a far-reaching reconsideration of the primary mission of CAcert, being in short to 'get into the browsers.'
The CA industry has now imposed multiple audits on the process, and browser vendors (Mozilla and others) have followed suit without any apparent question as to the costs and competitive nature of the process.
The increased costs in the process are perhaps doubling and tripling that which we have faced in the past.
As it was already in our minds that the cost of even one audit was unreachable, we are now faced with a dramatic challenge to the mission.
We are now of the view that CAcert will never enter the browsers via the classical path of audit.
This has far-reaching implications. In order to address this, the committee discussed some ways to better utilise the community to get the root into the browsers on a manual basis, including browser plugins and contract changes to facilitate member-empowerment.
However, it became clear that the community itself has to lead on this process. We need to get to grips with the basic message and our real capabilities, before we decide how to do things.
Location of CAcert
CAcert Inc is incorporated in Australia, the original location of its founding as a community. However it has been for many years clear that the center of gravity for the community was found in Western Europe across the belt of Germanic countries -- the Netherlands, Germany and Austria.
Efforts to bootstrap the creation of a larger Australian base have worked, but they have not been spectacular. Also, support for the Australian domicile has always been weak.
It is therefore our emerging view that we need to move CAcert's intellectual property and management vehicle to Europe, in order to better align with the strength of the community. How this is done is beyond the scope of this report, and this board's time. In brief, it would be a task of future boards to encourage local organisations in Europe to better take on the various functions now taken on by CAcert Inc.
The Committee's Forward-Looking Statement
July 2012 to November 2012 (AGM Time)
This period has already passed, and this section can be seen as a preliminary briefing on the period. However, the next year's full report will properly replace this entire section with a formal report.
- An effort was made to recruit more Australian members, and there was an assurer event in Melbourne, which resulted in two new members.
An affilliate program with booking.com was entered into that has resulted in welcome extra funds.
There have been ongoing talks with gooze to enable coorperation over marketing gooze products branded with CAcert.
- The internship arranged earlier terminated with useful progress, and a report has been submitted.
- There were continuing discussions about encouraging more arbitration. An arbitration team meeting was organised, and Alex Robertson agreed to take over team leadership from Lambert.
December 2012 to End-2013
Looking forward, the Committee has to face the two major challenges listed above.
In our discussions, we have reached the conclusion that we have to redefine our future as outside the industry's cartelised structure. Clearly, the industry have erected the barriers high, and thus we face high costs. The question of following or abandoning the industry turns on security and it is here that the industry has markedly failed. This has been for several reasons.
Firstly, the design of all Certification Authority security stretches back to at least 1995 when SSL v2 was released, and VeriSign as incumbent defined the field. (Actually, it stretches way back before that to the mid-1980s, and is influenced heavily by telecom committee work intersecting with public key ideas.) The security model of the time was not well founded, and it has become worse.
The point here is the security model has never been updated, while it is evident that the threat & risk scenarios have changed dramatically. In this sense 2011 was a coming of age year for the Certification Authority industry with a dramatic increase in attacks.
Secondly, how has the industry responded? In all cases - to attack and to absence of attack - it has responded with one mantra: more of the same. The industry has not moved to address weaknesses in the model, but has bolstered those very parts that keep it in business. As such, the industry is further distancing itself from the security needs of the Internet, at the very time that it might prove its efficacy.
Thirdly, and for one case in point, the users continue to be offered an agreement without liability and therefore of no value. In American parlance, the CAs have no skin in the game. Recent documents that are now seen as standards have even reduced the needs to make any representations to users, and vendors have secured guarantees of their own absence of liability. We ourselves have discovered this because our own audit criteria requires us to establish the risks, liabilities and obligations of all the parties, which the reader can find prominently in our CCA.
As we are a Community of Members, we must get closer to our Members, not further away. Therefore the industry cartel's approach does not suit us. Indeed, we frequently hear that our overall governance structure is far superior, and our offering is more balanced and more governed than any commercial CA.
Which leads us to where we go next. This is in three parts: Firstly we must engage the community on this message. Secondly, we want to explore the possibilities for browser-agnostic processes. Thirdly, we do not want to sit still on audit: we should continue our work to reach our internal audit, as an intermediate step for external audit, and we should also review our long-suffering DRC for improvements.
We must not fall to the trap of others - the worsening threat environment means we also want to review our own standards.