[nycbug-talk] emails. ..

G.Rosamond george
Tue Jul 6 15:56:42 EDT 2004


there's two emails in here. . .

Begin forwarded message:

> From: Duane <duane at cacert.org>
> Date: July 4, 2004 1:29:22 AM EDT
> To: "G. Rosamond" <george at sddi.net>
> Subject: Re: [Fwd: Meeting Minutes from BOF]
>
> G. Rosamond wrote:
>
>> On Jul 4, 2004, at 1:07 AM, Duane wrote:		
>>> We have a fair bit to talk about... You might want to try and get 
>>> hold of some security guys to work out the full implications 
>>> expressed in the email I'm forwarding to you, I disagree with a lot 
>>> of it but I'm currently out numbered...
>>>
>> i browsed through it quickly. . .
>> what are your specific disagreements?
>
> Big one is point 9, issuing of sub-root certificates could get our 
> root cert excluded from any kind of inclusion with browsers, but other 
> ones are handling of data backups by non-security guys, last thing we 
> need is a data breach of any kind, even if they can't break the server 
> they just need to break a windows box one of these guys gets copies of 
> info to, again would reduce our chances for inclusion... I need sleep, 
> but yea, find your nearest paranoid security guy and ask his thoughts 
> on it...
>
>
> -- 
>
> Best regards,
>  Duane
>
> http://www.cacert.org - Free Security Certificates
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://happysnapper.com.au - Sell your photos over the net!
> http://e164.org - Using Enum.164 to interconnect asterisk servers
>
> "In the confrontation between the stream and the rock, the
> stream always wins; not through strength, but through persistence."


Begin forwarded message:

> From: Duane <duane at cacert.org>
> Date: July 4, 2004 1:07:55 AM EDT
> To: "G. Rosamond" <george at sddi.net>
> Subject: [Fwd: Meeting Minutes from BOF]
>
>
> We have a fair bit to talk about... You might want to try and get hold 
> of some security guys to work out the full implications expressed in 
> the email I'm forwarding to you, I disagree with a lot of it but I'm 
> currently out numbered...
>
> -- 
>
> Best regards,
>  Duane
>
> http://www.cacert.org - Free Security Certificates
> http://www.nodedb.com - Think globally, network locally
> http://www.sydneywireless.com - Telecommunications Freedom
> http://happysnapper.com.au - Sell your photos over the net!
> http://e164.org - Using Enum.164 to interconnect asterisk servers
>
> "In the confrontation between the stream and the rock, the
> stream always wins; not through strength, but through persistence."
>
> From: "Christian Barmala" <christian at barmala.com>
> Date: July 2, 2004 12:13:12 PM EDT
> To: "Duane Groth" <duane at groth.net>, "Robert Cruikshank" 
> <robert at cruikshanks.net>, "Adam Butler" <adam at adambutler.net>
> Cc: "Teus Hagen" <teus at NLnet.nl>, "J. Wren Hunt" <wren at hunt.org>
> Subject: Meeting Minutes from BOF
>
>
Hi,

Hereby I send you the meeting minutes from yesterday evening. Duane 
suggested to publish it on our mailing list. I back this up, because it 
shows our openness and democratic structure, however I want to avoid 
miscommunication and fights in public, because this looks just 
unprofessional and statements which have to be revoked confuse our 
community unnecessary. There is nothing wrong with disagreement, this 
is democracy, but no personal attacks please. Therefore

A0.1 (all): I want a "yes" from you that what I wrote down following 
this preface is actually what we discussed or I want the corrections 
before we make this public.

Duane made a valid point that our decisions might be invalid, because 
we didn't communicate an agenda prior to the meeting to give everyone 
the chance to prepare. Therefore:

A0.2 (all): If anyone wants to fight these decisions because of formal 
errors, he should speak up now. Otherwise I ask you to give permission 
to the agenda after the fact.

Since the numbering in my notes and the numbering on the overhead 
projector was different and some topics have a relation that we didn't 
take into account when we set up the agenda, I took the freedom to 
renumber the topics. I also included some topics, which we discussed 
already over email. I hope this won't be considered a formal error.

Legend: A (who):= Action Item to be done by whom.

---- To be published ----

Boston, Thursday July 2nd 2004 following the BOF session we discussed 
some topics regarding the technical an organizational structure of 
CAcert.

1. Formalization of association rules

1.1. Proof of non-profit

Changes are necessary for taxation reasons. Duane suggested these 
changes via email, but we postponed it because preparation of Usenix 
had priority. These changes have to make sure: Members can't profit 
directly or indirectly from the association, if it is dissolved all 
assets are transferred to a similar non-profit assoc.

This might also touch employment laws, because if CAcert was a 
business, membership might count as 2nd employment.

We want a full review, not just the 2 topics spotted by Duane, because 
a change of the rules require a 100% vote and this will be hard to get 
once we have more members.

A1.1 (all): Review and discuss the Association Rules 
(http://www.cacert.org/legal/CAcert_Rules.pdf) + Duanes' Email within 2 
weeks and get an intermediate status (do we need more time? Which 
issues are discovered so far?)

A1.2 (Teus): Teus sends list with his current concerns until end of the 
week.

A1.3 (all): Once we settled how we want things to be, we will have it 
reviewed by an Australian Lawyer

(Teus mentioned a Californian Lawyer who might be willing to do some 
work pro bono. I suggest to save this opportunity for a review of the 
RFC2527 policy, once it's finalized, because the policy might touch 
many international issues while the association rules are purely 
Australian.)

1.2 Voting Structure

Who has a vote in which subject? No extra action, covered by A1.1

2. Financial reports

We have income from Google ads, PayPal donations, NLnet, shared 
infrastructure. Up to now, no one was explicitly appointed to be the 
Treasurer. The role was shared between Duane and Robert. We prefer to 
have someone responsible for this and Robert agreed to do this.

A2.1 (Robert): If Robert needs additional access or information, he 
will communicate this within 2 Weeks

A2.1 (Robert): Regular (once a quarter?) financial reports by Robert 
published on the mailing list.

3. Steering committee

Establishment of a steering committee consisting of non board member 
power of this committee to be determined

A3 (Teus): Partially covered in the rules, Teus will check it.

-- Shared access/control over the infrastructure by the board members --

4. Regular backups of server to multiple board members

4.1 The source is intended to be made public anyway.

Despite of the open questions to which extent dynamic content is 
covered by existing public licenses we agreed already, that we will 
start with a combination of GPL and FDL.

A4.1(Duane): Create a tar-ball of the relevant files.

A4.2 (all): Discuss to which extent a CVS makes sense. Teus and Wren 
offer their experience and advice.

4.2 The database and root cert to board members only

A policy has to be set up, what these board members may do with these 
assets and how the are obliged to protect this sensitive information.

A4.1(Duane): Come up with suggestions for such a policy within 2 weeks.

A4.2 (all): Decide who will be these members (Suggestion: Robert, Adam)

A4.3 (Duane): Technically implement the backup as soon as the policy 
has been agreed on.

5. Root access to 2 other directors

  Currently CAcert is a guest on Sydneywireless's server. Therefore only 
Duane has root access. By donation of Nlnet we will have our own server 
soon.

As soon as the new server is installed 2 Members will get root access. 
Currently this is not possible, because this is not our server. By the 
way: The 2nd machine, which holds the root cert and is only connected 
via serial link, is a Laptop donated by Robert.

A5.1 (Duane): In two weeks Duane will give us an intermediate status of 
the installation of the new server

A5.2 (all): Decide who will be these members (Suggestion: Adam 
Christian)

6. Physical access to the site.

The location is sponsored by Duane's employer. Usually no one external 
has access to the Site. Duane as an employee has access.

  A procedure has to be set up, how someone beside Duane can request 
access to the site, in the exceptional case when it should become 
necessary.

  A6.1 (Duane): Will document the organization that has physical control 
over the system, communicate contact information, communicate the 
procedure to send a representative. He will give us a progress report 
by 21 july

A6.2 (Christian): As soon as Duane documented this, Christian will put 
it into the RFC2527 policy template.

7. Domain name control to 2 other directors (Robert, Adam)

A7 (Duane): Within 2 weeks Duane will transfer domain ownership to the 
association.

Discussion among the user community

8. Privacy issues with government document copies

Is it necessary/beneficial to keep the documentation or are the privacy 
issues too high? It was proposed just to store a hash of some document 
data. It was also suggested to attach an expiry date to this hash, 
which would force users to reidentify regularly. It was also discussed 
how to handle organizations rather than individuals. Suggestion: 2 
board members of the organization have to be authenticated by CAcert 
and a copy of the incorporation statement has to be sent to CAcert. No 
decision has been taken. This is just a base for future discussion.

-- Duane had to leave the meeting, to care for our server, which has 
been slashdotted. --

9. Do we want to issue sub CA certificates?

The question came up, because our partner, eGroupWare, has a project in 
a large government organization. In addition several Universities 
approached us with this request. These organizations ran their own CA 
for years and thus cannot be convinced to give up this working solution 
and make them dependent on our web site. Although this raises several 
policy issues, we agreed on the statement: "Cooperation with other 
organizations is in the interest of CAcert and in line with our intent 
to provide a service to the community. We will decide on a case by case 
basis which benefits come fro the specific organization and to which 
extent their policy matches our policy."

A9.1 (Christian): Communicate to eGroupWare that we are willing to 
consider to issue them a sub CA certificate. Ask them to send their 
policy to CAcert for review.

A9.2 (all): Within 1 month after submission of eGroupWare's policy 
decide if we accept it or if not, what has to be changed. (The timeline 
might be extended, in case we have to prepare for another event)

---- End of Publication ----

I noticed that a lot of action items have to be done by Duane. This is 
because he founded the system and got everything running. The actions 
above are meant to share the control and unload some workload from him. 
As the one who coded the system he will still be the one with the most 
knowledge over the system and some work and information flow still has 
to go over his desk.

Special thanks to Wren for proof reading this document.

Christian





More information about the talk mailing list