times in UTC+11
[8:05:42] ok - i'll chair. let's get going. meeting started at 22:05
[8:05:47] am here. but actually otherwise busy...
[8:05:57] lambert?
[8:06:07] mark will not come
[8:06:11] apologies in from mark
[8:06:29] lambert = Q
[8:07:18] point of order - 4 board members obviously active - calling that a quorum
[8:07:38] 1.2 accept previous minutes? any alterations?
[8:07:39] yes we have a quorum
[8:07:57] any objections?
[8:08:14] Hi all
[8:08:16] I have no objections, move we accept
[8:08:33] aye on accept (hey i wrote them )
[8:08:38] aye
[8:08:39] aye
[8:08:48] and aye
[8:08:58] 1.3 progress on action items
[8:09:14] point of order: now president is here, do we wish to change the chair?
[8:09:22] Excuses, I have 23.00 in my schedule
[8:09:23] I have no objection to carrying on!
[8:09:30] (Lambert)
[8:09:41] So sorry for being late
[8:10:04] ok - don't know where mark is up to - i did sign the financial lodgement statement.
[8:10:57] mark agreed to write an Oophaga letter and i don't think we've given enough of a board direction - let's revisit board/community goals on list
[8:11:04] Regarding chair: dan, could you please continue, will pick up next meeting
[8:11:13] ack
[8:11:32] we'll carry the unfinished action items over.
[8:11:38] what is the "financial lodgement statement" ?
[8:11:59] lodging to the office of fair trading our balance sheet
[8:12:05] iang - we have to fill in a duty of the public officer
[8:12:19] iang, after an agm
[8:12:29] i signed on behalf of the board - it's all with mark now.
[8:12:32] iang, as usual in real life
[8:13:01] ok, but when you say "signed", does the OFT accept it signed by someone other than PO?
[8:13:08] or is this an electronic delivery?
[8:13:18] iang, yes
[8:13:25] iang, yes
[8:13:29] it has to be signed by two board members as well. I signed a paper copy
[8:13:46] let's ask mark for the full details later
[8:13:50] ok
[8:13:53] dan, you can also do electronic-way
[8:14:14] 1.4 - board-private-list summary - can we have a volunteer for that?
[8:14:48] I'm still wondering about this list 1.3
[8:14:54] Dan, question: what about the Oophaga letter (part of 1.3)
[8:15:10] ok back to 1.3
[8:15:16] do we have any comments from Mark about actions completed? I have pinged him about it and got an indication that he was busy
[8:15:26] and ...Mark inherited the lion's share here.
[8:15:52] mark was to write something however given it was giving cacert direction and not much has been said about this year's goals
[8:15:54] other point, we haven't spoken last time about the next steps
[8:16:04] ernie: nod
[8:16:15] Q1 [Q@k30092.upc-k.chello.nl] has joined #board-meeting
[8:16:33] dan above says: "mark agreed to write an Oophaga letter and i don't think we've given enough of a board direction - let's revisit board/community goals on list"
[8:16:51] (SORRY, CONNECTION PROBLEM, WHAT DID I MISS?)
[8:16:54] iang, that is what I'm thinking
[8:16:58] (sorry for caps)
[8:17:09] I agree with that, I don't think we can do much else. What I would suggest is that someone copies the annual report comment on "future" and we start from there?
[8:17:23] iang, a little bit less
[8:17:42] we have to define these steps once - and this now - not in six months
[8:17:51] (missing lines sent to Q in private chat)
[8:17:56] Q [Q@k30092.upc-k.chello.nl] has quit IRC: Ping timeout: 180 seconds
[8:18:17] well, that would be in response to the starting point
[8:18:43] e.g., we copy what was said in the annual report into a mail to board list and then start commenting. Another possibility is to start a wiki page on it.
[8:18:51] yep good starting point. ACTION all - do last action item - comment on board direction in the next 5 days
[8:18:58] i really don't mind how it is done, just suggesting a way to start
[8:19:10] iang - prefer wiki - better to follow up
[8:19:17] ok
[8:19:31] so that's the Oophaga letter.
[8:19:52] the response to them that they sent to us last year
[8:20:21] is there any news on payments, payment facilities, signatories, bank statements?
[8:20:33] mark is not here
[8:20:47] I haven't heard anything
[8:20:56] so, no news. OK.
[8:20:58] iang, did he make your payment
[8:21:04] let's get mark to fill out the action item table later.
[8:21:18] actually this I don't know, haven't looked in to the bank account, I've also been remiss on this.
[8:21:20] statements he sent to me
[8:21:25] any other action item discussions?
[8:21:33] ah so statements are complete. That's one checkbox.
[8:21:53] yes, one more: letter to former public officer? I'm guessing no action?
[8:22:01] s/action/news of action/
[8:22:11] don't know
[8:22:18] let's get mark to fill out the action item table later.
[8:22:54] ok - 1.4 board private summary - do we have a volunteer to do it?
[8:23:06] ok, are we agreed to add the action item table to the procedure? I'm fine with it, it is very useful.
[8:23:22] if mario's not looking i think it's fair to volunteer him :-)
[8:23:48] I could write a summary of board-private.. (if i got it right)
[8:23:56] thanks :-)
[8:24:11] since when?
[8:24:12] law: the thing is to add a list of Date/Who/Subject only
[8:24:19] law - last meeting
[8:24:21] not a summary ... although I don't object if you do :)
[8:25:09] 2.1 - payment authorities - iang you mentioned this in passing last meeting - i wasn't sure what this was about?
[8:25:27] i'm not sure either, I was hoping you could clarify what that was :-)
[8:25:50] in the text it was 'i'll talk more next board meeting'
[8:25:56] it may be that following the rule change we the board have to formally authorise who in the membership can make a payment
[8:26:05] we said, we will handle after the bank have done the "old" thing
[8:26:19] because mark said, bank will be confused
[8:26:19] it also may refer to Paypal, which we've not really discussed in a while.
[8:26:20] we probably covered that last meeting - hope the bank bureaucracy works
[8:26:41] ernie: seems like the right way, first get it solved (the old way), then assign someone
[8:26:44] ah. so this is the issue of adding more signatories after the bank has finally done its stuff.
[8:26:54] Q1, agree
[8:27:09] so it can be deferred to next meeting.
[8:27:16] iang, we agreed this last meeting
[8:27:18] ok
[8:27:28] 2.2 agm resolution - cost of payment facilities
[8:27:58] our costs are not too high
[8:28:07] non-binding resolution asking us the board to look at it. I wrote this resolution so as to test the community's degree of unhappiness with the current situation.
[8:28:33] ernie: it is the member's costs ... the paypal and transfer problems
[8:28:35] what do you make of the result: agm20100130.5.1 Aye 23 Naye 10 (Abstain 7)
[8:28:41] I guess one of us has to look into it and report back: current cost, cost of alternative.
[8:28:51] iang, one is always paying the bank-fees
[8:28:53] Both for CAcert, and for (majority of) members
[8:29:15] Q1, I wrote already in the annual report
[8:29:19] I would say that many northern hemisphere people would be more comfortable with a regional account. Paypal works for many, but I note that many members I know ask me to pay
[8:29:48] iang, we have not so many volumes -
[8:29:52] Q1: yes. I'm wondering whether we can also share the task out
[8:29:55] you can't split over the world
[8:29:58] ernie: you already have such an overview?
[8:30:27] Q1, I wrote already what one transaction costs us - in the report you see the fees for the whole year
[8:30:28] in that ... one way to further test the feeling is to ask the people who are upset to do the research for us.
[8:30:40] board can delegate this task, IMO
[8:30:53] iang, you don't agree with the solution we have now - that's my feeling
[8:31:00] iang, think not
[8:31:20] well, as a representative of the members, I hear lots who don't like it.
[8:31:28] nb_ [nb@67-207-150-49.slicehost.net] has joined #board-meeting
[8:31:30] personally I'm fine with it because I have an Australian account.
[8:31:41] we get payments out of 31 countries - and this you can't split over the world
[8:31:43] nb_ [nb@67-207-150-49.slicehost.net] has set mode +o nb
[8:31:45] nb_ [nb@67-207-150-49.slicehost.net] has set mode +o iang
[8:31:46] <@iang> and I don't use Paypal. I sympathise with the complaints
[8:31:47] nb_ [nb@67-207-150-49.slicehost.net] has set mode +o ernie
[8:31:47] ernie: you included current cost, did it also include cost of an alternative?
[8:31:51] nb_ [nb@67-207-150-49.slicehost.net] has set mode +o dan
[8:32:03] nb_ [nb@67-207-150-49.slicehost.net] has set mode +o Q1
[8:32:17] <@Q1> ernie: if so, we can use that. I agree that adding accounts is expensive,
[8:32:26] nb_ is only kind of here, have to leave for a special event at church in about an hour
[8:32:33] <@Q1> ernie: so it's best to address this with numbers
[8:32:33] <@iang> Sure, but around half of the members are in Europe, and this we can concentrate
[8:32:41] <@ernie> Q1, the alternatives will cost us not less, but more work - somebody has to collect when we have to pay
[8:32:55] <@ernie> Q1, and we have to administrate
[8:33:08] <@iang> Q1: nod. I think it is a matter of doing some research. If it is too expensive, then that's the time to deal with it, when we have numbers on the table.
[8:33:09] nb_ would be in favor of opening a US account, although that wouldn't really gain a whole lot since wire transfers are expensive even sending to another US bank
[8:33:47] <@ernie> other point is, cacert can't open as cacert all over the world accounts
[8:33:52] <@Q1> iang: it's my expectation that it will cost a lot (and as such I agree with ernie) but we'll have to "show the numbers"
[8:33:58] <@ernie> we haven't a location in several countries
[8:33:59] ernie, why not?
[8:34:04] <@iang> nb_: that's the sort of comment we need, how much does that cost, and what's the most pan-USA account?
[8:34:18] iang, my credit union is part of a network of shared branches that go all over the USA
[8:34:19] <@dan> if we incur extra expenses i'd be asking our membership to cover it.
[8:34:20] and it is free
[8:34:23] <@Q1> nb: you need local presence
[8:34:25] all we would have to pay is for checks
[8:34:43] no banking fees as long as we don't write over 30 checks a month
[8:34:58] no fees to us, rather
[8:35:05] <@iang> hmm... checks are still common in USA? What is the deposit cost in all the various states?
[8:35:13] <@dan> how much does an international t/fer cost?
[8:35:13] <@ernie> nb, but we don't have a legal location in us
[8:35:20] <@Q1> nb: who would be able to provide such info?
[8:35:36] <@ernie> dan, depends on the country and bank and which kind of transfer
[8:35:37] <@iang> i don't think a legal presence is needed to open a bank account in USA
[8:35:41] iang, i don't either
[8:35:45] <@iang> but it might have changed in the last few years
[8:35:46] <@ernie> iang, it is
[8:35:51] <@iang> dunno, need to check
[8:35:59] <@iang> ernie: ok, do you know when that changed?
[8:36:07] <@ernie> iang, as in other countries too if you have an account as cacert
[8:36:17] ernie, iang Q1 dan does anyone object to me asking one of the bankers for more info?
[8:36:24] <@Q1> In general, I guess the best way to address this is to come up with an overview, showing what is possible and what not (for instance: an account in a country where we have no legal presence) and the costs of all the alternatives
[8:36:48] <@iang> nb_: I agree, research is good. Q1: yes
[8:36:51] <@ernie> it is a business-account and not a private account
[8:36:58] <@dan> nb: by all means get more info
[8:37:19] <@Q1> Yes, make sure whoever checks is checking for a business account
[8:37:25] <@ernie> and other point, how easy you could transfer from a business-account USD to an other country
[8:37:44] we would need a mailing address in the US (which could be provided by a cheap PO Box which costs about $40/year)
[8:37:46] <@dan> do we have a cacert-eu association that can wire us money on behalf of joint members when needed?
[8:38:04] and if i, or whoever is in charge of the US side, is no longer involved, mail can be forwarded for a 1 yr period for free
[8:38:07] to another US address
[8:38:08] <@ernie> Q1, without legal location in this country!
[8:38:09] <@iang> dan: yes, there are 3-4 possibilities
[8:38:22] <@dan> cool - can you ask them ?
[8:38:22] <@iang> Oophaga, secure-u in DE, Sonance in Austria
[8:38:45] <@ernie> iang, ahh - we put our money on another account
[8:38:46] <@iang> Oophaga: is something we should put into the letter to them.
[8:38:59] <@dan> would there be much overlap in membership there?
[8:38:59] <@iang> Sonance would be amenable to helping out, I think.
[8:39:01] <@ernie> we have no control on such accounts what people really paid in there
[8:39:06] <@iang> Secure-u is somewhat quiet and uncertain.
[8:39:22] <@ernie> accounts not in our name, are not legally binding to us
[8:39:27] <@iang> ernie: right, these are all discussions to be had
[8:39:40] secure-u exists. but is kind of inactive - lacking active members i think.
[8:39:48] <@Q1> Sorry, I have to agree with ernie, we cannot just rely on others to provide financial services, that will be frowned upon
[8:39:49] <@dan> we'd want them to t/fer to us when memberships are finalised.
[8:40:10] <@iang> in technical terms there is little difference between Oophaga and Sonance ... they are either very close to CAcert or slightly close to CAcert ... but they are *NOT* CAcert
[8:40:34] <@iang> Q1: sure. just answering Dan's question as to what's out there :)
[8:41:06] <@ernie> Q1, we can't do this - is no way
[8:41:06] iang, dan Q1 ernie law I am semi-here right now, must go outside for a minute, will check back in shortly
[8:41:10] <@dan> just looking for options without an administrative or financial impedance that goes some way to fulfilling need
[8:41:11] Would a german account be an option? I would get some information then. What AU bank do we actually have, was it westpac?
[8:41:24] <@dan> yes - westpac
[8:41:32] FYI credit union I use (and has good business accounts too) is http://www.etfcu.org
[8:41:41] they are part of the CU Service Centers network which is nationwide
[8:41:50] <@iang> so ... shall we take it offline and confer when we get more info?
[8:41:57] <@Q1> This discussion is good, but not getting us answers. Do we have volunteers that can report back next meeting?
[8:42:03] <@ernie> and we are speaking about 250 transactions per year - average - mhh forgot
[8:42:05] Q1, yes, i will look into US options
[8:42:29] Deutsche Bank has good contracts with westpac I think - at least for withdrawing money with card at westpac.
[8:42:41] <@dan> ok - nick for us options.
[8:42:48] <@ernie> law - not really - only transaction bank
[8:42:59] <@ernie> westpac has only in london
[8:43:01] <@Q1> Ok, NB to look into US options, law, iang, can you check for european options?
[8:43:30] <@Q1> We'll then compare with data from ernie, and see what we're missing
[8:43:41] <@Q1> I volunteer to lead this
[8:43:56] <@dan> is utilising a third party organisation viable/desirable?
[8:44:04] <@iang> Q1: I doubt I can do that so well as others, wrong languages on bank account sites ... but I can help to ask around.
[8:44:15] <@Q1> That would be part of the discussion
[8:44:23] <@Q1> iang: ok
[8:44:39] <@iang> but I think we've established the basics here
[8:44:40] <@ernie> dan - how do you mean this
[8:45:22] <@dan> is asking oophaga, secure-u in DE, Sonance in Austria to handle transactions something we even want to consider?
[8:46:10] <@iang> dan: we can consider it ... but there are issues to work through. They might have to be members of the association according to one reading of the rules.
[8:46:13] <@ernie> dan - no
[8:46:14] <@Q1> dan: I'd say that is something ernie can look into from a legal point of view
[8:46:23] <@Q1> I expect this to be an issue
[8:46:27] <@iang> and there would need to be a contract and reporting as well
[8:46:28] <@ernie> Q1, I must not look - I know :-)
[8:47:06] <@dan> ok - that should cover it - few action items there. move on?
[8:47:20] <@Q1> ok
[8:47:29] <@dan> 2.3 support - ian
[8:47:47] <@ernie> iang, you can't handle with a contract
[8:47:56] <@iang> I posted the notes here: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00070.html
[8:48:45] <@iang> can we assume them as read into the minutes? or do I have to bomb the IRC with them :)
[8:48:55] <@dan> please don't
[8:48:57] <@Q1> I read them
[8:49:51] <@dan> thanks for the background / plan. good to see what's going on.
[8:50:11] <@iang> small addition: add to 2.a, I think I can propose two new SEs, but I think I'll talk to Michael about this, pending 1.
[8:50:39] <@dan> so you want Michael Tänzer as team lead/
[8:50:40] <@dan> ?
[8:51:02] <@iang> Yes. I've talked this over with Wolfgang and with Ulrich, and we're agreed on this
[8:51:15] <@iang> Michael has done very well, he wrote the report for the team to the AGM report
[8:51:29] <@ernie> regarding OTRS - since this system is new - where is the description how the workflow from the support is in the system
[8:51:38] <@ernie> and how does it comply to the SP
[8:51:47] <@iang> he's also got lots of time over next 2 months as he is a student at Uni
[8:52:02] RE: Keypersons list, I need to finish the excel spreadsheet i was making and emailing it out
[8:52:10] i kind of forgot about it, my apologies
[8:52:19] <@iang> OTRS: workflow description doesn't exist, this is 2.b
[8:52:58] <@ernie> support challenge - which kind of challenge
[8:52:59] <@dan> can we get team lead out of the way first - i'm happy for michael to be tl
[8:53:01] <@iang> it is very needed in my opinion, I find OTRS hard to get into. But Michael and others haven't had as much trouble it seems
[8:54:02] <@iang> comply to SP: the Security Manual needs to list the channels and tools used. there is a potential question as to whether the OTRS should be a critical system (hosted by critical team).
[8:54:11] <@iang> I'm not so keen on doing that, but it's a question to ask.
[8:54:12] <@dan> anyone want to put comments about michael here? Then put a resolution on the board voting system?
[8:54:13] <@ernie> iang I'm expecting since we have changed from email to OTRS, that we have a description about the system and security about this system
[8:54:42] <@iang> There is also a question on the table as to whether Triage people should be fully under Security Policy including with respect to ABC.
[8:55:23] nb_ moves that Michael be appointed as support team leader and that iang's resignation as support team leader be accepted
[8:55:24] <@dan> is that a policy group question?
[8:55:26] <@iang> ernie: ok. we can put that to the team, and provide something
[8:55:26] <@ernie> iang, who is admin for OTRS
[8:55:36] <@iang> Nick and Mario are admins for OTRS
[8:55:36] ernie, law, iang and myself
[8:55:37] iirc
[8:56:03] <@ernie> iang, and who will handle access control
[8:56:04] right. bas stepped back. but have not heard from him anything till then.
[8:56:15] <@iang> (ok, yes, I have an *application admin* account ... but Nick and Mario have the access to the underlying system I think.)
[8:56:19] <@ernie> iang, roles and permissions on the system
[8:56:48] iang, true
[8:57:02] <@iang> technically, the SP says that critical system team leader is in control of access control I think from memory
[8:57:20] <@iang> but at the moment, roles and permissions are: Mario, Nick, myself.
[8:57:30] nb_ and law have access to the actual server, and law and iang and I have access to admin features in OTRS (like adding new users)
[8:57:37] ernie, ^^
[8:57:46] <@ernie> iang, support has also different roles and permissions - who controls
[8:58:08] <@iang> do you mean, who controls the roles and permissions of user accounts? All SEs have that feature.
[8:58:37] <@iang> SE== Security Engineer
[8:58:41] <@ernie> iang, normally you have in a system different roles and permissions to control who has access to which
[8:58:52] <@Q1> (just verifying: the OTRS is part of CAcert non-critical, right? Not like fiddle.it?)
[8:59:02] <@ernie> and this must be written down - since at the support also private data will be handled
[8:59:14] <@iang> OTRS is a CAcert infrastructure system, yes. Not a community thing
[8:59:37] <@ernie> iang, you are mixing up something OTRS is used to handle support
[8:59:56] <@ernie> iang, and is not only infrastructure
[9:00:23] <@iang> i don't follow your question
[9:01:20] <@iang> there is a basic set of instructions for adding the access for new team members (Triage and SEs) on the team leader's page
[9:01:27] <@iang> https://wiki.cacert.org/Brain/Support/TeamLeader
[9:01:47] <@iang> the fundamental assumption is that the team leader is responsible for managing who has access to the OTRS system.
[9:02:24] <@iang> however the team leader's notes are a bit behind in this respect because OTRS is new. The team leader's notes will be updated as I hand the team over to Michael.
[9:02:25] <@dan> is the otrs compliant with SP and SM? is there a plan in place to clarify Triage persons' roles under policy?
[9:03:11] <@iang> I do not know whether SP speaks directly to OTRS. It didn't really comment about the mail system ... either way we can look at this and report back.
[9:03:34] <@dan> sounds good.
[9:03:47] <@iang> Triage persons: in a debate to the policy group, I outlined how and why I was going forward to add Triage people without them being covered by ABC. There were no objections at the time.
[9:04:11] <@iang> However, some have said we need to re-visit that. We can do that ... it's on the list somewhere
[9:04:30] <@dan> thanks.
[9:04:42] <@dan> any more support questions?
[9:04:45] doris [doris@85-127-106-15.dynamic.xdsl-line.inode.at] has joined #board-meeting
[9:05:22] <@dan> 2.4 assurance
[9:05:25] did we vote on the STL appointment
[9:05:25] <@Q1> iang: do I understand correctly that you (or Michael) will update the notes on access?
[9:05:29] nb_ made a motion for it
[9:05:30] <@iang> Support Challenge: my vision here is to create a new Challenge alongside the Assurance challenge.
[9:05:40] <@iang> Q1: yes we will do that
[9:05:50] <@Q1> iang: thanks
[9:05:58] <@iang> Chair: I think we still need a motion on the team leader
[9:06:17] <@dan> ok - is that what nick made a motion for?
[9:06:18] <@Q1> I second nb's motion
[9:06:19] <@iang> I second Nick's motion
[9:06:48] <@iang> perhaps I should abstain as it is about me
[9:07:04] <@dan> motion: who's in favour of michael tanzer's appointment as Support TL?
[9:07:14] <@dan> aye
[9:07:17] aye
[9:07:19] <@Q1> aye
[9:07:25] <@dan> iang: i don't think you need to abstain
[9:08:11] aye
[9:08:19] <@iang> dan: yes, I know .. I'm not sure what is more anal here, abstaining or voting Aye to my own resignation & replacement :)
[9:08:32] <@iang> Aye, for happiness and long life
[9:08:40] nb [nb@delta.bebout.net] has quit IRC: Killed (nb_ (nb))
[9:08:41] nb_ [nb@67-207-150-49.slicehost.net] is now known as nb
[9:08:51] nb [nb@67-207-150-49.slicehost.net] has set mode +o nb
[9:08:54] <@dan> ok passed - next item
[9:08:59] nb [nb@67-207-150-49.slicehost.net] has set mode +o law
[9:09:00] <@dan> 3.4 assurance
[9:09:03] <@dan> 2.4*
[9:09:04] <@nb> law, sorry, forgot to op you too
[9:09:08] nb_ [nb@delta.bebout.net] has joined #board-meeting
[9:09:29] <@dan> this looks more of a community report - which is good. is there board business here?
[9:09:31] <@iang> my notes offered: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00071.html
[9:09:43] <@iang> yes, part 5
[9:10:04] <@dan> ok - thanks for the community report - now 2.4.e.....
[9:10:13] <@iang> I propose (and move) that we accept Sebastian's resignation as Assurance team leader, and thank him for steering the ship over the last year. Sebastian remains on the Assurance team! And, I propose we appoint Ulrich as team leader, formally Assurance Officer within the meaning of the Assurance Policy.
[9:10:31] <@nb> second
[9:10:34] <@nb> and aye
[9:10:41] <@Q1> aye
[9:10:41] <@iang> ah, misnumbered, 2.4.e == part 5 in mail
[9:10:53] <@dan> aye -
[9:10:55] <@ernie> aye
[9:11:06] <@dan> (though I can't remember what the role includes)
[9:11:26] <@nb> dan, one duty is requesting the temporary (or permanent) administrative increases of experience points
[9:11:27] <@law> aye
[9:11:30] dan: AP and policy work
[9:11:33] <@nb> which iirc we have only used once recently for two people
[9:11:34] <@iang> Assurance Officer? basically managing the exceptions, "super" assurance requests, etc.
[9:11:39] <@ernie> is uli now event and assurance-officer?
[9:11:50] <@iang> ah.
[9:11:54] <@iang> darn, good point
[9:12:09] <@dan> np - was an off hand comment - thanks for the info.
[9:12:18] <@iang> missing element. We did lots of talking on this, and we want to propose Walter as Events officer.
[9:12:20] <@dan> is there a problem being both?
[9:12:43] nb sees no problem with being both
[9:12:45] <@iang> Ulrich is supposed to be resigning as Events Officer
[9:12:57] <@ernie> dan, not a problem - will only know
[9:13:22] <@Q1> see no issue, apart from available time (but Uli seems to have enough :-) )
[9:13:25] <@iang> ok. thinking about this.. I haven't written anything up here ... so I'll signal that I'll propose this for next board meeting.
[9:13:27] <@dan> iang: can postpone that to an out of band motion - i've no objection but no notice was given for it
[9:13:35] <@iang> dan: correct
[9:13:52] <@iang> and time is not really at issue here, the people doing the jobs are doing the jobs, and face no real blockages atm
[9:14:08] <@dan> ok 2.5 software?
[9:14:34] <@iang> notes by Dan on software: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00066.html
[9:14:47] <@iang> notes by Iang on software: https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00074.html
[9:15:21] <@dan> er - those were the sysadmin ones
[9:15:21] <@iang> ooops, wrong notes :-( apologies
[9:15:36] <@dan> https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00073.html by iang
[9:16:44] <@iang> also a report by Markus: https://lists.cacert.org/wws/arc/cacert-devel/2010-02/msg00010.html
[9:17:28] <@dan> good - lot going on - good to see Markus making progress.
[9:17:59] <@dan> board business here?
[9:18:19] <@iang> Markus is now ABC'd. Dirk will be done soon (can't promise that, up to Arbitrator)
[9:18:38] <@iang> question for board is whether we propose these people through as software assessment team members
[9:19:12] <@iang> this is a complicated question that is discussed in 3. in that post
[9:19:46] <@iang> basically, Philipp G should be doing this, but he hasn't the time. I spoke to him today, and he mentioned that he hadn't the time to advance any of these things in the last few weeks.
[9:20:46] <@iang> the thing that we have to do is build a new software team with a new team leader who is capable of building / running a large, spread, complicated team ... PG isn't really the man for that job
[9:20:57] <@iang> although he has done a good job holding the fort for the last few years.
[9:21:24] <@iang> I don't see right now that we have a clear candidate so to some extent it falls to us as board to fill that role in
[9:21:29] <@Q1> iang: ok, so what is now needed from the board?
[9:21:54] <@iang> hence I suggest we think about appointing the new Software Assessment people as and when they are available.
[9:22:23] <@iang> Today, Markus has gone through ABC. Next few weeks, Dirk. Others to follow
[9:22:23] <@dan> assessment - so basically the gatekeepers to the production system?
[9:22:28] <@ernie> iang, from which people we are speaking here?
[9:22:46] <@iang> this gets us to the point where PG and Markus can then oversee the patches into the production system.
[9:23:17] <@iang> people; Philipp G (now) and Markus W (proposed) as software assessment.
[9:23:27] <@iang> Under SP we need to have two people to review the code patches
[9:23:46] <@iang> dan: yes.
[9:25:07] <@iang> other questions?
[9:25:59] <@dan> nope - sounds fair that they review patches and pass them to the critical team for deployment
[9:26:08] <@iang> Motion that Markus Warg, having completed the ABC check, be appointed to Software Assessment team, as documented under Security Policy.
[9:26:13] <@nb> second
[9:26:13] <@nb> aye
[9:26:16] <@dan> aye
[9:26:16] <@Q1> aye
[9:27:10] <@ernie> aye
[9:27:18] <@iang> aye
[9:27:24] <@law> aye
[9:27:39] <@dan> ok - next item 2.6 System / Crital /Infra
[9:27:47] <@dan> Critical*
[9:28:28] <@dan> a) good status report https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00074.html
[9:29:27] <@dan> b) teams and growth
[9:29:54] <@dan> i've answered my views on list
[9:30:01] <@dan> https://lists.cacert.org/wws/arc/cacert-board/2010-02/msg00066.html
[9:30:18] <@dan> c) -access team leader
[9:30:36] <@iang> Wytze wrote in his annual report one line item, to grow the team. We discussed it briefly afterwards and didn't have a firm conclusion. It could be seen as a general recruiting invitation .. to others like the ATE crowd
[9:31:29] <@iang> yes, "access team". this is relatively new business for the board. Because of Security Policy, the transfer is in place "rules based".
[9:32:03] <@iang> however in the past it was never really discussed ... probably because of events.
[9:32:17] <@iang> I would suggest it is something to put into the letter to Oophaga
[9:32:27] <@ernie> iang, in the past it was worked in another way
[9:32:53] <@Q1> iang: please explain? You mean the discussion regarding who's leading the access team?
[9:33:19] <@iang> and I'd ask them to discuss team leaders. Bas wrote me privately and volunteered himself .. I'd ask the other team members to agree to that first
[9:33:39] <@iang> nothing about the Access Team was much discussed in the past.
[9:34:03] <@iang> The Team was working, and working well, it was one of the first things that Teus set up. So there was less of a need to discuss.
[9:34:33] <@iang> when I was reviewing systems in audit visit, I did review the Security Policy with Hans (access team member) and he was very happy with it and confirmed his agreement to me.
[9:34:51] <@iang> I was planning to do the same with Rudi, Rudi, and Bas, but no opportunity.
[9:34:57] <@dan> agreement of tl or transfer
[9:35:16] <@ernie> iang, now we have also at the support a system and not only email, therefore a system more with access-control
[9:35:27] <@iang> Note that the access engineer's team did not put a report in ... i think this is because they didn't have a team leader :)
[9:36:10] <@iang> dan: don't follow your question?
[9:36:36] <@dan> ah - nm - misread the comment about Hans' happiness
[9:36:56] <@dan> it's referring to security policy
[9:37:12] <@iang> agreement of transfer: this was discussed by the board ... there were some grumbles about it from Teus. I don't think he liked it. But in the end, the policy group voted the SP, and the Board voted at some point to back the Security Policy in full.
[9:37:56] <@iang> one possibility is that Teus didn't really inform Oophaga board of this. So something to put in the letter.
[9:38:34] <@dan> so our SP requires we control our AEs?
[9:38:40] <@iang> ernie: not sure what connection you are referring to here. Support's OTRS is a fairly minor computing system in the scope of things.
[9:38:44] <@iang> dan: yes
[9:39:02] dirk_g1 [AndChat@89.244.99.55] has joined #board-meeting
[9:39:18] <@dan> sounds reasonable.
[9:39:20] <@iang> Security Policy was written to place all access control under SP section 1. which goes to audit. Which means the entirety of Access Engineers is under Audit
[9:39:30] <@ernie> iang, each system which is handling data must have an access control, sure not the same like crit.system
[9:39:45] <@iang> so if CAcert outsources the AE team to Oophaga, that insources Oophaga into the audit. Which is a nuisance.
[9:40:09] <@Q1> iang: couldn't that be handled by a SLA?
[9:40:23] <@iang> ernie: granted, but we covered that in the earlier agenda point. Support team will look at it, document it and report back to board
[9:40:53] <@iang> Q1: yes, as long as the SLA specifies the audit conducted on Oophaga, and the CAcert accepts that audit
[9:41:09] <@Q1> (iang: I guess Oophaga won't be able to offer a SAS70 cert)
[9:41:14] <@iang> e.g, a SAS70
[9:41:42] <@iang> (I'm not proposing that ... "e.g." ... what I'm saying is that *something* is needed.)
[9:41:57] <@iang> (and, as an aside, Mozilla also thinks about that these days as well :) )
[9:42:00] <@dan> what does Oophaga's control of AEs mean to them?
[9:42:13] <@iang> them == the AEs?
[9:42:27] <@dan> theamin meaning oophanga
[9:42:37] <@dan> them meaning Oophaga
[9:42:55] <@iang> If Oophaga is in control of the AEs, Oophaga can order them to go in and do something to the servers.
[9:43:30] <@iang> which isn't so much of a problem because we have the agreement with Oophaga; but that agreement isn't really strong enough for a CA and for an audit
[9:43:33] <@ernie> I think we can't outsource this
[9:44:05] <@ernie> then oophaga is in control of the crit-sys as a whole
[9:44:12] <@dan> ok - we'll propose to Oophaga that it would aid our audit if we control them
[9:44:34] <@dan> and probably a heads up to the AEs themselves
[9:44:45] <@iang> right ... so an early decision was taken in 2007 to outsource this ... but we've essentially re-thought that
[9:44:58] <@Q1> ernie: correct, you'd need a very strong agreement, one that is backed up by an audit statement, like for instance SAS70
[9:45:17] <@iang> I can say also ... the concept of Oophaga doing an audit was discussed .... and Teus was not keen on it. Moving the AEs was by far the most effective thing to do.
[9:45:18] <@ernie> Q1, and an agreement is a sheet of paper only :-)
[9:45:28] u601 [u60@p4FDCA0F1.dip.t-dialin.net] has quit IRC: Excess Flood
[9:45:31] <@Q1> Seems our letter to Oophaga is going to be more and more important
[9:46:05] <@Q1> ernie: SAS70 is more than just paper
[9:46:06] u60 [u60@p4FDCA0F1.dip.t-dialin.net] has joined #board-meeting
[9:46:16] <@ernie> Q1, Ok :-)
[9:46:25] pemmerik [pieter@cc518889-b.hnglo1.ov.home.nl] has left #board-meeting
[9:46:32] <@dan> motion: any objections to requesting the insourcing of the AEs?
[9:46:42] <@iang> well, it's already done
[9:46:46] <@ernie> Q1, but important things you should better control by yourself
[9:46:54] <@iang> Security Policy rules them, and therefore they are now under our domain
[9:47:13] <@dan> ok no disagreement
[9:47:20] <@iang> but: it would be polite to mention this in the letter
[9:47:23] <@dan> next item?
[9:47:34] <@dan> 2.6d - defer
[9:47:53] <@dan> 2.6e incident and recovery
[9:47:54] <@iang> are we all agreed that we need to ask the Access Engineers for a discussion on the team leader?
[9:48:19] <@dan> nick indicated earlier he needed to get a list together of contacts.
[9:48:23] <@iang> also, there is 2.5 / 4. I'm agreed with deferring that
[9:48:53] <@iang> ah, right, I'm on the wrong numbers again, sorry
[9:49:03] <@iang> 2.6d - defer, agreed.
[9:49:09] <@dan> i need to get the key contacts distributed automated
[9:49:43] <@dan> cacert-roots list is kinda discussing root key control which we should be contributing towards
[9:50:02] <@iang> dan: hear hear!
[9:50:04] <@Q1> dan: what item are we at?
[9:50:11] <@dan> 2.6e
[9:50:16] <@iang> incident & recovery functions
[9:51:18] <@dan> so far there's been a few proposals on key control. i'll try to get them wikified this week so they can be compared.
[9:51:29] <@Q1> good
[9:51:52] <@dan> how about by the end of the week we all comment on the proposal so far and deliver some feedback to the list
[9:52:22] <@Q1> dan: you have them wikified by end of the week, and from then on we have a week for comments?
[9:52:32] <@iang> Dan: are you referring to this: https://lists.cacert.org/wws/arc/cacert-root/2010-02/msg00007.html
[9:52:33] <@ernie> Q1, :-)
[9:52:38] <@dan> ok - thats probably fair
[9:52:52] <@iang> ah, ok to your wiki summary. good
[9:52:57] <@dan> if that's my email sure
[9:53:29] <@dan> (ff 3.6 breaks access to SSL renegotiation which broke my access)
[9:53:40] <@dan> anything else for 2.6.e? ian?
[9:54:00] <@iang> no, this is fine. It's important to just read and be aware because big decisions are coming
[9:54:07] <@Q1> dan: so you summarize/wikify, and from then on we have a week to comment?
[9:54:12] <@dan> yes
[9:54:19] <@Q1> ok
[9:54:23] <@dan> or week from when i finish :-)
[9:54:52] <@dan> 2.N-1a) - conflicts of interest - iang?
[9:55:27] <@iang> The AGM's annual report, the voting on motions to change rules, and other discussions have led to several issues. The ones I have seen are listed in the agenda.
[9:55:28] <@iang> None of these are "today, must resolve, urgent" but all are important. Smoke, but no Fire. Today.
[9:55:28] <@iang> My hope is that by listing them, we can encourage those who are thinking about them to pick them up.
[9:55:28] <@iang> (End)
[9:55:58] <@Q1> Do we want to go through each item?
[9:56:09] <@iang> I'm open to anything
[9:56:11] <@Q1> Maybe just status update?
[9:56:21] <@iang> but I expect we'll be happy to defer these items
[9:56:56] <@dan> happy for a deferment here
[9:57:18] <@Q1> given the time I move we defer
[9:57:32] <@iang> s/2.N/2.7/
[9:57:58] <@dan> ok - 3 - question time?
[9:58:10] <@dan> any questions from the digital floor?
[9:58:21] about 2.7 a + 2.d
[9:58:31] <@dan> yes
[9:58:47] CoI - I've started this point 'cause there is a problem in this area
[9:59:00] <@dan> really?
[9:59:25] started ABC interviews with Ian at fosdem ... this leads to points where CoIs are possible, people aren't aware of it
[9:59:50] now the problem ... i.e. are Arbitrators also underlying such a problem ?
[10:00:14] SP / SM gives only advice for ABC to critical roles
[10:00:28] but what's with other areas ? board, arbitrators ?
[10:00:58] and how to start a CoI interview / discussion / or whatever else
[10:01:09] if I had a CoI ... to whom I send this ?
[10:01:16] who decides over it ?
[10:01:21] where is the register ?
[10:01:26] end
[10:01:56] <@iang> u60: if you have a CoI, being who? Association Member? Arbitrator? Assurance Officer?
[10:01:57] <@Q1> Officially only the board has to register CoI, and the secretary has to create a register
[10:01:59] <@dan> if arbitrators are not covered by a ABC then i guess its a policy question.
[10:02:07] Arbitrator
[10:02:21] <@iang> Arbitrator. OK, there is nothing in DRP about this ...
[10:02:33] <@iang> so it falls to the Community, which is covered by Principles.
[10:02:45] <@iang> I think all it says is "we declare our CoIs."
[10:02:56] ok, but to whom ?
[10:03:05] <@iang> :-)
[10:03:12] <@iang> it doesn't say
[10:03:27] who decides over a CoI one declares ?
[10:03:27] <@Q1> I'd say given the official structure the secretary is the one to create/update the register
[10:03:27] <@dan> as for ABC of the board - its an elected official so I don't think an arbitrator can overturn the election of an official
[10:03:41] <@iang> "We reveal our conflicts of interest, for the community to judge."
[10:03:56] <@Q1> so that's where to declare
[10:04:01] <@iang> hmmm, so one reading might be that you have to run around and tell each and every member of the community
[10:04:07] <@iang> might keep you busy for a while :)
[10:04:45] and what's with CoIs I'm not aware of ?
[10:04:58] <@dan> for team leads i think its fair to report to the board as they were responsible for the appointment and delegation of function
[10:05:08] <@Q1> u60: what do you mean?
[10:05:08] this can be found only by discussion or thru an ABC
[10:05:17] <@iang> Q1: that official structure possibly doesn't work for the community, so not the Arbitrators or others
[10:05:43] <@iang> but I suppose if the Arbitrators agreed, we could combine the registries for convenience
[10:05:47] <@Q1> iang: we would need some kind of register
[10:06:03] <@iang> nod.
[10:06:18] q1: and an official procedure
[10:06:33] <@Q1> We had two proposals at the AGM, trying to explain in more detail what a CoI entails
[10:06:41] <@iang> also ... a more important question might be ... who gets to browse through the registry?
[10:06:44] <@Q1> but both did not pass
[10:07:01] <@ernie> u60, what do you mean with official procedure
[10:07:20] <@Q1> (iang: yes, big issue: might be in conflict with data protection)
[10:07:28] as DRP declares the arbitration procedure, a procedure for finding CoI can be established
[10:07:55] <@iang> dan: overturning the election of an official, yes ... complicated, but given the rule change to refer all association disputes to our Arbitration ... i'm not so sure
[10:08:11] <@dan> ok - nick want to write up a procedure
[10:08:30] <@iang> Q1: well... our own privacy principles, I would think
[10:08:30] i.e. interview over people in some areas ... with a defined set of questions ... the results in a CoI ranking ... the result can be added to the register or not
[10:08:57] <@dan> or anyone?
[10:09:03] <@ernie> Q1, data protection is the biggest issue - and who is responsible if something will happen with this data
[10:09:09] <@iang> there is this clear tension between: we are supposed to be a privacy organisation /versus/ we are supposed to be a security organisation ...
[10:09:29] <@Q1> versus we're supposed to be open
[10:09:35] <@iang> that too :-/
[10:10:00] <@Q1> We've had this discussion in the arbitration team meeting as well
[10:10:28] <@dan> any opinion from there?
[10:10:34] <@Q1> I guess starting with a list of potential CoIs as guideline might be useful.
[10:10:55] <@Q1> For instance: do you work for a spammer?
[10:11:19] <@Q1> (sending signed spam emails will be the next step to bypass spam filters)
[10:11:22] no, but should I ?-)))))
[10:11:40] <@ernie> Q1, to give guideline is a good idea
[10:12:00] <@dan> once you get to lists it becomes all rather involved. i'd be happy with a guideline definition as to what a COI is and its procedure
[10:12:05] <@iang> Q1: as against a list of roles ... I put an example matrix on https://wiki.cacert.org/AGM/RuleChange/ConflictOfInterest
[10:12:50] <@iang> we have at least two firm stakes in the ground: Security Policy and the new Associations Act
[10:13:09] <@iang> establishes for the security people, and for the association
[10:13:39] <@dan> s/association/board/
[10:13:43] but what's with the others ? i.e. Arbitrator but no Inc member ?
[10:13:53] <@dan> our rules define it for the association membership
[10:14:22] <@iang> so possibly we need to figure out where on the ground Arbitrators exist in that arrangement, and Board directors, in comparison
[10:14:29] <@iang> dan: was it board? ah ok
[10:14:37] <@dan> the Act - yes
[10:14:49] <@iang> so there is just a question as to whether we strengthen the CoI regime for board or not.
[10:14:58] <@ernie> dan, right
[10:15:28] <@dan> I think the Act is pretty clear for the board
[10:15:43] <@dan> it even defines procedures
[10:15:57] <@iang> the repeated rumbles (in the sense of frequent rule-change attempts or writings) from the membership indicate that this is a question.
[10:16:02] <@dan> we do need procedures for community TL and association though
[10:16:05] <@iang> where is the Act clause?
[10:16:44] <@iang> The Act was fairly clear, yes. But the Act was written for a footy club, not a CA.
[10:17:25] <@Q1> exactly. It's not always clear what would constitute a CoI.
[10:17:53] <@iang> but ... to be pragmatic about this ... I'm keen to see where the Arbitrators take this. They may be able to act more clearly and easily, before the other parties
[10:17:53] <@Q1> Because some think it not only includes competitors, but also natsec.
[10:18:32] <@Q1> iang: hmm, it was an interesting discussion, but no firm answers yet...
[10:19:16] <@Q1> Mr. chair: what is the conclusion? Is there an action?
[10:19:32] <@iang> to some extent the absence of Arbitrators from ABC is historical. the old Security "practices" were that "core team" were background checked. And we simply wrote those roles & requirements across as is.
[10:19:59] <@iang> but Arbitrators were a new development from the post-core-team days ... so never got background checked
[10:20:25] <@iang> (just a remark ... I'm not proposing ABC for Arbs.)
[10:20:28] <@Q1> iang: that's because contrary to the support group, the arbitrators basically could do nothing without support (no data access)
[10:20:43] <@iang> yes ... they had their dual control already.
[10:20:59] but may have wider power than expected
[10:21:15] so arbs are also in the focus of public
[10:21:16] <@Q1> u60: agreed, but otoh everything is in the open
[10:21:22] and in a sensitive area
[10:21:33] <@dan> Any board volunteer to write up a COI procedure for board approval?
[10:21:47] ok, what's with childporn and politicians ?
[10:21:47] <@iang> personally I don't think we're there yet
[10:22:02] <@Q1> u60: I don't like either...
[10:22:13] <@iang> we don't appoint those so we don't need a policy ... I hope :)
[10:22:26] ;)
[10:22:44] <@dan> on - uli - you wanted a procedure - lets try to get you one
[10:22:48] [RAW]: son /ok/
[10:22:54] <@dan> s/on/ok/
[10:23:02] <@iang> I saw a comment on an application form recently: "Do any of your relatives have a public position or profile?" or some such.
[10:23:24] as a sidenote ... if we establish an open CoI procedure, this will be visible to the public, and the fear the last boards had, about being overwhelmed by other commercial CAs, maybe banned thru this
[10:23:25] <@iang> i guess start a wiki page?
[10:23:31] <@Q1> What type of job are you applying for? ;-)
[10:23:49] <@iang> Q1: one that would have required a declaration of a conflict ;-)
[10:24:39] <@Q1> u60: I'm afraid it won't work like that
[10:25:06] <@iang> well, I think the guidelines are likely public.
[10:25:08] <@iang> no?
[10:25:50] <@dan> discussion can continue on a list somewhere. lets close this meeting
[10:26:03] <@dan> volunteer to write up minutes?
[10:26:04] i have 2 more questions !
[10:26:15] <@dan> i hope they are quick
[10:26:15] 2.7 d audit work
[10:26:43] with the root keys motion ... is there expected to get the audit running before end of this year ?
[10:27:27] last root key ceremony was under auditors view
[10:27:28] <@dan> that seems to be the implied goal - we've all got an outstanding action item to confirm that
[10:27:34] <@iang> i don't think the new root key holds us so up on audit
[10:27:52] ok
[10:28:21] <@iang> u60: root key ceremony being under audit view is not an audit requirement, generally. It is actually a rather dangerous thing to require that
[10:28:25] q2: arbitrators ... we have about 60 open arb cases and we've lost again 2 arbitrators to board
[10:28:46] <@iang> we need new Arbitrators!
[10:28:51] <@dan> we've all got to define the goal of the board/community this week - include what you think about new roots and audit there too.
[10:29:02] <@dan> last question uli?
[10:29:02] <@iang> dan: point
[10:29:24] so the current working board motion boardmember vs. arbitrator is a blocking factor
[10:29:40] we've discussed this in the arb team ...
[10:29:58] <@Q1> regarding arbitrators: we're starting to get some of the "standard" disputes solved by using comparable rulings
[10:30:09] we had many arb cases, where arb=boardmember can handle w/o CoI
[10:30:14] <@Q1> That will help process more disputes
[10:30:27] <@dan> the arbitration policy already has a COI policy
[10:30:38] <@dan> i don't think its an issue
[10:30:59] <@iang> then, put it on the agenda for next meeting to debate this and perhaps overturn the motion?
[10:31:12] <@dan> sounds like a good resolution
[10:31:13] from community to get in new arbs is a long time solution ... but we need arbs now ...
[10:31:37] <@iang> i think there is a tension between Arbitrators working on Arbitration and Board Members working on Board ...
[10:31:55] <@dan> can the arbitration community define their priorities to get more arbitrators?
[10:32:07] <@Q1> Yes, we will
[10:32:14] <@Q1> (spoken as DRO)
[10:32:20] ack
[10:33:04] 1. arb that are also board members ... be able also doing arb cases that don't conflict with board member work
[10:33:23] <@dan> uli would you like to volunteer to write up the board minutes for today?
[10:33:27] <@iang> there is a bit of a race between Support and Arbitration to recruit the best members
[10:33:31] 2. triage -> support -> Case Managers -> Arbitrators path
[10:33:40] <@iang> but we consider it a friendly race :)
[10:33:50] <@Q1> no we don't ;-)
[10:34:14] <@iang> Q1: according to the rules that I wrote for the race, Support comes first ... both times ;-)
[10:34:19] dan: this was my last point ,-)
[10:34:30] <@iang> Rule #1: triage -> support -> Case Managers -> Arbitrators path
[10:34:35] <@iang> :-D
[10:34:39] <@dan> i was hoping - thanks for asking.
[10:35:03] <@dan> meeting closed at 23:34