MiniTOP Assurance - Hamburg 20091215

Present: Walter, Iang, Ulrich. Mario from noon on. Marty + Martin from 13:00 on. Photos by Walter.

Meeting opened around 09:30, closed around 18:00, followed by dinner and informal discussion. Meeting called by Ulrich due to repeated concerns that junior members were being refused assurance at ATEs and assurance events.

Last meeting: Munich 20090517. Next meeting: Brussels 20100206.

Estimated cost of the meeting: € 400. Tour cost is € 813 (134 64 265 accom 95 train 141 23 46 45) plus additional uncounted costs for train trips, so estimated € 1000. These costs were spread across two larger meetings (also Essen Software meeting 20091216 with 9 people) and one smaller informal assurer meet&greet (Frankfurt lunch 20091217).

1. PoJAM

Long discussion about the Policy on Junior Assurers / Members. Walter, Iang, Ulrich. All had read the existing WIP document at PoJAM and were prepared.

Walter brings up the perspective that even having a guardian angel doesn't work because it requires the consent of the parent to be legally founded. That is, nobody can "take responsibility" without permission. This can be ignored, technically, but it brings up a new risk of claims/suits that won't be easily dealt with.

Which basically means it is not worth doing.

Which brings us back to the original problem, which is having to establish consent. Establishing the parent's consent also makes the rest of it much easier, because we can then employ our standard arbitration and assurance practices without any undue risks.

Then, the consensus is: consent will be required.

We can allow a minor to use the standard low-reliance features, as already accessed over the net. This means creating an account, getting a low-points certificate, etc. There is some discussion about temporary accounts and so forth, so the CAP is not slowed down, but this appears to be no different to the existing situation, so no change required here.

Establishing consent then has to be "documented." This can be done by all sorts of methods. What emerges out of discussion is that it is a matter for the Assurer to establish on their own. That is, there should be no additional CAcert component such as sending consent forms in. Secondly, the establishment of consent should be seen as an ordinary part of the Assurance, and not a new component or policy change.

But assurance over the minor remains invalid until a parental consent is established. We put the charge for this on the Assurers.

Any Assurer can (it is proposed) assert "I have a parental consent form" as part of the CAP.

The statement itself can be varied to "The person is capable of entering into the contract." which can be explained to be "is of legal age in the country, etc."

The sense of the meeting is that 14 is a suitable lower limit for Assurer. It matches various religious and legal benchmarks.

In spare moments that day, a new version was prepared and put on the wiki at PoJAM2 and circulated to Assurance Team. To be sent to policy group.

2. TTP

Do we look at TTP (trusted third party)? We can, but time is needed to read it. There are several competing proposals / ideas:

(moment taken to read / skim)

Mario: Communication problem, CAcert is telling people badly that it is off, maybe it should accept the requests? Uli: now there is an arbitration with intermediate ruling on this.

iang: the current system doesn't scale, the box of paperwork is not currently in our power, and the system is therefore in doubt. Should a dispute be filed to knock out all points, because we don't have the box of paper? Speaking hypothetically...

iang: we might be far better off matching the current standard Assurance process. Something like:

member -> TTP -> Assurer (senior?)

mario: this is outsourcing of the identity part.

Should we use the same TTP? We cannot fully rely on the TTP because of weaknesses in the system, therefore each TTP should be used only ONCE for each Member.

Implementation detail (system check?) on how to control this -- use the Location button to set the name of the TTP.

Who is an acceptable TTP? This should be stated by either an Organisation Assurer who is listed for that region / country, or 2 Senior Assurers who are familiar with the region / country. The list (changes) should be Board-approved. Board can delegate Assurance Officer to do this, for example.

How many points does one TTP get me? Marty: 50 because it is complicated. 35 because it is the same, and because TTPs aren't better than our Assurers.

Require 2 chains to get past 50 points, 3 chains to get to 100 points. Baseline, no exceptions.

No point in setting rules about who sends the documents, we can't verify it anyway.

The TTP process is now an outsourcing of the meeting by the Assurer.

Who can do this? Assurers with 50 experience points?

Another CATS challenge? Not really needed because it should be covered in standard?

Is Board approval needed? Each assurance using TTP -- not likely, board will get too much work.

Each person who can do a TTP assurance: not really because it doesn't add much of a check. It is a check which doesn't work for membership or other things. The board is rubber-stamping.

In the end, consensus is that 50 experience points is it. The Member must have 50 experience points, and any other checks imposed by the Board, as needed.

People who are assured by TTP, might not ever be able to find other assurers. So should the points / documents be kept longer?

Support has to be asked to set the TTP flag on the individual. This flag has to be set for a TTP assurance, so Support have to be requested. They can follow the policy as it is at the time, just like it is with code-signing.

Should we limit the numbers of TTPs per person ... no.

Results of this meeting written up as TTP Assisted Assurance Policy. Should communicate this to Assurance Team, and if no adverse comments, move to discuss it on Policy group.

3. Nucleus Assurance Programmes

Assurance Programmes: others are also needed. Another is the Fosdem programme, to meet people who are studying in Universities from other countries.

Idea derives from "spread through Europe" mission started at Munich. 2 experienced Assurers; could issue 50 points each to get 100 points together.

They would have to be trained before they go back. Would have to build up a local community, e.g., 10 people.

2 experienced assurers could be set (using super-assurer) to be able to issue 50 assurance points each. Board approved.

Then, on one day, they teach 10 people like through ATE, and then get them up to 100 points using 2x50 assurances. They pass CATS at the time or before. Then, the new Assurers should assure at least 3 people each, and be assured by 3 new Assurers, each, so that the 30 points is re-covered. (If the system was smart enough it could then drop the 15+15 bounty points.)

NucleusAssuranceProgramme should be the name. Ulrich to write down the principles, maybe turn into sub-pol. Iang to clean up.

4. Schools

CAcert into schools. Walter, also Andreas Buerki. Starting programme?

This year we started with a one day ATE. In schools we can present in more events, one hour on each section. Design each presentation to be a basic school lesson sized? Either in school hours or outside. Just like "driver training".

(We need a PoJAM? Already done earlier in day.)

Start with the ATE, slice it up into units. ATE was always compressed, easy to expand it.

We should work with a teacher to work it through. Or, just do one and force the teachers to help us make it less awful.

Should have a benefit, beyond CAcert. What is identity? CompSci, how does encryption work? Have to make it interesting for the kids.

Maybe Mathieu Simon can help with the Schools plan. He is involved in schools as far as Mario has read.

5. Diversity

Iang added 2 points: women, countries. Repeated the basic points of Munich. Some anecdotes discussed.

Sweden has been contacted, ATE in Denmark this spring. Contacts at Fosdem are important for this.

6. Triage + support + Arbitration

Uli: Training programmes only cover Triage at the moment, but they should cover the others as well, support + CM + arb.

The progression: Triage => Support => CM => Arbitrator.

Mario: good thing, know the whole process, but not good to impose the progression now because we have a lack of people in any area. The procedures move faster than the people can move.

Support should require people to have quite a lot of time. Support needs more people. 1 is not enough.

We'll discuss Arbitration and ABCs tomorrow; Andreas Baess will be there.

Ulrich asks Marty, how does the startup in Triage work? (Marty got the invite from Martin G. asked about certs, etc for document management.) Currently Marty needs more support. More education?

In talking to F, he knows things, but doesn't know which cases go forward as Arbitration and what not. Handover from old guys to new guys is needed.

Iang: Triage mechanism for new guys currently is a welcome package with 3 elements: documentation, mini-challenge, and SE's chat room for on-the-job training. Intention is to leave that mechanism in place for Triage, but advance the Support side towards a full challenge for Support through CATS. Problem right now is a lack of questions, probably need 100, got 34 currently. It takes a long time to build up the questions.

Ulrich: Arbitration is also setting up lessons on various issues, including how to handle a deletion. These lessons needed because each new Arbitrator faces the same steep learning curve.

How to deal with a complex case? Should the Arbitrator slice it up as Ulrich has done? Could this be the Triage job? No, because the triage people only make the decision as to whether it is an Arbitration.

Lessons needed to advance. Should there be an Arbitration challenge? Yes, but first we need a handbook. Worry about that later.

Problem that emerges is that the Arbitrators just don't know how the system works ... so should follow the progression above to learn the different areas.

7. Co-auditing

Spring Tour over April-May-June to be planned. During a single 2 week period Ulrich will do Hamburg, etc., several cities. Outside Germany: Netherlands, Denmark, Austria, Switzerland are planned. Iang will be in AU.

What are the essential points of CCA, used as secondary question? Go to arbitration? There is also a path to award experience points (additional) for being co-audited.

General agreement that we will plan the co-auditing programme at Fosdem. Also pointed out at Thursday meeting that we should review the ATE. Agreed for Fosdem.