Audit To Do

Intro

Update Oct 2010
New Roots has been created end of 2008, but failed Audit. So this process needs a action replay.
Software has been splitted into 2 paths: Old Software - Set to maintenance mode - New Software - New design, Project BirdShack. Both projects are running in parallel.
NRP's old D a L was replaced by RDL in July 2010. See action page
See also The Great Big Masterplan to become Audit Ready

Stuff that is Complete is now in Audit/Done. Each item below moves there when complete.

List of tasks that I have to finish off to get closure on the audit.

Task	Status	Comment
Recommended list of audit tasks	new board / SGM	A prioritised and named list of tasks as a work programme. This was more or less dominated by board priorities (finance, data prot., infra-hosting) and in detail was not done.
brain dump	new board	done informally with new directors over skype
DRC	server down	bring the DRC browser up to date so the criteria can be considered an accurate record and/or move it to a better platform
Systems	next	document the preliminary findings, next steps. see above, over-swept by board priorities.
Finance & support	...	document all the in-kind and help for the audit process
Cleanup Doco	ongoing	wiki, SVN

This is the list of things that are outstanding following the path of the first DRC Audit:

Task	Who	Status	Blocking	Since	Comment
Assurance Review	Audit	ATE 2010 tour	.	20100101	Review of Assurance but requires co-audit data.
Notifications	Board + Wytze	Board has requested	Assurance Review	20070830	notify all Members of CCA. See RolloutCommunityAgreement
Software Changes to Website	Board Software	???	Assurance Review	200806xx	b. add checkboxes "I agree to CCA." to cert creation; c. drop wrong/out-of-date contract text; See RolloutCommunityAgreement
Software	Board (PD)	rebuild	DRC-C	20090520	need to review the Software Development progress - did first complete patch to SP 20101005?
Systems - Disaster Recovery	Board	...	DRC-A	200905xx	pending
Systems - Backups	Board	...	DRC-C	200905xx	pending
Support expansion	support t/l	in progress	...	201002xx	complete
Security Policy to POLICY	support t/l, sysadm + policy group	to policy group	...	20090327	taken to DRAFT, some mods needed
Domain / email verification	Board Software	policy decision made	CPS	20081224	needs to implement new p20090105.1 domain/email decision
Root documentation	Board nrTF	incomplete	DRC-C	20090508	review of roots in visit #1 found lacks in documentation and protection
Test New Roots	Board nrTF	wip	DRC-C	20081129	testing of roots

Things that were either deliberately deferred in last Audit, or are routine and regular.

Task	Who	Status	Blocking	Since	Comment
Assurance Work Plan	Ulrich	basics in mini-TOP	future audits	20090517	mini-TOP in Munich laid out the basic problems that Assurance has to deal with over next year
Review of WoT Exceptions - OA, SuperA, TVerify, ...	authors	only blocking themselves	DRC-C		Some of these are being wound-down so may be scrapped by time Audit gets to them
Assurance Handbook	AO	wip	.	2006-06...	Needs to incorporate all from Assurance Policy (now DRAFT)
CN= for OAs	policy	decided	CPS	20060101	policy decision is that all info is verified; now need to fix CPS
Community Reports	CAcert Inc and/or Audit	wip	next milestone	20071226	Ongoing requirement from NLnet. Last from Audit was June 20090623
OrganisationAssurance review	board	deferred	.	20081003	resolve policy questions. Document practices, add verification. Do we need a OrganisationAssuranceManual?
OA root	nrTF	OAP	.	20081003	Create one Assured Organisation subroot.
Member root	nrTF	email/domain checking	.	200801xx	as per DRC. Create one Member subroot.
Webtrust criteria	Auditor	Deferred			Working on DRC only for now, although Board has requested a comment on switching. Also look at ETSI.