MiniTOP Assurance - Brussels 20100206

0. Preliminaries

0.0 Intro

On the occasion of Fosdem 2010 in Brussels, we got together to plan out the year for Assurance. This is the meetings minutes and also notes on the event itself.

  1. Assurance
  2. CeBIT
  3. Roles
  4. Lightning Talk - Client Certs
  5. Support
  6. ABC Interviews
  7. Recruitment
  8. Co-Audit

Previous meetings: Munich 20090517 and Hamburg 20091215 . Planning: Events Page.

0.1 Present

Present for co-auditing meeting: Iang, Ulrich, Joost, Dirk.
Also in vicinity, involved in talks: Walter (Events), Wolfgang (Support).
Assurers Present at Fosdem: Doris, Martin (CM), Marty (Support), Dominik (Support), Nikolas, Alexander B, Hendrik, Raoul, a few additional assurers who turned up for the Assurance Party.
Also present, from sidux and mandriva teams: Magnus and Wolfgang.
Photos: Walter, Doris, Iang.

0.2 Costs

Estimated sponsored cost of the meeting: € 400 As the costs were also attributed to the entire Fosdem event, it is difficult to estimate precisely the additional costs of this meeting. Fosdem costs include these as rough estimates:

Type Who, Comments
Accom 1020 12 pax * € 85 * 2 nights / 2 each room
event dinner 300 Sunday
hotel bar 70 saturday night beers
Sunday dinner 30 doris
lunch x 3 10 Sunday
petrol from FRA 70 Ulrich, Iang, Doris, Nikolas
train wien to FRA 218 Doris, Iang
trains DE 400 10 pax x 40
misc 40 phone + semmel + semmel
Accom 0 Sunday night, 5, near Essen

Total € 2228 Estimated Floor only
per Assurer € 150 15 Assurers
per Assurance € 4 500-700 CAP forms

There are probably more costs, not recorded above.

1. Assurance

Tasks & Agenda for coming weeks.

2. CeBIT

Under control. Ulrich got the booth from Linux New Media with help from Alexander Bahlo. 10 Assurers listed over the week. Tickets being chased.

Accomodation booked so far: 3 double, 1 triple (full), 1 additional double is probably open/available.

Someone to be the on-ground coordinator is needed. Currently listed as u60, but this should change ⇒ Joost.

3. Roles

It seems clear that a lot of work has been done over the last year, and more is being planned. This has led to some suggestions as to team changes. It is proposed that Ulrich take on the Assurance Officer role. Sebastian has had less time over the last year, but may be interested in taking on something like the German Events role.

Walter Güldenberg has recently been doing a lot of work with CAcert events, at least back to June 2009, including Linuxtag Berlin, froscon, software freedom day HH (probably) Kieler Linux and Open Source Tage, Open Rhein Ruhr and this Fosdem. Did the organisation for 6. Brandenburger Linux-Infotag 2009 (contacts, did the preliminary-work). Was also at Hamburg Assurance MiniTOP and the Essen Software MiniTOP. As he is already doing a lot of work on sidux events.

Based on his experience in events, it is proposed that Walter take over the Events Team Leader role. Ulrich and Iang interviewed him and his response is positive, but not until April as his heavy business period is always Jan-Feb-Mar. This is no problem as it will take time for a transition anyway.

This would see the events team with Walter, Ulrich, Sebastian, and also supported by regulars Joost and Dirk.

The Assurance team would then be Ulrich, including all the above, and also Mario and Ted.

4. Lightning Talk - Client Certs, the Old-New Thing

Iang presented a 15 minutes Lightning Talk at Fosdem 2010 on "Client Certificates - the Old-New Thing." See Notes on wiki. Slides in ODP form and PDF form. Video is supposed to be coming. Joost took video? See the wiki page on Client Certs for more on the general topic.

Talk was well attended. Immediately followed by Assurance Party, also co-timed with the famous PGP Key-signing Party which caused immense confusion but was eventually sorted out by banning the PGPers into the siberian wastelands of the street in front. Our Assurance Party worked out well, the formula is to have assurers in rows 1,3,5, etc, approximately 5 each row, and then the Members slide in rows 0,2,4 seeking their assurances. 2 hours worth of Assurances, less crowded than last year (probably because we had a busy booth this year).

5. Support


Triage: bringing in Dominik. Joost is up to speed. Need more.

There are some issues with OTRS, it is hard to get into. Should look at some sort of training there. Need to update fiddle questions.

6. ABC interviews

On request, Interviews were conducted on Joost and Markus. Iang as interviewer, Ulrich as assistant. These are to be typed up and provided to the Arbitrator of each case. Time did not permit an interview of Dirk.

7. Recruitment

Several paths: Assurance and Software. Push is on to attract more foreigners to help with Assurance spread, and to run ATEs. Use the ATEs to find programmers.

Last year, many assurers attended ATEs who have the familiarity and are active users ... versus members who just want certificates. Former group is pre-filtered for enthusiasm. ATEs generally are run on the week-day evenings, the Assurers are people who have evenings available not weekends.

But software development is a completely different path. They tend to know much less than CAcert, need a task/project, weekends are available. Chicken-egg problem. henne-ei problem.

Karlsberg / mozilla connection (no notes).

Contact with Marco C., from Koan s.a.s, Milan. May be able to talk to Universities about ATEs. Not between Mid-June and October in Italy. Events Team Leader to pursue.

Specialists in embedded systems, works with partner company in Wien (supplies ARMs). Interested in any embedded projects like Possum. Introduce. Sees it as a student possibility.

We had a good conversation with the EJBCA crew from PrimeKey in Sweden. Curiously, they predicted some of our observations on their CA code. 6-7 programmers, total company is around 16.

One of the most interesting things is that they are now being funded by EC in a European cooperation funding to produce CC components for re-use in other projects. The current status is "producing the security target," not a lot of component results seen as yet. Although the list is unclear, what did seem to be on it was Logging and Authorisation. The former could be interesting to BirdShack.

For protection of the root key, they suggested smartcards only. Their stuff is public on; search on extensions for requirements. they were interested in our requirements.

8. Co-Audit

8.0 preliminaries

Present: Iang, Ulrich, Joost, Dirk. Other Assurers were excluded (listed as recruits).

This was the main topic. Agenda.

8.1 software

Software for capturing the results of the co-auditing programme was presented. 3 screens, for entering the co-audit, searching, and season's report. Still a bit demo-ish, some bugs to fix.

8.2 Defining the Co-Auditor

There is:

This is about the former, who makes a good co-auditor.


Experienced Assurer means has 50 Ep. Senior Assurer means

  1. experienced
  2. has been co-audited
  3. attended ATE (5 points)
  4. CARS
Definition. Co-auditor is

  1. senior (and experienced)
  2. active in CAcert in some area
  3. has been tested and trained by co-auditor
  4. Test:
  5. recruited to co-audit programme

Nice to have:


  1. Should the first co-audits be supervised? No.
  2. No Junior co-auditors for now. We'll see about that later.
  3. After testing, co-auditor to be proposed to AO.
  4. How to get the paperwork done? Assurers to enter their co-auditor's email address into fiddle ... If the paperword is not done, we have to drop the co-auditor.
  5. Offer EPs for attending an ATE and being co-audited? This was attempted but there isn't the software support. ATE + co-audit together make the most sense.

8.4 Team

List of Founders of Co-Audit Programme. In order to bootstrap, we need a team of Co-auditors to train and sign off on new members. Easy solution is to declare by dictat who these are. Meeting went through many possibles, this list resulted (coloured group is those present at meeting):

UliATEs: Bielefeld, Duesseldorf, Muenchen, Stuttgart, Frankfurt, Eemnes, Berlin.
Others: Froscon, mrmcdx8h, IT-Business Stuttgart, Fosdem 2010
IangATEs: Innsbruck, Prague, Budapest, Paris, London, Munich
Others: CeBIT 2009, Ede, Vienna
AT AUex-auditor, Board
DirkATEs: Bielefeld, Duesseldorf, Muenchen, Frankfurt, Amsterdam, Eemnes DEpatcher, disputer
JoostATEs: Duesseldorf, Amsterdam, Eemnes NL
TedATEs: Munich, Goeteborg DEedu, Handbook
MarioATEs: Bielefeld, Hamburg DEOA, software, Board
SebastianATEs: MunichDEAO
Hans VATE: Eemnes NLAE
Bas vdDATE: Eemnes NLAE
Andreas BATEs: Frankfurt, BerlinDEOA, Software
LambertATEs: Duesseldorf, Amsterdam, EemnesNLDRO, Board

Recruits Possibles, thought to be potential recruits: Martin, Walter, Wolfgang, Alexander B, Maurice, Guillaume.

8.5 Questions / Test

Last year's test was reviewed. Some discussion on variations. Assurance Purpose was considered optional.

2010 season. Each was gone through. New list was built up. Consensus on 6 points.

  1. Understanding of CCA. This broke down further into 1.a Liability. 1.b Dispute.
  2. Spotted all errors in Em/Dob/N. There was a lot of discussion about how many errors to put in and whether this was one test or several. Joost provided new errors. Consensus led to all one test, and all errors have to be spotted.
  3. Primary Email / Account exists. This carries over, felt to be important because it achieves the dual purpose of checking account existance.
  4. Eliminates unacceptable documents. Carries over.
  5. How is a dispute filed?
  6. Ulrich suggests: Requested re-sign of pre-signed form.

Some rework is required. We still need one Q for 6. ToDo for CeBIT. Ulrich added additional, above.