## page was renamed from AuditToDo
 . '''THIS PAGE IS MOST LIKELY OUTDATED'''
----
= Audit To Do =

== Intro ==

 * Update Oct 2010
 * New Roots were created at the end of 2008, but failed Audit, so this process needs an action replay.
 * Software has been split into 2 paths: Old Software (set to maintenance mode) and New Software (new design, Project BirdShack). Both projects are running in parallel.
 * NRP's old --(D a L)-- was replaced by RDL in July 2010. See [[Policy/RootDistributionLicense|action page]]
 * See also [[http://blog.cacert.org/2010/10/489.html|The Great Big Masterplan to become Audit Ready]]

----

Stuff that is '''Complete''' is now in [[Audit/Done]]. Each item below moves there when complete.

== Audit-1 Closure Tasks ==

List of tasks that I have to finish off to get closure on the audit.

||Task ||Status ||Comment||
||Recommended list of audit tasks || new board / SGM || A prioritised and named list of tasks as a work programme. This was more or less dominated by board priorities (finance, data prot., infra-hosting) and in detail was not done. ||
|| brain dump || new board || done informally with new directors over skype ||
||DRC || server down || bring the DRC browser up to date so the criteria can be considered an accurate record and/or move it to a better platform ||
|| Systems || next || document the preliminary findings, next steps. see above, over-swept by board priorities. ||
|| Finance & support || ... || document all the in-kind and help for the audit process ||
|| Cleanup Doco || ongoing || wiki, SVN ||

== Outstanding Tasks ==

This is the list of things that are outstanding following the path of the first DRC [[http://wiki.cacert.org/wiki/Audit|Audit]]:

||Task ||'''Who''' ||Status ||Blocking ||Since||Comment||
||Assurance Review||[[Audit]]|| ATE 2010 tour ||.||20100101|| Review of Assurance but requires co-audit data. ||
||Notifications||Board + Wytze||Board has requested||Assurance Review||20070830||notify all Members of CCA. See [[RolloutCommunityAgreement]] ||
||Software Changes to Website||Board [[Software/DevelopmentTeam|Software]]||???||Assurance Review||200806xx|| b. add checkboxes "I agree to CCA." to cert creation; c. drop wrong/out-of-date contract text; See [[RolloutCommunityAgreement]] ||
||[[Software/DevelopmentTeam|Software]]||Board (PD)||rebuild||DRC-C||20090520|| need to review the Software Development progress - did first complete patch to SP 20101005? ||
||Systems - Disaster Recovery|| [[Board]]|| ... || DRC-A ||200905xx|| pending||
||Systems - Backups|| [[Board]]|| ... || DRC-C ||200905xx|| pending||
||Support expansion ||[[Brain/Support/TeamLeader|support t/l]]|| in progress || ... ||201002xx|| complete ||
||[[https://svn.cacert.org/CAcert/Policies/SecurityPolicy.html|Security Policy]] to POLICY || [[Brain/Support/TeamLeader|support t/l]], sysadm + policy group || to policy group || ... ||20090327 ||taken to DRAFT, some mods needed||
||[[http://www.cacert.org/policy/CertificationPracticeStatement.php#p4.2.2|Domain / email verification]] || Board [[Software/DevelopmentTeam|Software]] || policy decision made ||CPS||20081224||needs to implement new [[PolicyDecisions|p20090105.1 domain/email decision]] ||
||Root documentation||Board [[Roots/NewRootsTaskForce|nrTF]]||incomplete||DRC-C||20090508|| review of roots in visit #1 found documentation and protection lacking ||
||Test New Roots||Board [[Roots/NewRootsTaskForce|nrTF]]||wip||DRC-C||20081129|| testing of roots ||

 * ordered roughly in order of importance, and '''bold''' signifies urgent
 * wip=Work in Progress, DRAFT, POLICY are explained in [[http://www.cacert.org/policy/PolicyOnPolicy.php|PoP]]
 * Draft Policies are listed at PolicyDrafts

== Future, ongoing ==

Things that were either deliberately deferred in the last Audit, or are routine and regular.

||Task ||'''Who''' ||Status ||Blocking ||Since||Comment||
||Assurance Work Plan|| Ulrich||basics in [[https://svn.cacert.org/CAcert/Assurance/Minutes/20090517MiniTOP.html|mini-TOP]]|| future audits ||20090517|| mini-TOP in Munich laid out the basic problems that Assurance has to deal with over next year ||
||Review of WoT Exceptions - OA, SuperA, [[ThawteNotary|TVerify]], ... ||authors|| only blocking themselves || DRC-C|| || Some of these are being wound-down so may be scrapped by time Audit gets to them ||
||[[AssuranceHandbook2|Assurance Handbook]] ||[[AssuranceOfficer|AO]]||wip || . || 2006-06... ||Needs to incorporate all from [[http://www.cacert.org/policy/AssurancePolicy.php|Assurance Policy (now DRAFT)]]||
||[[http://www.cacert.org/policy/CertificationPracticeStatement.php#p3.2.3|CN= for OAs]]||policy||decided||CPS||20060101||policy decision is that all info is verified; now need to fix CPS ||
||[[AuditPresentations|Community Reports]]||CAcert Inc and/or [[Audit]]||wip|| next milestone || 20071226||Ongoing requirement from NLnet. Last from Audit was [[Audit/CommunityReport20090623|June 20090623]]||
||[[OrganisationAssurance]] review||board||deferred||.||20081003|| resolve [[PolicyDrafts/OrganisationAssurance|policy questions]]. Document practices, add verification. Do we need a [[OrganisationAssuranceManual]]? ||
||OA root||[[Roots/NewRootsTaskForce|nrTF]]||OAP||.||20081003|| Create one Assured Organisation subroot.||
||Member root||[[Roots/NewRootsTaskForce|nrTF]]||email/domain checking||.||200801xx|| as per DRC. Create one Member subroot.||
||Webtrust criteria||Auditor||Deferred|| || || Working on DRC only for now, although Board has requested a comment on switching. Also look at ETSI. ||

----
CategoryAudit