Minutes of the "Top" meeting 2007 September 17-21

Executive Summary

The Board and Advisory group of CAcert met in Pirmasens, DE, from 17-21 September 2007. The first three days were just these two groups (six people). On Thursday Philipp Gühring joined us to discuss software and system administration issues, and on Friday more officers joined to report on and discuss their areas of responsibility. We gratefully acknowledge Jens Paul's excellent organization of the meeting.

CAcert gratefully acknowledges Duane Groth's vision in creating CAcert.

Most importantly, the organization is "under control" again. The board has assumed responsibility for management from the auditor, gained control of bank accounts, domain names and servers, and is financially stable. Instead of the Advisory, there is now a formal management subcommittee effectively taking on the role of CEO.

The current board was elected on an "interim" basis, to take necessary actions and plan the Annual General Meeting. That AGM will be held 17 November 2007 22:00 UTC, on IRC. The interim board will step down before the AGM, which will elect 5 board members. The three members of the interim board have indicated they will be available for re-election. All community members are urged to become association members, and association members are urged to check that they are paid up, before the AGM.

The board approved some important policy documents. The Dispute Resolution Policy describes how important decisions can be driven. (Teus Hagen was appointed Dispute Resolution Officer.) The "Non-Related Persons Disclaimer and License" serves to disclaim CAcert's liability to the world in general. The "Registered User Agreement", limits the liability to our users, and binds them to the Dispute Resolution Policy. Lastly, the "Policy on Policy" determines how changes and new policies will be handled going forward.

Now CAcert can get on with the real job, inclusion in browsers. The current plan is still "Mozilla first", and to this end we are resuming the required audit. CAcert will request funding for the continuation of the audit from NLnet.

The attendees brainstormed ideas for increasing revenue, awareness and sustainability. We should have a detailed sustainability plan in December, after the AGM. In the detailed minutes it is important not to read the section on brainstorming ideas as if they are decisions; many are mutually exclusive. They are just ideas.

The Board was already committed to more openness in the organization generally, including policy making, source code, and decision making. This sometimes makes life difficult but is an admirable goal. Help is needed to achieve this goal for the source code. The exception to openness is the CAcert name itself, which we wish to control more carefully.

Day 1 -- Operations review

Meeting called to order 2007-09-17 09:20. Present: (Board) Greg Rose, Robert Cruikshank, Evaldo Gardenali, (Advisory) Jens Paul, Teus Hagen, Ian Grigg.

m20070917.1: Minutes of previous Board Meeting are approved.

Jens reviewed arrangements for the week.

Greg to email Philipp regarding times and titles for day 4 agenda.

Robert reviewed finances etc. There are three accounts (2 with Westpac and one with Credit Unions Australia). Use PayPal and PayMate for incoming money. Should think about moving to a more international thing like PayPal exclusively. Account name at PayPal is confusing ( paymate@cacert.org !) DUNS number is set up (75-605-6102). Discussion of assets; one relatively new server is in our possession, older ones are not. Discussion of income sources. Robert feels we are now in good enough shape to be able to do legal reporting. He has put together a "Treasury Compendium" of the process he went through as well as the passwords etc. This will be shared with board members for safe keeping. Discussion about changing bank accounts to something more international. Currently not urgent to fix this. Agreed to pay a back invoice for colocation fees, and recover our old servers.

m20070917.2: Agreed that we should make our financial year July-June (fits well with November AGM).

Review of past actions by CAcert board. Unless otherwise noted, previous actions are supported. Need policy for email addresses. Review status of super-assurers. Domains are owned by CAcert. Review status of source code. "Advertise on Google", despite being passed, doesn't seem to have happened. "Limits on Points Growth" was agreed but has never been implemented; this needs to be reviewed. "Board remunerations" was passed but not implemented (no payments appear to have been made). Review of "Auditor instructs no deals" necessary (later in meeting).

m20070917.3: Overturn previous board decisions "advertise on Google", "Limits on points growth", "Board remunerations".

Assets.

m20070917.4: That the board take control of the domains, and the sysadmins take control of DNS servers, thus effecting dual control.

m20070917.5: CAcert will vigorously defend use of its name, including for example stating that "CAcert is a trademark of CAcert Inc." in documents.

Planning for next AGM.

  1. membership register -- Evaldo says is a mess. There are 51 email addresses, corresponding to 50 individuals, but there is no information about joining date, currency, and in a few cases, nothing known except the email address. Agreed that Evaldo will send mail to past and existing members encouraging them to get current.
  2. requirements, allocation of tasks: Date of AGM to be 17 November 2007 22:00UTC, on IRC. Evaldo to issue preliminary notice, then a formal notice before 21 days.
  3. recruitment of new members. Greg Stark and Henrik Heidl to write a draft asking people to join, talking about mission, and so on.
  4. recruitment of new directors. Current board and advisory to work towards a high-quality slate of candidates for the next election.
  5. motions suggested on wiki at NextAnnualGeneralMeeting : Members of the association should also be registered users of the service (can change the bylaws to require CAcert certificate signature).

  6. mission of the Inc., responsibilities Inc. (To be discussed day 5)

m20070917.6: We will direct payment for membership to PayPal. In the future we will shut down the PayMate account.

m20070917.7: Election to be for 5 members of the Board of Directors. Board positions to be decided and announced within 14 days after the election.

m20070917.8: (Non-board operational) Officers of the project of the organization should be financial members of the association; the Board can make exceptions to this rule.

EU DPA

m20070917.9: The board accepts that CAcert is or intends to be subject to the DPA, and action is required to be in full compliance with this.

m20070917.10: The Board gratefully acknowledges Duane Groth's vision in creating CAcert.

m20070917.11: That the treasurer be authorized to pay budgeted expenses and minor normal expenses less than AU$100 without requiring authorization from the board.

Organization Chart: there was extensive discussion of th organization chart, and how to fill the various holes. What seems to work is to have small progress, getting people to do individual tasks, and they tend to grow into bigger roles. Some discussion about focusing on Scandinavia, UK, USA, and how to do better in those places. We serve the markets as we can.

m20070917.12: Agree to fund the Systems 2007 fair in Munich, DE (est E.1724)

Meeting adjourned 18:10

Day 2 -- Policies

Meeting resumed 2007-09-18 9:00

Minor change to agenda order.

Organizational Assurance Policy

Jens introduces the OAP. The proposal was examined in detail and substantial changes made. The document will be re-introduced for approval later.

HR issues

Reiterate discussion from yesterday. Emphasis on recruiting particularly from UK and Scandinavia, before assigning officer's positions. Discussion continues about potential board candidates.

Risks, Liabilities, and Obligations

The Auditor introduced the issues. The board reviewed the proposed documents.

m20070918.1: The Board approves the document titled "Non-Related Persons Disclaimer and License". In an abundance of caution, the document will also be presented for ratification at the AGM.

m20070918.2: The Board agrees in principle to the process of arbitration for dispute resolution.

m20070918.3: The Board approves the Dispute Resolution Policy as discussed in the meeting.

The board discussed the difficulty for a new user to tell the difference between "official" wiki pages, as opposed to working pages, advice pages, and so on. The board believes that the Documentation Officer is in charge of this problem. Our suggestion is to split the wiki at a high level, to have write-controlled pages for official use, policies, etc.

While discussing the RUA, the board noted that there is no mention of retaining assurance documents in the "web of trust" web pages. The Documentation Officer is requested to rectify this.

We reviewed the RUA, and among other things noted that the privacy section needs to be reviewed by the Privacy Officer.

We noted that the introduction of a monetary limit on liability changes the philosophy of CAcert; unfortunately the requirements of the legal framework within which CAcert exists appear to make such an admission of liability necessary.

m20070918.4: The Registered User Agreement as discussed and modified is promoted to DRAFT status as written in the (not yet approved) Policy on Policies, and is therefore working policy for the community. The period of DRAFT for this document is until the AGM.

Principles

m20070918.5: The principles part of the Mission and Principles document is approved for the time being, but it is expected to evolve further.

There was discussion over dinner of a Mission (or goal). "Reasonable Security for the Community".

Meeting adjourned about 21:30

Day 3 -- Audit stuff

Meeting resumed 2007-09-19 09:10

History

Discussion of the history around an independent (of WebTrust) audit; aimed at entering Mozilla's root list. Real goal is to try to get into "Mainstream browsers". Also intended to assure us of security of our internal processes, risks, etc. We choose to aim at Mozilla first. We reviewed the DRC (David Ross Criteris). Auditor considers that the Board should be in charge.

m20070919.1: The board declares that it is up to speed and is in charge of CAcert assets and procedures.

Auditor now believes that we can resume negotiation with other parties eg. Linux distributions.

Code Auditing: "ascii" (Francesco Ongaro) is doing a code audit on his own schedule. He has found several severe bugs; followups were delayed. There has been no general call for code review. Agreed that there should be more opportunity for community review. System administration and development should be separated ASAP. After discussion, it seems clear that a committee should take on the task of getting a system administration team in place, and the move to Oophaga in progress.

m20070919.2: Create a management sub-committee tasked with certain "CEO-like" duties, in particular staffing. The sub-committee consists of Jens Paul, Teus Hagen, Evaldo Gardenali, with Ian Grigg to have an observer/advisor status.

Internal Audit: the management sub-committee should also be looking for a volunteer for the Internal Auditor position.

Quality control: ditto.

Discussion about the CCS; movement is necessary. The big holdup seems to be the security manual. We reviewed the existing outline. It needs work. The joke copy of the CAcert security handbook should be "svn removed", as it was never meant to be taken seriously (we hope).

Left over from yesterday, we reviewed the changes to the DRP.

m20070919.3: The draft Dispute Resolution Policy is approved to move to the status of POLICY.

m20070919.4: The Policy on Policy is approved by the board and moved to DRAFT status, until the AGM. Note that this decision moves policies, from now on, under the control of the Policy mail list.

Governance

We discussed this agenda item. Oversight by the auditor has terminated as agreed in the motion above. The "four eyes" control and dual control duties will be defined in the Certification Practice Statement, to be agreed as a policy. The Management subcommitee should take this as a priority task.

Systems issues

The hardware is soon to be under control of Oophaga. With this change, we make progress towards dual and/or four eyes control of administration. Day 4 is devoted to systems issues. When should the audit be restarted? The logical time seems to be soon after the machines are moved to the Netherlands. We agree that we have to put in procedures that guarantee the security of the root keys. These procedures are more strict than the previously applied procedures, and obviously did not apply to the old root keys. Therefore, once the new procedures are in place, we will create new root keys and deprecate use of the old keys.

Audit funding

We discussed and updated a proposal for funding of the audit.

m20070919.5: The proposal to NLnet for funding continuation of auditing is accepted by the board and will be communicated to NLnet by the President before October 1.

Sustainability Funding

We conducted a brainstorming session around the subject of sustainability. The following is just a list of ideas. Don't read anything into it.

Meeting adjourned 18:30

Day 4 -- System issues

Meeting resumed 2007-09-20 12:00 (after a tour of the Westwall Museum)

Today is devoted to system issues. Philipp Gühring joined the meeting.

Philipp's presentation is Systems.pdf .

Architecture: Currently trying to move the non-security systems (wiki etc) to Netherlands. Eventually Netherlands will be main center with Austria having "hot" data backup (not really "hot", but ready to take over). Reviewed designs for the distributed architecture. "Airlock" special proxy server for protecting web traffic is being evaluated. Philipp presented the architecture evolution.

m20070920.1: empower auditor to follow the trail of offsite backup.

Might need a nice open source package to implement encrypted log files. Logging issues require further study.

Migration: Did a quick move from AU to AT late 2006; data transfer was secured, but status of data (that is encrypted) on the original servers (and servers themselves) is unknown at the moment. Expect final clarification within 1-2 months? Serial link to signing server is currently unreliable (bit errors), so sneakernet is used for CRL transfer weekly. Hard to diagnose this problem. OCSP, Backup, svn, IRC have been moved to NL. Current offsite backups are done by a secure storage company. Agreed that the identity of this company be stored with the board in some "multiple eyes" fashion. Also Auditor is empowered to be told who it is and satisfy himself that the storage is secure.

Security Manual: Philipp working on threat model first, leading to the security manual.

Board agrees that if there is to be unpublished sections (eg. of security manual) they should be replaced by a justification of the reason for not publishing.

Discussion about the security manual. Since it can never be perfect, we asked how soon the first usable draft will be available? We agree that it is reasonable to take shortcuts going from threat model to security manual, but not to avoid doing the threat/risk analysis. Philipp requests that we all do some brainstorming about the threats and communicate them to him.

Assets: 3 machines in AT are loaned (possibly with an agreement that they are not wanted back); theoretically there is a threat that the owners might want them back or even sieze them without warning. Machines are marked as under responsibility of Philipp, so that they won't be taken in the event of the location going out of business. Try to get a donation agreement signed.

Agreement that Evaldo might be given admin responsibility for some non-core systems, like the test system. Possible conflict of interest (being a board member) stops him helping with core (eg. svn, signing) systems. [refer to later decisions regarding call for sysadmin help.]

Support: still only 2 people really doing it (one of them is a fraction of Philipp). Need some more people to do this. This is done with encrypted IMAP mail boxes at the moment; probably OK for the scale needed. Thought that there is no accountability for support at the moment... but the IMAP system can keep copies of the emails in and out. Evaldo notes that there are probably open support issues that were lost in the past, probably nothing can be done about this. Going forward it would be good to be able to get statistics about support (a ticketing system might help here, but none found acceptable yet. Question about mixing languages on support list, also support is often given by local lists in local language.

Agreed that people giving support in local languages on local lists be asked to cc: a special archive list, for recording and dispute resolution reasons. This archive should not be public, since private information may be submitted by people.

We need some mechanism to cross check reliability of core support people, currently the mechanism is TrustCheck, but TrustCheck is currently stopped.

Open Source: We hope to make movement to open source a priority. Our plan is to "Investigate, decide, implement". Board is to ask on policy list for help.

m20070920.2: Agreed to ask that the new email system can be set up to automatically archive everything on "official" lists. Privacy officer to be consulted before actually implementing it.

Software:

Reviewed software that exists / is being implemented / is desired. Yellow flag raised... need more people for this.

Board wants future discussion about the Tverify program.

It would be nice to prioritize the software project list, identify items that are critical to current operations of CAcert, and estimate the magnitude of the tasks. Making progress will attract attention and other good things to CAcert.

Issues: Advertising is controversial. Need to find contract with existing advertisers (apparently signed by previous board; current board was not aware of its existence).

m20070920.3: treasurer is single point of contact for advertising issues.

Recognize that TrustCheck or something like it is extremely urgent. [see below]

Audit criteria is a possible problem. Asked auditor to investigate ramifications of auditing to both criteria, or switching to WebTrust criteria.

Board Session

There is a very strong motivation for the migration to happen quickly. CAcert should make the strongest possible statement about how much has migrated in the near future. Philipp is advised that we want to do as much as possible as quickly as possible, in moving the functions to NL.

Request Philipp to forward his (amended) presentation to Management subcommittee ASAP, for publication.

Should we pre-identify and brief a lawyer in NL in case of subpoena? Generally agreed that the management committee should try to identify such a lawyer. Teus has some contacts. Philipp points out that we should think about contacting lawyers in US and Australia. Greg has contacts.

m20070920.4: Management committee is authorised to investigate such a relationship in NL. Board members authorised to investigate in AU/US.

Discussion of TrustCheck

Proposal to restart the program. Problem is that the details are not known, so can't restart instantly. Board and Advisory need to see the details before we can proceed. There might be privacy concerns and/or legal issues. Philipp to distribute details to Board/Advisory. Discussion about details of TrustCheck are deemed worthy of secrecy on a "need to know" basis. Perhaps we want to change the name.

Is TrustCheck part of the problem? What we end up with may be very different.

Can we separate the pool of administrators and machines to low and high security? What can we do to get more admins?

m20070920.5: do a call for sysadmins, specifying certain requirements and areas of duty. For the time being, suspend the TrustCheck requirement in favour of personal estimates of worthiness by Philipp and management subcommittee. For "high risk" systems a proposed sysadmin should be approved by the board. Support to be treated the same.

m20070920.6: Appoint Teus Hagen as Dispute Resolution Officer.

Meeting adjourned 18:45

Day 5 -- Officer reports

Meeting resumed 20070921 09:15.

Joined by other officers: Henrik Heigl (PR), Mario Lipinski (Events), Rasika Dayarathna (Privacy), Sebastian Küppers (Documentation).

Introduction by Greg Rose.

Education report by Jens Paul. Slides are EducationReport. Education Officer gave us training on how to be an officer. Assurer test is important and ready to go out. Question: what languages are neccessary, and how do we handle requests for new ones? Agreed that we accept translations even if we are not certain they are correct; we are still ahead of current practice (which is no test), and disputes can always correct them. Jens gave a demonstration of the test software.

Human Resources by Teus Hagen. Reviewed the organization chart as approved elsewhere. This is not a final structure, it is expected to evolve over time. It was agreed that effectively the Management Subcommittee has taken over from the Advisory Board. See also the [Advisory "advisory wiki page"]

Events by Mario Lipinski. Slides are EventsReport.pdf. Noted that event organizers are legally responsible for the event, not CAcert Inc.

Public Relations by Henrik Heigl. Slides are PublicRelationsReport.pdf. Also Jens Paul mentioned the article published in the August issue of <KES>.

Our first dispute!.

We took time out of the agenda to talk about the first dispute lodged under the Dispute Resolution Policy. Since the details of the dispute resolution should be private, and anyway it had not yet been assigned appropriately, we discussed a "straw man" case similar to the one in question.

Before: Arbitrator Greg Rose (A). Respondent: Teus Hagen (R) Claimant: Evaldo Gardenali (C) Case: a20070921.1

1. A: The case will be heard hypothetically only.

2. A: Are the parties happy to have hearings in front of group? Yes.

3. A: Claimant claims that Respondent was assured even though he didn't have documents on him that proved he was indeed the person on the website.

4. A: Claimant, did you ever certify Teus?

5. C: Claimant challenges Respondent to produce official dox that match the name. 6. A: A reasonable person should know that first names may differ according to conventions. There is little or no difference between Greg and Gregory.

7. A: Uphold the right of the claimant to refuse the assurance.

8. R: You might choose not to set a rule that applies to any other case. We cannot go back and change the cases where this occurs. Every policy and change can cause severe systems changes. There are costs in just fixing. If there is a rule, did it happen after the first assurance of Respondent has happened? Be careful.

9. A: I undertook a reasonable man's search for the rule, and couldn't find it.

10. A: I direct CAcert (the board) to clarify the rule. I do not make an order on this issue.

11. A: If the Claimant had acted badly, we might have to revoke all certificates. There seems to be no intent to act badly in this case.

12. A: If the Assurances were to be revoked it would cause a ripple effect. Therefore no such order is made.

13. A: I Dismiss the action.

Arbitrator closes the case.

Documentation by Sebastian Küppers. Slides are DocumentationReport. Discussion about an agreed format for documentation.

System Admin, Support and Software, by Philipp Gühring (and partly on behalf of Guillaume Romagny). Slides are SystemSoftwareReport. The lack of a security manual is a real problem. We should all try to help by asking around. "We need someone who is experienced in threat modelling, risk analysis and writing security manuals."

Privacy by Rasika Dayarathna. Slides are PrivacyReport.

Organization Assurance by Jens Paul. The OAP was approved earlier in this long meeting.

Auditor. Ian Grigg gave a verbal report of the status and resumption of the Audit. See also AuditPresentations. He then proceeded to review some of the other documents that had been approved this week (Registered User Agreement, Non Related Persons Disclaimer and License, Principles of the Community).

Oophaga Agreement was officially signed.

There were a number of cross certifications, and two new members joined.

m20070921.1: To accept two association membership applications (Henrik Heigl, Sebastian Küppers).

Meeting closed 20070921 17:50. Good job, well done.


CategoryBoardMinutes

TopMinutes-20070917 (last edited 2009-09-27 04:40:32 by Mario Lipinski)