''Reviewed:''
 * [[https://community.cacert.org/board/motions.php|board motions]]
 * [[https://blog.cacert.org/|blog]]
 * [[Community/Update]]
 * [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes|Board's minutes]]
 * [[https://lists.cacert.org/wws/arc/cacert-board/2009-07/|Board's archived open email traffic]]
 * Board's archived closed email traffic

''To review:''
 * [[https://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-20100130/CAcert_Annual_Report_2009.pdf|Annual Report forward looking statement]]

''Notes:''
 * '''DO NOT bother with formatting or links''' because this has to be reformatted for final publishing in some document preparation tool
 * ''only major events are entered here ... if it is better reported by the Team then we should do that.''

-----------

CAcert's Year July 2009 to June 2010

20090725 The Special General Meeting was held at the request of Member Nick Bebout, seconded by Member Mario Lipinski, with several significant resolutions:
 * A rule change was proposed by special resolution including making the status of Assurer the only requirement for membership of the Association, increasing the Board to 10 seats, and others. With 24 AYES to 14 Nays, it did not meet the 75% required for a special resolution.
 * A resolution addressed the board, and stated, we association members were “disenheartened at the breakdown of working relationship.” It passed with 35 AYES to 5 Nays.
 * The second resolution also addressed the Board and proposed “the committee no longer enjoys the confidence, of the members, and [they] are removed.” It was duly voted and passed with 20 AYEs to 16 Nays.

With that resolution the board was relieved and opened for the next item.
The final business of the SGM was to elect a new board for the interim period:
 * Nick Bebout (President)
 * Mark Lipscombe (Vice-President)
 * Ernestine Schwob (Secretary)
 * Philipp Dunkel (Treasurer)
 * Guillaume Romagny (Ordinary Member)
 * Andreas Buerki (Ordinary Member)
 * Ian Grigg (Ordinary Member)

These were adjusted to swap Ernestine Schwob and Philipp Dunkel's positions.
https://blog.cacert.org/date/2009/07

20090728 Board established three priorities:
 * get control of the payments accounts, starting with m20090728.2 https://community.cacert.org/board/motions.php?motion=m20090728.2
 * analyze and solve the data protection issue. The first step was to terminate the activities of the subcommittee of the last board, m20090728.3 https://community.cacert.org/board/motions.php?motion=m20090728.3 in order to limit the liabilities and protect those members.
 * move all infrastructure machines out of the BIT, Ede secure facility that held the critical systems. https://lists.cacert.org/wws/arc/cacert-board/2009-07/msg00362.html

As well, the Board decided to keep the private mailing list set up by the last Board. But, as Rule 23B had failed to be adopted as an Association special resolution, the Board also voted it into effect as a Board motion, m20090728.4 https://community.cacert.org/board/motions.php?motion=m20090728.4 requiring the Board to routinely keep business public, to formally decide by motion when to close the deliberations, and to publicly disclose the topics and reasons. Open governance was established.

Shortly thereafter, Board established a private list for all "corporate actions", being those formal communications sent to a board member that should be seen by all. m20090910.1 https://community.cacert.org/board/motions.php?motion=m20090910.1

20090815 CAcert sysadms met up at HAR2009 http://www.har2009.org/ One task they were able to handle easily was the destruction of some older physical drives.
This was the second time a new procedure had been followed in drive destruction; this time it was easier because of onsite hardware from a commercial company.
http://blog.cacert.org/wp-content/uploads/2009/08/slide_dscf0007.jpg
https://blog.cacert.org/2009/08/413.html

20090815 Board adopted a Community Communications practice that was substantially open, and placed power with the team leaders to grant access. No longer was it required for the Board to approve any access to a community tool such as email, blog or wiki.
https://community.cacert.org/board/motions.php?motion=m20090815.4

20090815 Mark Lipscombe took on the Public Officer role, replacing Robert Cruikshank.

20090928 CAcert introduced a new concept to the community from the Assurance Team: CARS or CAcert Assurer Reliable Statement. This was introduced so that our Members can send in reports on events, training, co-auditing and other important things. At the bottom of the report, the Member types her name and CARS to indicate that the above words are reliable enough to present to an Auditor, the Arbitrator or any other member who needs to rely. Throughout the year, this concept was rolled out.
https://wiki.cacert.org/CARS
https://lists.cacert.org/wws/arc/cacert-board/2009-08/msg00373.html

20090911 A new signing server was commissioned by the Netherlands team, thanks to a donation from NLUUG, the Dutch association of (professional) Open Systems and Open Standards users to Oophaga.
https://blog.cacert.org/2009/11/444.html
http://www.deboca.net/cacert/slide_IMG_1546.JPG

20090914 The board shut down all the older "special programs" until they could be properly written up by policy group. This is required because they breach the Assurance Policy, making audit a necessary fail.
https://community.cacert.org/board/motions.php?motion=m20090912.1

20091001 We adopted a push for client certs. The Blog and the mailing lists were configured to join CATS and the main website.
Overall this experiment was successful: although it takes some setup, afterwards the troubles are few, and far less than with passwords and spam.
https://wiki.cacert.org/ClientCerts
https://blog.cacert.org/2009/10/426.html
https://blog.cacert.org/2009/10/435.html

20091004 Iang posted a Funding subproject called Adopt-A-Page that intended to drive our page value up.
https://blog.cacert.org/2009/10/424.html
http://wiki.cacert.org//comma/SpecialCampaigns/AdoptAPage

20091015 Immediately after the above, we received notice that Thawte, a South African CA owned by Verisign, were shutting down their web of trust in one month. As CAcert ran a program called Tverify to accept the points from their program at par, this affected us. To help the people transition from that old and popular web of trust, the Board voted to extend the Tverify program until the Thawte access was shut down on 20091116, as at that point we would not be able to verify the points. Also, the Board voted to give Tverify people a year to get assured, which will be up very soon after this report goes to press.
https://community.cacert.org/board/motions.php?motion=m20090928.1

20091115 Ongoing discussions about the Arbitration backlog and Support blockages reached the Board.
https://lists.cacert.org/wws/arc/cacert-board/2009-11/msg00075.html
These were in deadly embrace, as we could not appoint new SEs without Arbitrated Background Checks (ABCs), and we could not fix Arbitration without a better support team. ABC was written into the Security Policy by Philipp Dunkel to replace the old undocumented "background check". To resolve the deadly embrace, Guillaume resigned as Support Team Leader, and the Board appointed Iang to revamp the team, assisted by Ulrich to push through ABCs.
https://community.cacert.org/board/motions.php?motion=m20091115.3
https://community.cacert.org/board/motions.php?motion=m20091116.3
Concept of Triage team was introduced.

20091122 Board pushed to move infrastructure hosting outside the critical domain of BIT, Ede so as to make audit easier. Hosting in Vienna by Sonance was accepted, and a project to provide hosting in Berne was started.

20091126 Daniel Black presented on certificate infrastructure at OSDC.com.au.

20091106 Finally, CAcert's CPS or Certification Practice Statement was put onto the main website in DRAFT mode. This document took over 3 years to write, and during the journey, outsourced many of its tricky parts into other strong policies: Assurance Policy, OAP, Dispute Resolution Policy, Policy on Policy, Security Policy, CCA, etc.

20091206 The Board completed its analysis of the data protection issues of CAcert's operations, and concluded that we were in compliance.
https://community.cacert.org/board/motions.php?motion=m20091206.3

20091211 Arbitration documentation project was started by Ulrich, and speed-ups were examined.

20091215 Assurance team met in Hamburg for a MiniTOP. PoJAM or Policy on Junior Assurer/Members was started.
https://svn.cacert.org/CAcert/Assurance/Minutes/20091215HamburgMiniTOP.html

20091216 Software people met in Essen for a MiniTOP. The new repository was up and running, and attention turned to test and developer systems.
https://svn.cacert.org/CAcert/Software/Meetings/20091216-Essen/20091216-Software-MiniTOP-Essen.html
At the following Board meeting, the Board requested that additional members be brought into the Software Assessment Team, but progress was very slow.
https://community.cacert.org/board/motions.php?motion=m20091220.2

20091231 It was decided to move the DNS and OCSP from the infrastructure team to the critical team, thus placing it under the regime of Security Policy.
https://community.cacert.org/board/motions.php?motion=m20091231.1
Shortly thereafter, the main cacert.org domains and domain account were also moved to the critical team.
https://community.cacert.org/board/motions.php?motion=m20100103.6

20100103 Lambert was appointed to DRO or Dispute Resolution Officer, after Nick resigned late December. To be assisted by Ulrich. Pace on the documentation picked up.

20100103 A draft of the financial report was presented by Ernestine.

20100117 Board discussed the new roots situation in depth, but still no plan, no team.
https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00102.html

20100130 The Association held its Annual General Meeting. At that meeting, the report was presented, including Board's report, Financial Report, and 13 team reports. At around 70 pages, the document was hefty. A set of resolutions was passed into the Association Rules, and a new Board was elected:
 * Lambert Hofstra (President)
 * Daniel Black (Vice President)
 * Ernestine Schwob (Treasurer)
 * Mark Lipscombe (Secretary and continuing as Public Officer)
 * Nick Bebout (Member)
 * Mario Lipinski (Member)
 * Ian Grigg (Member)

https://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-20100130/images/Lambert.jpg
https://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-20100130/CAcert_Annual_Report_2009.pdf

20100201 Policy group voted the PoJAM to DRAFT, giving members and assurers under 18 the way forward.

20100202 With the passing of a special resolution reducing signatories required for payments to one, the Board was able to start making payments after a delay of 6 months. Two patient creditors were paid, being Iang and Oophaga.

20100206 Fosdem 2010 was a big event for CAcert with Assurance Booth and event. Iang gave a 15 minute lightning talk at Fosdem in Brussels called "Client Certificates - The Old-New Thing"
https://wiki.cacert.org/Technology/KnowledgeBase/ClientCerts/theOldNewThing
Assurance Team held a MiniTOP in Brussels. Main topic was to plan the new co-auditing year in preparation for Audit.
https://svn.cacert.org/CAcert/Assurance/Minutes/20100206BrusselsMiniTOP.html

20100213 Software team MiniTOP in Offenbach reported on state of repository.
https://svn.cacert.org/CAcert/Software/Meetings/20100213-Offenbach/20100213-Software-MiniTOP-Offenbach.txt

20100221 Ulrich was appointed as Assurance Officer by Board, taking Sebastian's place.
https://community.cacert.org/board/motions.php?motion=m20100222.2
Michael Tänzer appointed as Support Officer, taking Iang's place.
https://community.cacert.org/board/motions.php?motion=m20100222.1

20100306 Daniel Black appointed as Infrastructure Team Leader.
https://community.cacert.org/board/motions.php?motion=m20100309.3

20100327 Walter Güldenberg appointed as Events Team Leader, replacing Ulrich.
https://community.cacert.org/board/motions.php?motion=m20100327.1

20100304 In response to concerns raised about privacy and security in Support Team, especially for the new Triage team, and OTRS, the Support Team's new tracking system, it was decided that neither would be directly under Security Policy, but they should be documented under Security Manual.
https://lists.cacert.org/wws/arc/cacert-board/2010-03/msg00001.html

20100306 CeBIT! The major event of the year was well attended over the 5 days with a team of 8 to 12 Assurers. Co-audit program was finalized for the year and started.

20100308 Ulrich started a task list of running Projects which can be found in the Wiki.
https://lists.cacert.org/wws/arc/cacert-board/2010-03/msg00018.html
https://wiki.cacert.org/OverviewProjectsBoard

20100309 Ernie uploaded the new Association Rules, reflecting all the Special Resolutions from the AGM.

20100324 First ATE of the season: ATE-Sydney!
http://wiki.cacert.org/events/20100324Sydney

20100326 Board vetoed the DRAFT status of Security Policy regarding point 9.1.4.2 due to a perceived conflict between background checks over Board and CAcert incorporated rules.
The decision m20100327.2 followed Policy on Policy's limited right for the Board to veto a policy in DRAFT mode, PoP 4.6.
https://community.cacert.org/board/motions.php?motion=m20100327.2

20100330 Software-Assessment Project telco reported GIT was successfully tested, and discussed a Testserver Management System.

20100422 Andreas introduced a contract for the Board of CAcert Inc. to agree to, as a formal hosting arrangement with a Swiss hosting company.
https://lists.cacert.org/wws/arc/cacert-board/2010-04/msg00083.html
Much discussion followed, for three months or so, and it both consumed the lion's share of board time, and polarized the members.
https://wiki.cacert.org/Technology/Laboratory/Hardware/InfrastructureHost/Bern/Contract
The basic proposal was that the contract could not be changed, but the Board declined to accept that position for a number of reasons. Vigorous debate was conducted in email thread, wiki page, board meeting minutes, and in outside channels. Many pros and cons were advanced. A counter-proposal was written. In early July (20100707), the hosting offering was withdrawn by the supplier after the stated period for acceptance (until end of June) had elapsed.

20100516 Policy Group brought the CCS or Configuration Control Specification to DRAFT. This is the "index" for audit's view over policy.

20100605 Security Policy goes to DRAFT! After the board's veto, the policy group swung into action and reviewed the policy. A lot of tidying up was done:
 * The part suggesting that Board should have background checks was removed, as it related to a time before the new Associations Act 2009, which includes new requirements for Board to declare their interests and conflicts.
 * The Application Engineer role was removed, this goes back to Sysadms.
 * As it was going into vote to go back to DRAFT, the Software Team came in with a demand for stronger control over installing of patches.
As a result, the Application Engineer was dropped, and this role reverted to the critical sysadm team leader. As a compromise this area was kicked across to Security Manual, and as the control system for installing patches evolves it can be documented there, for later inclusion into the SP.

With that, policy group also announced that the full set of required audit policies was now in DRAFT or POLICY. This represents a major milestone, completing a 5 year project to prepare the documentation for Audit.

20100530 Minutes written for the AGM by Iang, to be reviewed by all, and presented at next AGM.
https://svn.cacert.org/CAcert/CAcert_Inc/General_Meetings/AGM-20100130/Minutes-20100130-AGM.html

20100614 Password Recovery With Assurance was announced, based on Arbitration case a20100407.1
https://wiki.cacert.org/Support/PasswordRecoverywithAssurance

20100615 Scheduled downtime as the systems were moved from one rack to another. Thanks to Stefan, Wytze, Hans and Bas.
https://blog.cacert.org/2010/06/473.html
https://lists.cacert.org/wws/arc/cacert-board/2010-06/msg00021.html