• Audit
• CommunityReport20081007short

(Brief) Audit Report for AGM. See also the (long) Report to Community 20081007 on same day, and all other reports.

SITUATION

1. Systems are moved: new team is working through its milestones.
2. documentation is now in reasonable shape. Two major shortfalls:
   1. Security Manual.
   2. CPS email/domain checking is a major issue as there has been little forward movement on this, and it is now going to cause problems.

PLAN

1. end November:
   1. root creation for top-root and Individual-Assured subroot.
   2. three milestones given to new sysadm time (discuss with Wytze).
   3. introduce sysadm team to Security Manual
2. December:
   1. Security Manual work-thru
   2. Make a plan for operational review as per DRC-C (depends on 1.b above).
3. January:
   1. work through the email/domain checking.
   2. perhaps start operational review (2.b and 1.b above).
   3. Move AP to POLICY
   4. start operational review on assurance.
4. Feb:

   1. if all goes well, think about a limited audit report ==> Mozo.

AUDIT

1. CPS is partially updated to incorporate a wip Relying Party Statement:

Think about that: it is the link between Assurance and Certificates and Reliance, leading on to Disputes. Get that right, and things are solid. Get it wrong and the edifice teeters and totters.

1. A lot of time has been taken up by the LISA presentation.
2. Security Manual: some of the experienced are being copied in. I hope to talk to Pat this weekend and get a handover of some form on the SM.

BIG PICTURE

1. Since 2006, Mozo has now changed track to a dual-path: EV and "non-EV". EV stands for "Extended Validation"
2. Board prefers to maintain *high standards*. But accepts short-term audit approach of new root going into Mozilla in their "non-EV" track.
3. Propose limited audit report on Individual Assured Members subroot only. Do the rest later.
4. Could be proposing this by Feb-April if the operational review goes OK.

FUNDING

• Phase 1 is now complete as far as NLnet/funding is concerned and phase 2 payment is now in.
• I will look at clarifying the expenditures in December, after I get back from US and all expenses are clearer. Likely, we will have used up most of the expenses and most of the work budget for both phases, but there should be enough left for some trips to the Netherlands for operational checks.

SUMMARY for YOU

1. fix that CPS bug: email/domain checking
2. think about how to help the tech side. Easy fixes: Lots of small systems on the non-crit area, or fix some source code.
3. if you are in the OA area: get some doco out there, and look at those bugs.

END

See also the (long) Report to Community 20081007 on same day, and all other reports.

CategoryAudit