Iang
Formally, I am an Assurer, co-auditor and an Association member.
Dong!
Board purported to sack me with a document labelled Hearing. For the review of the entire community.
Doing
These are on my A-List:
- Keeping an eye on Policy Group, helping the policies forward.
  - housekeeping: move new and existing DRAFT dox to the main website, and clean up.
  - handling the votes, checking the motions, reviewing the proposals
    - see who the heavy hitters on the Policy Group really are!
  - URL and terms tidyup in all policies
My involvement is far less intense these days.
My B-list is those things that don't directly affect the above priority, but I help when called upon:
- Board. As an appointed-not-voting member I try to limit my input according to these guidelines:
  - watching that CAcert Inc itself is looked after in the eyes of OFT, and
  - explaining past processes and history (below as well)
- explanation of history, etc, and pointing newcomers in the right direction
  - where "right" is a direction somewhat misaligned with "left"
- assisting Assurance Team as and when...
  - I help with ATEs.
  - The assurance project leads to an Audit over the Assurance (called the Registration Authority Audit in PKI-speak)
- aiming at our new Software Team
  - the final frontier - you too can be part of this
  - This was on my A-list, but it's slipped... see below with big push in 2012 summer.
- assisting the Arbitration, Assurance, Events, Education teams
  - a.k.a. making their lives hell
The C-list is those things that I'd definitely do if there were three of me, 34 hours in the day, and a bottomless pot of fine coffee:
- Critical Systems -- preparing for audit against Security Policy
  - This we should look at as an Audit over RA is closing.
- OA need documenting into their new Manual
The X-list is the things I am no longer actively participating in due to circumstances and time:
- Board - resigned at the AGM in late 2012.
- finance
- audit
Caught in the Act
- ATEs:
  - Brisbane was split in two. The Intro also included the talk on Client Certs and a new talk on something else?
  - The two parts were captured in video: Intro - Making SSL Accessible and ATE proper.
  - following on from Prague, Budapest, Paris, London in 2009.
- Lightning Talk at Fosdem 2010 entitled "Client Certificates and SSO, the old-new thing". Notes that went with the talk. See also the Slides at ODP source and PDF output.
- plenty of Audit Presentations.
  - October 2008, Invited talk at LISA08: "An Open Audit of an Open Certification Authority", covers history of CAcert from 2006 to 2008.
Done!
- I did a risk analysis on the roots project. This was as an academic project leading to a Dipl. Security & Risk Management.
- In (Northern) summer of 2012, I and an intern worked on the BirdShack project.
  - got the basic object and requests up and going in the Ouroboros framework. This was mostly the task of our intern.
  - Documented the above Ouroboros pattern, a task that had been bugging me for many years. This was joint work with the intern.
  - Upgraded an Object database to support the REST/CRUD framework of the BirdShack middleware server. This was my work. The original ODB came from old corporate work, and was the authorship of Jeroen vG. The upgrade included software mirroring, better log distribution over files, replacements and deletions.
  - the BirdShack middleware server is in reasonable shape, but is somewhat useless without a frontend website to drive it, and backend signing servers.
- I worked on a community site called fiddle
  - collected 100s of questions in there for work on future challenges.
  - collected co-audit information.
  - held the risk-analysis processing.
  - it was also a testbed for many ideas.
  - unfortunately I was unable to maintain a working, up to date Linux distro, so it fell off the net. Maybe one day I'll get it up and going on my Mac Mini which is far more robust.
- Internal Audit work
  - I worked from mid-2009 until end 2010 to bring CAcert to a state ready for an Audit over Registration Authority
  - (This would be with a new external and independent Auditor.)
  - As of 2010, CAcert entered a state where such an Audit could be attempted.
- Member of the committee a.k.a. Board from mid 2009 until late 2011 (whenever the AGM comes up).
- Programmed the management of Audit Criteria - project CrowdIt!
- Policy Blitz
  - CCS now in DRAFT
  - I've written Editor's Guide to Good Policy.
  - I've re-organised the policy area in this wiki. Next step is to go through all the other pages on the wiki and re-org them into the new arrangement. This is a project that was identified late last year, but I didn't have time for it then.
  - Yo! SP goes to DRAFT. Again.
  - Happy days ... we now have a Root Distribution License in DRAFT, written by Mark Lipscombe. This replaces the old 3pv-DaL which I had written and developed over a long time, and the NRP's old document which has been struck down.
  - Helping to get the TTP back on track with the new now-in-DRAFT TTP-Assisted Assurance Policy.
- AGMs:
  - I've written the Diary for 2010 and the Board report parts so as to help the next Annual Report.
- ATEs:
  - Over 2010-2011, I gave 4 in Australia: 2010 ATE in Sydney, Canberra, Melbourne and a rather wet Brisbane.
  - 2 in USA at Washington DC and also Rutgers, south of New York, period June 2011.
- I was temporary Support Team Leader from m20091116.2 to m20100222.1. During those three months I documented the processes at Team, introduced the Triage team, brought in new team mates, liaised with Arbitration, and watched while the new team dived into OTRS. Zoom! This crew has overtaken me, so I step aside and hand over to Neo.
- Birdshack: I've started copying the doco from Innsbruck MiniTOP into our SVN repository.
(Note, this above list only covers the period after the Audit termination, mid 2009.)
History: the Audit
I undertook the role of independent auditor from 20060101 until resignation 20090612. So as to meet the requirements of Audit, this work involved (a) helping CAcert to prepare all of the policy documentation, (b) helping to change CAcert's structure, and then (c) conducting (part of) a review of operations against that documentation. Here are some highlights:
- I observed and helped on the design of a new membership and community structure for CAcert that would meet the diverse requirements of all stakeholders. This is now embodied in CAcert's foundation documents (CCA, PoP, DRP, NRP's old D a L).
- I was part of the Advisory that helped CAcert back on its feet throughout 2007.
- I participated in the TOP of September 2007.
- I was observer on many of the processes of CAcert, including ManagementSubCommittee, Arbitration and many mailgroups.
  - To push the policies into gear, I have been a persistent poster on the policy mail group.
- In October 2008, I was invited to talk at LISA, in San Diego. I presented "An Open Audit of an Open Certification Authority" (very long!). This is a good history of CAcert from 2006 to 2008.
- As part of Audit's review of Assurance, I travelled to many cities and directly tested over 100 assurers. These results were presented at 20090517 MiniTOP on Assurance in Munich, and may have inspired the creation of the co-audit concept and team.
- I observed the systems transition from Sydney to Vienna (two locations) and then to Ede, Netherlands.
  - I have visited the BIT facility many times. The most recent was the first audit review visit, 20090507.
Early 2009, enough documentation and enough practice was in place for the audit proper to start up. Unfortunately, this created too much of a strain on the organisation, and the budget, and the audit had to be terminated July 2009.
For these and other reasons I can no longer work in the role of independent Auditor for CAcert.
My many pages on Audit provide a wealth of information on what to do next. See AuditToDo for the running state, HelpingCAcert for general ideas, or ask me. The big numero uno planetary most-wanted target for Audit is: Software. Coming to a conclusion near you. Apply now for your ticket.
Other stuff
- long-time poster now lurker on Mozilla's crypto / policy groups. I helped Mozilla to write their CA policy.
- BSc(Hons) in computer science from Uni. NSW, the spiritual birthplace of Australia's Unix tradition. I spent much of the period up to 1995 doing Unix work of one style or another.
  - MBA from London, 1996. Lots of finance, marketing, econ, HR, etc.
  - Dipl. Security & Risk Management from ASEC in Canberra.
- From 1995, I got into Financial Cryptography, as architect and builder of money and finance systems. Good solid crypto stuff, solid (and I do mean solid) messaging, oodles of Java, with some Perl and PHP.
  - writer of various papers published in various forums.
  - critic of PKI on both an observations level and a more serious survey in a paper form.
- I've lived in about 8 different countries across Europe, Americas, Australia, and there's still time for another 8 or so.
  - Now checking out Africa, working on a WoT/money/android project.
- I was part of Sonance, a foundation of artist-techies, which had a supporting role helping CAcert's hosting December 2007 through September 2008, and now provides a test VM.