Next in a series of Community Reports on the Audit project. This one is aligned with the final signing of Iang memorandum. Previous and Next in series of reports.
1. Policies
a. All major completed policies are now approved to POLICY status, meaning the PoP and CCA, and all are now on the main website at http://www.cacert.org/policy/ .
b. As CAcert Community Agreement (CCA) is now POLICY, we need to get everyone to agree to it. Of course! This makes for major changes: There need to be checkboxes on the CAPs and COAPs, certificate issuance page, membership joining page, and other things as listed in the CCA itself. This work is outlined at RolloutCommunityAgreement and you will see that quite a bit is already done.
c. From the feedback we have (lists, CeBIT, CATS) we know the CCA has been accepted by the vast majority of members. There have been a few negative comments, and these have been debated on [Policy] list and probably elsewhere. On the whole, comments were not unexpected: the "high" liability limit and the Arbitration jurisdiction. This does rather put the onus on CAcert's system of dispute resolution (Arbitration) to develop a fair and efficient tradition of solving problems. For that we need time, and some real disputes, of course.
d. Assurance Policy work is slow. We have debated heavily a suggestion to drop Date Of Birth. That's a debate in progress. Once that debate is concluded we can look at other things to strengthen the WoT and to make the Assurance more efficient and safer. These are listed in the top of the document.
e. Pat Wilson (Paw) has started the SecurityManual and there is lots of filling out to do. Help if you can!
2. Systems
a. The critical path for the audit remains the critical systems. That is, the machines that implement the core-db+user-app and also the (rootkey) signing capabilities. These need to be installed in the BIT data center in Ede, Netherlands, and brought under dual control. (A recent report from the software development side was that signing link protocol was improved and is now more reliable, which may enable more forward progress.)
b. To unblock this critical path, CAcert's board has recently tasked Evaldo Gardenali on building the sysadmin team, moving the systems to Netherlands, and putting dual control in place. This will involve spending money, and luckily, the NLnet budget provided for such purposes. More on that as it unfolds!
c. CAcert does not have enough systems administrators to implement dual control, nor to run all the machines, nor to move the critical systems. Evaldo has put out a call for that recently, and he is busy working through early discussions with people. M-SC is going to evaluate the proposals on scheduled meeting 20080327.
3. Assurance
Have you done the Assurer Challenge yet?
The CATS rollout of the Assurer Challenge proceeds with some 300 or more Assurers now through, and the success of your Challenge is now marked into the internal database of CAcert. Next technical steps are to show this status in the member interface. It is also possible to do the Challenge in German!
As you might recall, CATS was rolled out as an independent server so it is a client or supplier of CAcert as far as the software goes. Something about using our client certificates, or dying in the attempt! This is working out well, I think, and a little work done there also saves us a lot of work in the future.
Now that enough Assurers are through the Assurer Challenge, and pretty much all of the needs are in place, there is one remaining major change to make: Deciding when the Challenge is obligatory. For that, M-SC or the CAcert Board will be asked to consider a date. After that, the system will be changed to block further assurances by people who have not done the Challenge. My guess will be within 3 months.
4. Audit Admin
a. Audit criteria are now all online at https://audit.cacert.org/drc/browser.php . Note that you will need a CAcert-issued client certificate installed in your browser to access this site, so best bet is to visit this site while doing the AssurerChallenge (have you been challenged yet?) or immediately afterwards. (Note how we benefit from CATS leading the way with our client certs!)
Yellow is the formal audit criteria (known as DRC). The first white column is the (work in progress) statement of conformance, and the second is explanatory notes. Some simple PHP is used to preserve the original printed presentation of the DRC, and also to record the work comments of the audit.
You will notice that the big red crosses indicate things that need to be done. Yes, there are too many of them!
As time goes on, I might get a chance to add more features than the static selections (checkboxes) and search box. (If there were a PHP programmer in the house this would go faster ) The PHP is located in the svn but don't get excited about the quality or quantity of it!
b. CAcert and I have now agreed on a Memorandum of Understanding for the audit, also located in the Funding svn archive. Nothing much has been done from inside that MoU, and this report marks perhaps one of the first events.
Note that these agreements require CAcert to report to the community roughly every 2 months on how the Audit progress is going. This report may be seen as part of that process, but reports from Audit are always written from a critical perspective.
c. You will generally find the Audit current situation on AuditToDo.
Previous and Next in series of reports.