Time in GMT+10
[07:01:01] dan declares meeting open now
[07:01:02] my body has needs that don't submit to standards :)
[07:01:13] Q asked me to chair
[07:01:23] I've asked Dan to take the chair, since I am constantly sneezing and coughing
[07:01:36] right
[07:02:24] going to leave accepting minutes to out meeting motion
[07:02:30] hugi [hugi@84-73-137-73.dclient.hispeed.ch] has joined #board-meeting
[07:02:49] 3. taking minutes - ernie was volunteered last time - still possible?
[07:03:19] 2.1 OA
[07:03:23] i'm sorry, i don't understand that. some expressed last time that we preferred to have the minutes accepted in the meeting?
[07:04:28] i'll need to reread. seems like a waste of time to me. any objections with minutes as written?
[07:05:16] object on list if you do - out of band acceptance motion can be done.
[07:05:19] it is just such an accepted part of meeting procedure that changing that should be taken with care ... i am not sure of the ramifications.
[07:05:20] If I remember correctly, we discussed that minutes must be accepted before start of meeting
[07:05:33] However, we can already vote to accept before meeting starts
[07:06:06] i honestly haven't read them in great detail.
[07:06:30] one ramification is that if the minutes are not accepted, it is hard to proceed with the next meeting (not that I can explain that in detail)
[07:06:54] then, can we just move that the minutes of the last meeting be accepted?
[07:07:09] second and aye
[07:07:15] aye
[07:07:16] naye
[07:07:20] aye
[07:07:31] aye
[07:07:50] nb: here?
[07:07:52] ok - motion to accept minutes
[07:07:56] (question: mark and nick not here?)
[07:08:36] naye from me so far as I don't see a list of action items from it
[07:09:05] but i was going to look at that offline.
[07:10:13] i'm unsure if the action items are part of the minutes or not ... i probably wasn't at the meeting where this was discussed
[07:10:17] as usual 9 minutes have been wasted so far in procedural shit so i'll get a motion done for the next three days - we'll accept the content for now and move on to 2.1
[07:10:20] (which is why i did not copy them in)
[07:10:34] more documenting from the meeting.
[07:10:42] than carrying them over
[07:11:23] 2.1 OA - continuing from last meeting
[07:12:36] iang: all yours - what about OA is it you wanted to decide on?
[07:12:52] ok, my notes on the subject:
[07:13:05] At last meeting, we found that any Organisation Assurer can by some means or other take over the CAcert account and issue certs for the main domain.
[07:13:05] This is a hole in the security architecture.
[07:13:06] Since then, 2 things have been done. The account has been declared critical by m20100404.4, and therefore now under Security Policy (assuming its efficacy).
[07:13:06] https://community.cacert.org/board/motions.php?motion=m20100404.4
[07:13:06] Secondly, I have filed dispute to have the account blocked in some fashion, following SP.
[07:13:06] https://wiki.cacert.org/Arbitrations/a20100404.1
[07:13:07] How it is to be blocked is an implementation detail as yet unknown.
[07:13:08] What this leaves is 2 burning questions.
[07:13:08] Firstly, we need a proper security response -- specialist advice, analysis, decisions, software patches, governance changes. We don't have that, at least not according to this case.
[07:13:11] secondly, the dispute filed was an important one. under SP we need someone to deal with incidents and rule on any things outside the rules. This dispute did not get handled quickly, and as of the moment, it has no Arbitrator. This also suggests that Arbitration is in trouble.
[07:13:11] (end)
[07:13:55] I don't agree to block all OA
[07:14:10] OA-assurer to be exact
[07:14:41] so this is just CAcert's OA we're talking about
[07:14:49] so against which policies are the current procedures? I do not see any problems...
[07:15:00] you can also exclude cacert inc on the list, where the OA's fill in the assurances
[07:15:34] dan, I understand, that there are all OA-assurers should be blocked
[07:16:11] if we don't have the software analysis etc can we actually make a decision?
[07:16:15] iang, from what you are speaking when you say "OA"
[07:16:47] ernie: above i don't mention OA?
[07:17:15] iang, dispute filed to block OAs .....
[07:17:18] Ian, if I recall correctly, every OA can request for other organisations, right? So not just the OA for CAcert, but also others?
[07:17:58] Q, no - the OA-Admin can't
[07:18:04] Q: that is my understanding ... but I really don't know for sure. and there appears no way of figuring that out in any external policy sense
[07:18:26] by OA I mean Organisation Assurance or Organisation Assurer
[07:18:48] I don't think the O-Admin can add/change domains (from hearsay)
[07:18:55] Iang: Which of those? This is an important difference...
[07:19:15] O-Admin cannot add/change domains.
[07:19:22] law: which of those in which question / context ?
[07:19:27] law, right
[07:19:49] Whether to block Organisation Assurance or Organisation Assurer is a huge difference.
[07:20:02] from what said so far we don't even know what can/can't be done. there's an arbitration case to handle the fact finding and we can't make a decision without the facts
[07:20:19] sure ... that is why I said "How it is to be blocked is an implementation detail as yet unknown."
[07:20:46] When the discussions started I sent some mails pointing the details of the possibilities out. Did they also go to the board lists?
[07:20:51] and also, the "first burning question" ... we don't know how to do this, and this itself is a worrying issue
[07:20:51] So, I think I have to agree with Dan: we don't exactly know, so we cannot make a decision.
[07:21:07] but most of the problems you can solve, you exclude cacert inc on the list which OrgAssurer see
[07:21:46] Q: I agree with that; we don't know enough. FTR, I'm not proposing any motion here, as I also don't know enough.
[07:21:47] Iang: you also mention the arb case.
[07:22:13] You mention Arb is in problems, because of the delay
[07:22:24] ernie: is that something that can be done outside the Organisation Assurer's control?
[07:22:34] Q: yes
[07:22:41] iang, what?
[07:22:44] I think I agree here, Will talk to the arbs this week
[07:23:09] ernie: you said " you exclude cacert inc on the list which OrgAssurer" ... how is this done? who is in control of this?
[07:23:27] iang, the list is a query - when you exclude cacert inc, nobody can change anything, because there are no access
[07:23:29] Do we need an arbitrator to do fact finding, or can we do something ourselves?
[07:23:51] iang, and a name and domain could be only added once
[07:24:04] (seems Ernie has already done some homework)
[07:24:05] Q: for what it is worth ... i think it is the old case of too many disputes and too many slow disputes clogging the system. But that's just my external view
[07:24:07] i see no problem with us doing fact finding - however a board meeting time is not the time for it
[07:24:37] This is a software change... But you cannot only change the query, you also have to block it when altering data
[07:24:39] dan: correct. Can we assign someone from the board to create an overview?
[07:25:00] iang: can we get a list of facts needed and request them out and send the summary to the board list?
[07:25:11] aye
[07:25:16] law, but you can only add once, otherwise you will see an error-message
[07:25:17] agree
[07:25:38] well, i think that is the arbitrator's job. I don't want to double guess the arbitrator.
[07:26:01] agree with dan, I mean, board meeting is not fact finding time
[07:26:08] ernie: even if cacert is just included from the overview list, I still can change the admin list by just exchanging parameters in the requests.
[07:26:31] One remaining question, do we need arbitration to create an overview?
[07:26:34] ok - 2.1. Old SP to our critical teams - mario
[07:26:34] and I'm not the one to provide the facts; there is little doco about this area, and I'm not an OA so can't see into the system
[07:26:56] But this is an issue software team has to deal with...
[07:27:17] Q: i don't think so. What we need is for Arb to decide on the question of security, and rule on the issue of shutting something down ... where something is all, some, or nothing.
[07:27:56] iang, how you can shut down something, where you don't know how it really works
[07:28:08] Do we - as board - need to do investigation here?
[07:28:13] what board should be looking at is that overall, when we hit this security issue, then the response has been poor.
[07:28:22] iang: someone can do fact finding, that would take away work from the arbitrator?
[07:28:44] we should be looking at the interaction between the many areas involved, and trying to make sure the big picture of security is working well. Here, this time, it isn't.
[07:29:26] ernie: turn the question around; how can the board, under all its obligations, permit something to run when it is a security-critical feature, and it doesn't understand how it works (or cannot find out) ?
[07:29:59] we have to think audit-minded: if we don't understand it (or cannot figure it out) then audit will simply fail it.
[07:29:59] iang: it's not the right time if I'm reading what Q, ernie, law and myself are saying
[07:30:25] dan: think about how long you want to wait for a security hole to be cleared up :)
[07:30:43] it's been 2 weeks .... and only now are we seeing a positive response on this from the OAs
[07:30:50] there is definitely no security hole
[07:30:55] arbitration was our fast response but I can't see a clear statement there is one.
[07:30:58] dan: we cannot solve it here, but we can make a decision how to go forward. Either assign someone to do fact finding, or wait for arbitration.
[07:31:00] iang, you don't know how orga-assurance work
[07:31:04] ok - 2.1. Old SP to our critical teams - mario
[07:31:06] ernie: exactly.
[07:31:08] law, agree
[07:31:29] iang, but you are claiming a security hole - first you must know how it works
[07:31:29] that is why i filed dispute, because there was an *apparent* security hole, and nobody rushing to explain why there is not one.
[07:31:35] ok - 2.1. Old SP to our critical teams - mario
[07:31:38] and iang you have received feedback from ernie and me on this...
[07:31:44] dan, please hold on.
[07:31:50] 2.1
[07:31:52] 2.2
[07:32:02] law, i do not believe ernie's comment has been seen by me at least
[07:33:01] I move we assign someone to create an overview (Law might be best suited) to be sent to the arbitrator.
[07:33:21] And leave it there and move to the next subject
[07:33:34] and, it's just a comment. what we need is confirmation from the organisation assurance officer and documentation that this is the case. otherwise we're in the dark.
[07:34:09] iang: Organisation Assurance Officer is board...
[07:34:10] ok, i agree. I'll add it to the agenda for next meeting and we can pick it up there.
[07:34:19] correct. and we as board don't know.
[07:34:54] I'll put some more pressure on arbitration to pick this up
[07:35:08] Q: thanks
[07:35:09] (I guess that's all we can do right now)
[07:35:19] 2.2?
[07:35:24] please
[07:35:32] agree to continue with next item
[07:36:05] OK. I can do some investigations and summarize to board. But as I already declared my position I might be biased.
[07:36:56] thanks
[07:37:02] agreed to move on
[07:37:15] Regarding 2.2: I talked to Wytze last week (regarding Oophaga letter) and he mentioned that at the moment they still see SP as leading to all they do
[07:37:29] (they= system admins)
[07:38:38] That's good to hear. So my question is more if we want to rely on all teams doing so or to glue this into concrete.
[07:38:58] dan still happy to rely
[07:39:11] all support team members have agreed to SP, as far as i can recall, in email.
[07:39:14] I guess your proposal to create a motion is a good step, formalisation of status quo
[07:39:22] my understanding is, as long we don't have a new one, the old one is valid
[07:39:37] motion to include *all* critical teams
[07:39:43] so the issue of "non-binding" is more to others outside the teams
[07:39:46] ernie: policy group voted to take it back to WiP, so it is not binding from my understanding.
[07:40:39] law: I guess you're right: not officially binding for everyone, however, if you have agreed to SP, you are bound
[07:40:42] the thing is ... there are some other reasons why we have to get the critical roles to agree individually to the SP ... so this was put in place a while ago ... and represents an equally valid "binding" status on them. But only them.
[07:41:21] So what is if I agreed to SP and there is no SP? Is the old one binding? And what if there is a new SP?
[07:41:21] so, question: do we *need* this motion, or is every member of the critical teams already bound?
[07:41:45] or do they need to be?
[07:41:47] there is a document, and it is well known where it is. what is the question is the status, not the document
[07:41:47] law: newer version overrules the old one
[07:42:26] where there might be a question is if someone proposes an alternate SP into the policy group ... or circulates a new SP-bis amongst the security teams. but that hasn't happened, and i see no reason to guess that it will happen.
[07:42:52] so before an arbitrator, i suspect that it would be clear which document we are talking about
[07:42:53] What I see it, either they agree to follow the current version of the SP. Or they agree to one specific version.
[07:42:53] iang: what do you mean? Motion was to declare current SP (in WIP) binding to critical teams.
[07:43:36] Q: in the absence of that motion, the teams (hopefully) have already accepted SP as their agreed document. In all versions.
[07:44:09] iang: ok, is more version.
[07:44:15] or, in the presence of two versions that disagree, there might be a discussion. But this is something that we can reasonably accept at the time
[07:44:39] yes, in all versions. Or at least this is what I would suggest to the Arbitrator, following CCA
[07:45:04] What harm would it cause to do this motion?
[07:45:28] ok, I move we declare the current SP (date april 18, 2010) binding for all members of the critical teams
[07:45:45] the harm is that it might raise a liability in a serious snafu
[07:45:48] until a new version goes to draft
[07:46:10] iang: please explain?
[07:46:44] what you might want to do is follow the style ... and ask the team leaders to ensure that all members of teams have agreed to the current SP (or the pre-veto one) ... as their binding document
[07:47:44] at the moment, the organisation of CAcert is clear: policy sets up the document, teams agree to that document according to the status, and follow on. An Arbitrator can follow that trail.
[07:48:16] it is part of the Arbitrator's job to understand which versions are in place, and part of the parties' role to state which versions ... so there might be a version issue in place.
[07:49:13] as I see it, right now, the issue is entirely workable for the teams, as long as nothing goes wrong *AND* the thing that goes wrong is not related to a variation in documents.
[07:49:29] so that is constrained to the two issues: board-under-ABC and application engineer.
[07:49:36] so these are small issues.
[07:49:47] and I suggest we "accept these risks"
[07:50:33] however, the possibility exists that if the board also declares a version as being binding, this creates a possibility for the member to be confused as to the team's versions and the policy group's versions.
[07:50:47] well, that's probably also small, as long as we can agree on that version.
[07:51:58] If I understand this right, anyone could start a new WiP SP which would also be binding to the critical teams...
[07:52:34] can I try to summarise by saying that I don't think there is a large agreement that we need to enforce the SP to be binding
[07:52:38] fair?
[07:52:51] i agree with that summary
[07:53:14] I can live with that, given Iang's explanation.
[07:53:21] 2.4 - meeting schedule
[07:53:53] i'm generally in favour of swapping to EU morning and AU evening
[07:54:06] So, I guess the team leaders have to inform the members of the teams.
[07:54:47] Q: yes
[07:55:22] Dan, I think we have people from EU, Nick from US, and you and Ian from AU. What time zone are you in?
[07:55:40] (for me to understand how early I would have to get up)
[07:55:52] AU (UTC+10)
[07:55:58] 7am start today
[07:56:15] it is 08:00 here at the moment; I think it is 8 hours ahead of current European continental time
[07:56:38] we haven't seen Nick for many meetings ...
[07:56:44] I am also for some more weeks US, pacific
[07:57:38] and I suspect that he won't be able to change that situation in the future (but that's just my speculation)
[07:57:47] law: how many weeks? <2 or >2 ?
[07:57:59] till end of may
[07:58:18] so two more meetings
[07:59:08] what is your time difference from european time?
[07:59:09] I don't like very much the morning our time, if it is during the week I have no time
[07:59:44] see http://www.timeanddate.com/worldclock/meetingtime.html?month=4&day=18&year=2010&p1=0&p2=791&p3=971&p4=240
[08:00:01] would be UTC-7 now
[08:01:07] could we discuss on mailinglist everybody could mention pref times
[08:01:11] so european 7am or 8am would work for pacific time?
[08:01:34] Hmm, I agree we have to spread the burden, I guess European time 08.00 is acceptable for all?
[08:01:41] iang: ah, yes
[08:01:49] i don't see a consensus in switching over ... so i'm not opposed to deferring
[08:02:07] Q, depends on day - week-end or working-day
[08:02:11] but I'd like that just in the weekend, cannot commit to 08.00 during weekdays
[08:02:39] (and I don't really *like* getting up at 8 in the weekend...)
[08:02:52] :-)
[08:03:23] can understand. let's defer and if we can't find a tool that can put everyone's availability down then post out the link.
[08:03:24] Depends on the day. Sunday would be OK, Saturday I probably will usually not make it because of other appointments
[08:03:51] can't -> can :-)
[08:03:57] But european 9am or 10am would be also doable for me.
[08:04:16] good :-)
[08:04:27] ok, who will coordinate?
[08:04:43] i will
[08:04:47] good
[08:04:50] Next?
[08:05:08] skipping quickly to 4.1 - let's leave that as is until otherwise decided
[08:05:11] 3. questions?
[08:05:20] I have one question
[08:05:34] did you realize, that DNSSEC currently works on the same problem as CAcert ... about Root Escrow ...
[08:05:35] Keyholders by Community Members
[08:05:35] http://www.root-dnssec.org/tcr/
[08:05:35] http://www.root-dnssec.org/documentation/
[08:05:35] http://www.root-dnssec.org/wp-content/uploads/2010/04/ICANN-TCR-Proposal-20100408.pdf
[08:05:45] ???
[08:06:10] i saw that post ... i haven't had time to work through it
[08:06:21] did they come up with a solution?
[08:06:21] in answer to your question - yes saw it. haven't read it.
[08:06:49] Haven't seen it, but I will.
[08:06:49] u601, saw it and read it
[08:06:57] they have docs written, policies ... they'll searching 21 people right now till end of april
[08:07:29] u601, they are searching volunteers, which are already in this business familiar
[08:07:31] which is the same problem we have - choosing the people - it's not really technical
[08:07:33] the main problem: people interested in, have to be available for 4 times a year to fly to US
[08:07:35] have seen your post, but not read the links yet.
[08:07:46] you mentioned that they are asking for people and perhaps we should propose. I don't think we are in a position to easily support that
[08:08:10] u601: do they provide the costs?
[08:08:18] iang, NO
[08:08:35] the procedure contains one problem, that the keyholders have to come 4 times to the check by request
[08:08:56] ok, so the only reasonable option i see is larger companies with people involved in RFC work .. those guys follow the conferences around
[08:09:02] u601, but what is the asset for cacert - we have our own problems
[08:09:05] to check = to maintain integrity?
[08:09:28] iang, these companies will pay the expenses for the people - is usual in such cases
[08:09:37] asset for CAcert, send one ... get infos ... sharing the problem solutions
[08:09:53] u601, but this will not bring us forward - sorry
[08:10:18] u601, the infos you can also have without to be directly involved
[08:10:18] u601: this isn't a proposal that can work for us.
[08:10:28] ernie: I think you're right
[08:10:28] like other cross-community projects, yes we can probably ...
[08:10:32] i would see the asset as a signal that we participate in something similar as what we do ... so if our methods are attacked, it automatically criticises their methods
[08:10:36] we've all still got actions to review and accept escrow problems
[08:10:39] solutions
[08:10:49] but as we can't pay those costs, I don't see it happening
[08:10:51] iang: agree
[08:11:03] iang, but if somebody is doing, it is his own decision, has nothing directly to do with us
[08:11:06] any other questions?
[08:11:15] who we have in the US ?
[08:11:27] ernie: certainly i wouldn't stand in the way of a person wanting to do it :)
[08:11:45] and would indeed encourage it ... we just don't have anyone to hand
[08:12:03] can we encourage someone ?
[08:12:18] u601: typically, in the USA, we can find people to do things like this, but they generally expect costs to be paid. this is unlike Europe.
[08:12:57] iang: also, US is bigger than western Europe
[08:13:15] Q: and the flights work better ;-)
[08:13:36] 4 times 99 USD it's better than 4000 Euro !
[08:14:38] it's not only sharing the informations, it's also a PR push
[08:14:46] i think there are no more questions therefore meeting closed