A page on my work in Audit.
From January 2006 to June 2009, I worked on a systems audit of CAcert, the community certification authority. This audit was conducted under Mozilla's CA policy and directly addressed the criteria for CA audit written by David Ross. During 2008, the Audit was partly funded by a grant from NLNet Foundation in Netherlands.
In the event, I had to resign the audit. With a lot of regret. The Letter of Resignation sets out the reasons, and in brief it was because the audit was not receiving the attention it needed to bring it to a successful conclusion.
What CAcert did succeed in doing was good stuff. Most of the policy work is done and in good shape. As of time of writing, the shortfalls in documentation are: tidyup in Security Policy and CPS, and also lacking the top level index (called CCS).
Assurance: Individual Assurance was more or less covered by the audit, and is in good shape. The exceptions are seriously behind, but this is known work and fairly routine. Organisation Assurance also needs a lot of work.
Systems: One systems review visit had taken place, with another 2 anticipated. The major concern was disaster recovery, other concerns were being worked through more or less routinely.
Software: remains an issue. The current software is not a good base for the long term. Its use should be considered interim, and the CA is encouraged to make all efforts to fix that.
My resigning the audit may have triggered a series of events that led to a special general meeting of the association, in which a new board was formed. I am part of that new board, which could be said to be a caretaker board to get back on the tracks. As we have an AGM due in November, it is not likely we'll make a lot of progress.
Future of audit: The basic issues with CAcert are that it has to finish its doco (easy), get its security systems sorted out (medium), build a DR regime (hard) and try again for another audit (depends on availability of an auditor). Unfortunately, because of the way the audit world works, CAcert has to make a good faith effort at solving the issues it knows about, before talking to another auditor. It will be the first question.
Most of the public information on the audit process was recorded on the wiki page for Audit. Many presentation documents are located at AuditPresentations. A long presentation, An Open Audit of an Open CA, was an invited talk at 22nd LISA in 2008. This will need to be updated some time to present the last year's events.
Any eventual report by myself on CAcert's suitability to enter Mozilla's root list will likely appear here.
The process has been illuminating. I have recorded part of my thoughts in the above paper An Open Audit of an Open CA, and also a series of essays on the blog designed to explore how we move forward on Audit in the light of the global financial crisis:
Audits I: A Word on the Limits -- Madoff
Audits II: Two more scary words: Sarbanes-Oxley
Audits III: We don't know enough even to know what we don't know
Audits IV: How many rotten apples will spoil the barrel?
Audits V: Why did this happen to us ;-(
Audits VI: The wheel spins. Until?
Audits VII: The future of the Audit is in your hands
The short brutal question in the above is why didn't the audit process pick up the global financial crisis? And, what do we do about it?