Current Key Persons

The following members are listed as key persons. In the case of an urgent emergency, try to contact the keypersons mailing list, or one of those members.

Persons in () were asked but did not respond with their data; they are meant to be on the list. Two persons on the list currently do not get the data, at their own request.

Procedure for maintenance of the Key Persons List

Introduction

According to the Security Policy section 6.4 the Board must maintain a Key Persons List with all contact information needed in case a disaster recovery is needed. This page describes how this list is constructed, maintained and made available even if CAcert's core infrastructure is not available.

The list is currently maintained by EvaStöwe based on motion m20160521.5. The described procedure was last changed on 2016-09-09 by EvaStöwe based on motion m20160702.6.

Who should be on the list

The following people are meant to be on the Key Persons List:

Not essential but possible:

The following roles are currently not available but may be added if available:

Additionally contact data for secure-u should be added, if possible. Secure-u board may be added on their request.

The decision about who is on the list lies in the hands of the maintainer of the list but should be coordinated with the board and teams.

Which contact information should be maintained

The following contact information should be maintained for each list member:

Also:

How to collect the information

The board designates a person (can be a board member, but can also be one of the other key persons) who is responsible for collecting the stated contact information from each key person on the list. Collection will generally be done by emailing each list member with a request to supply his/her personal contact information, and a request to supply an update whenever something changes. The collector compiles all received contact information in a single overview ready for distribution (see below).

Each key person is also asked to provide a CARS stating that he/she will only use the data from the key persons list for CAcert disaster recovery reasons. This can be updated to also include management, distribution and further handling of the key persons list or anything else directly related to the purpose of the collection of the data.

If a key person cannot give such a statement, the other key persons have to be asked for their consent before that person is provided with the data.

Updates

The collector will poll all key persons to verify whether the contact information is still up-to-date, and apply the updates to the compiled overview.

How to distribute the information

Because most of this information is likely to be privacy-sensitive for most people, the information will only be distributed to other key people list members with a strict instruction to only use it for purposes of CAcert disaster recovery support.

The collector will send out a complete Key People Contacts list every 3 months by email to all people on the list. This way every list member should have a reasonably up-to-date version of the required information in his mailbox.

A warning should be included for people with a user@cacert.org address: they should save this message to a location which is not directly dependent on CAcert infrastructure, since that may not be available at the time the list is most needed!

All key persons are asked to handle the data carefully and to consider encryption as long as this does not interfere severely with the availability of the data for each key person.

Leaving Key Persons

If members on the key persons list stop being active in the roles for which they are on the list, they should be replaced by more active members, if there is no specific reason to keep them on the list.

Any member who is removed from the Key Persons List should be informed about this step and should be asked to delete the data as soon as there is no further need to keep it. Their own data should be removed from the next version of the list that is distributed.

Additions

In addition to the key persons list, a mailing list can be maintained with all key persons. The key persons data is not meant to be sent over this list in normal situations. The mailing list is meant to be used for reporting of possible emergencies and possible disaster recovery.

Anybody should be able to send to that mailing list.

Possible mail templates

to be added when available

Updates to the procedure

According to the Security Policy, maintaining the key persons list is a task of the board. The board of 2015/2016 has issued motion m20160702.6 about the maintenance of the KPL procedure:

KPL Procedure may be changed by Delegate

Resolved, that Eva is delegated the keeper of the KPL, and that this role includes the ability to change the procedure.

Update at 2016-09-09

The procedure was updated via:

The update was necessary as:

  1. it was unclear what the correct version was at the time when Eva took over the task because of undocumented changes
  2. the selection of who should be on the list was found to be not in line with Security Policy requirements
  3. the prior version required S/MIME usage of all key persons which was not possible for at least one person, again
  4. the required mail templates were considered too strict and restrictive
  5. the requirement to delete public keys was found to be ridiculous and not helping to ease the way to contact key persons

Main changes:

Inputs & Thoughts



SystemAdministration/Procedures/KeyPeopleContacts (last edited 2019-11-03 16:09:16 by WytzevanderRaay)