Here we are in Brisbane, an Assurer Training Event. Quick thanks. How many people were here in the last talk? Everybody? All right, I'll go straight through. That's the rough agenda.

OK, just to recap there, CAcert and the audit. The audit had a big effect on CAcert, changed everything. So you need to know the background of what changed in order to understand why some of the other institutions have taken place. Then we'll talk about what the assurer needs to understand, particularly where they need to modify their processes. And finally, we'll do some assurances. That'll probably be in the closing stages, maybe around 5.30, depending on how fast I move through this. And it might take an hour or so. If anybody needs their assurances done quickly, they should yell at the beginning of that. OK. Whoops. As you can see, these slides are multi-purpose and brought together in different fashions.

CAcert and the audit. We need to get into the browsers so that we can get rid of these bloody messages, which you've all seen. For that, an audit is required. Now, an audit is basically this review by an external party called the Independent Auditor over the business and the systems. So it's both a governance side, business side, and a technical side. And it's done against a set of documentation, which for some reason we call policy. The essence, the easy way to remember this, is that we say what we do and we do what we say, which means that we really do need to set down a list of documentation. This is what we say. And then we have to have these policies, sorry, these systems and practices and so forth, following what we say. We need these elements. Now, when I first started in this area, CAcert, in 2005 or so, we really didn't have any of this, other than the systems themselves. So it's a big change to the way CAcert has been operating since then.

Taking the sort of vertical view, we've got two very big, important areas.
One is the assurance, and that's all the assurers, the 4,000 people around the world, and that in CA terms or PKI terms is called the Registration Authority or RA. Then we have the systems, and these simply issue the certificates according to the say-so of the RA. So the CA and the RA are different areas. Finally, there is the community of users. These are what we call members. They're all members of the community according to an agreement. In typical PKI terminology, we talk about subscribers being the people with the certificates and then relying parties being the people who read and rely on those certificates. For us, they're all the same. They're all the community.

How the audit affected assurance. We needed a policy. Assurance Policy is now in full policy status, has been for two years. That means it's binding on all the assurers. It's a valid document that tells you what to do and you have to follow it to the extent that it tells you. It's not a dictatorial document. It's more of a, it's written in a fairly guideline sense, but it is binding. And we'll see what that means a bit later. Because we've got that policy, it means that assurance, that is the RA, that is the assurance business, can be reviewed by an auditor.

Now, within this area, as far as the audit is concerned, there are three big lumps which are important. And we're going to see all those three lumps today. There's the Assurer Challenge. That is the challenge that sets a basic benchmark, a measurable point on the map for all assurers. Then there's the ATE or Assurer Training Event. That's this event right now. That's intended for people who are more or less assurers, are close to being assurers, are ready to be assurers, but more or less have done a bit of assurance. Because it takes you to the next stage. Then there's a thing called Co-Audit. And that will come out in the assurances afterwards. And what that involves is you, the assurer, assuring me, the Co-Auditor.
And I will note down some various little bits and pieces, some tests, and I will feed that information into a database. Those three big areas.

Let's talk about the CAcert Assurer Challenge. Who here has done the CAcert Assurer Challenge? One, two, three, four. Okay, four. So there's some work to be done there. It's pretty simple. 25 multiple choice questions. You just need 80%. You can do it as many times as you like. You can do it with books beside you. You can do it with friends beside you. Maybe I shouldn't say that. All it does is set a minimum standard. It means we can talk to the auditor and say, look, all of our assurers, when they issue their points, they've passed the CAcert Assurer Challenge. They've reached a certain benchmark. He might then come back and say, oh, we need to raise it. Or we need to lower it or move it left or right or something like that. But we can have that conversation. That's all it does. Sets a standard.

The next part, the Assurer Training Event. It's here. We've been in a number of places. This is my fourth in Australia. The German guys have done a lot. There's been ones done across all of Europe at this stage. And we hope to do the USA some time later in this year. The issue here is what you need to know. What you do need to know to be updated to the modern techniques of assurance.

Co-audit, I mentioned before, basically that's the assurer doing an assurance over some individual called a co-auditor. He's standing in for the auditor and he'll run through a bunch of little test questions in his mind. As you do the assurance, you're going to run through all the things you need to do. He'll be noting those down and putting it into a system, an online system, which collates all this information. What it does is it basically answers the question, how do we know our assurers are doing the right thing? And it turns out that there's an audit criterion that says exactly that. We have to document the CP details. That's the CPS or CP.
How the CA, that's CAcert, verifies that all you assurers are operating in accord with the policy. And we do this with co-audit, as it says there, verifies the quality of assurance over time. And then we can have that conversation with the auditor as to whether that's good enough. We can also know ourselves.

Some changes that have come in, detailed changes: the member now states some things on the CAP form, and the CAP form, that piece of paper that creates the basis of the evidence for each assurance, has these things in it or should have these things in it. The member should say that the information they record on that form is correct. That's for all the normal legal reasons. They're supposed to say, this is the correct information, I'm not lying. They also say that they request the assurance. And that's there because what we want to do is get this permission to interfere with their privacy. That is, you're gonna keep their information for the next seven years. You have their permission to do so because they requested the assurance. Finally, it says that the member agrees to the CCA, and we'll come back to more about that. That's basically the member saying, yes, I'm part of the community. I agree to the legal document, which is called the agreement or the licence. I'm part of it all. And another change is that the assurer states that the assurance was done according to Assurance Policy. Fairly simple statement. It basically reminds you that you're part of the whole thing as well.

All right. Another thing that's happened which helps audit and helps our management a lot is that an assurer can now make a reliable statement. Now, what is all this about? The CAP form was the original reliable statement. Basically the CAP form, that document that you do the assurance on, is a statement that the rest of the community relies upon. In there, you allocate a bunch of points. Those points go into the database and that database tells the CA to issue a certificate.
And from that certificate, people will make decisions that will rely. So we've broadened that concept by having this fairly simple thing, which you can see there as "Ian G, CARS". If you stick CARS on the end of your name and stick that on the end of a report, what you're basically signifying is that you, the community, everybody in the community, can rely on this and you can come back and get some account if something goes wrong. And this allows us to do various reporting activities such that I can take, for example, the results of today's event and I can report it back to CAcert central, wherever that happens to be, and everybody there can rely that these things have been done. This can then be collated and passed across to the auditor. What does this mean? It seems very bureaucratic and boring and blah, blah, blah, but what it does mean in practical terms is the auditor doesn't have to come here and check. The auditor doesn't have to come and see every one of you guys because the auditor has been told somebody did it and they put their name to it. That means we can actually scale the community across the world and make it auditable. This is used in certificates, testings, and the co-audit process that we'll see later is also part of it.

Okay, a bit of practical history here. 2009, the review of assurance. I was the auditor at the time. I gathered the evidence that I needed over the various assurers in Europe. It took me a month to swing around Europe. I did eight different cities. I collected it all, I analysed it and I was prepared to go forward and issue the audit report over the assurance side. Unfortunately, we had to terminate for other reasons. Basically, the audit ran into time, cost and resources difficulties. In terms of starting a new assurance review, we then spent quite a bit of time tidying up the results of that for assurance, and for the last six months or so, we've been ready to start a new assurance audit.
We just need to find the guy to do that, the person to do the assurance audit, and get going on it, so we are ready to do that. That's a result, if you like. Okay, that was all about the assurance side.

A little bit of story, a similar story on the system side. The system side is unfortunately behind the assurance side as far as audit goes. We've got secure hosting in this town called Ede in the Netherlands and it's a very good new secure data centre; I've been there many times and checked it out. We've got teams in place that look after the servers. We've got teams in place that look after the access to the servers. We've also got a team, a small team, doing infrastructure stuff. We have the machines there. We have an entire rack. It's all locked and so forth and the whole facility's guarded by retina scanners and all that sort of stuff. In documentation terms, we have a Security Policy. That is about 17 pages long. It was a labour of love. It took us at least a year's work talking to everybody to produce that document. We've got it in a draft mode which is binding. And then the third component of the systems, if you like, is the software. We do have working software, of course, but the problem with the software is that we do need to do some more work on that.

I've run ahead here. The systems, yeah, as I mentioned, we've got the teams. Systems in the secure facility. The Security Policy's been to draft and it's binding. What that means is, because it's a policy, because we have a good policy group that creates these documents and because we've passed the power to create solid binding policy, the Security Policy does bind the community and all the various roles. And that's important for the audit process, also for the privacy process.

We still have a bunch of problems to resolve with the system side. Infrastructure machines. These are basically Linux machines that are running things like the blog, the wiki, the SVN, et cetera. They need to be taken out of Ede.
We did manage to get a long way forward on that role, on that task, but the effort collapsed due to arguments between the board and the Swiss hosting people. So we have to really start that again.

The next thing is roots. We have to recreate our roots. And to do that, we have to know how to escrow and recover the roots and also do disaster recovery. That project has had some thinking done over the last year or so and it'll probably get into high gear in the next three to six months. The issue there is how do we take a distributed group of people, give them a copy of the root key, have it protected, but when we need to, bring them together so we can recover the root key. It's not an easy problem. For example, if you've been following the DNSSEC world, the security version of DNS has more or less got the same situation. The way they're doing it is complicated and expensive. It means that people who are involved in the critical root team have to travel to the USA something like four times a year and be there for meetings on and on. It's difficult and expensive. So we'll be looking for something a bit cheaper than that. Disaster recovery, it's more or less recovering that root, and recovering the systems has to be thought about. Team size, we need more people in the teams.

Okay, software. We reviewed the existing software from an audit perspective and decided that the existing software really isn't up to scratch. So we've started a new team to be able to work on the software. This has not had a good start. We've got the architecture done. We've got the high level architecture completely covered, but what we need now is to get started on the code and it's a matter of getting enough people together in a room and hacking something out, because it's hard to start open source projects, if you like, from scratch. So we're not quite there yet. The old software is now in maintenance mode.
We've now built good teams to look after that and they're starting to work through patches, but we still need to get new software to replace it.

Okay, how did the audit affect the community? And this is where it starts to get complex in business terms. Audits work towards a criteria and our criteria is called DRC for David Ross Criteria. He started the audit back in 2005 or so. He wrote his criteria but then got called on to other things. The criteria has a very strong feature in it. It requires that the risks, liabilities and obligations for everybody are stated in some fashion or other to everybody, to everyone. Now, this caused us a lot of problems. We didn't really know what that meant. What are risks, liabilities and obligations? How do they affect people with certificates? How do they affect the people using the certificates? It's not entirely clear whether they can apply to us as members or to other people around the world. And how sustainable are they? Can we pay for these things? All sorts of issues were raised.

And at the root of the thinking turned out to be a bit of a problem. There's a subtle barrier with the risks, liabilities and obligations. The criteria in the audit didn't require that we deliver any fair user experience or message or anything like that. We didn't have to come up with a fair contract. But because we disclosed, or we were required to disclose, all these things, all this legal blah blah, and because CAcert was a community of people, not a corporate business, we kind of resolved that we had to be fair about these and give everybody a fair deal. Which more or less meant that we had to deal with every one of these risks, liabilities and obligations and figure out how to allocate them. Out of this came the need for a document. At that point in time, back in 2005, 2006, we didn't have a formal instantiation of what it meant to be part of CAcert. You just joined on the website.
So we had to sit down and write a CAcert Community Agreement, a legal signing-up style of document. And that had to do many things. And we knew all this when we were writing it out because we thought about it. It had to turn us into a community, which is to say a defined community, not a random or casual community, but a highly defined community. There had to be a serious sign-up. We had to state all the risks, liabilities and obligations, and you'll see sections in there: risks, liabilities and obligations. We had to put a limit of liability in there. Up until this point, there was no limit on liability. So technically, you were exposed as assurers, as participants, to unlimited liability. It wasn't zero, as some people thought, it was unlimited. So somebody could sue you in court and imagine some terrible crime or whatever and get away with charging you a lot of money. So we put a limit of liability in there, 1,000 euros. It's euros because the document was approved in Europe at a top meeting of all the directors, and they just happened to be in Europe at the time, although none of them were Europeans. It could have been any other currency, whatever.

We had to do something else as well. Once you've got a liability, 1,000 euros or whatever it is, you've got to figure out how to pay for it. So imagine you've just been granted some award of 1,000 euros, who's going to pay for that? Well, we have to shift it back to the members themselves because CAcert itself doesn't have a lot of money, and anybody who's got a lot of money tends to attract suitors, if you like. So how do we allocate these liabilities back? Well, the way to formally allocate liabilities from one party to another is called dispute resolution. And you can do this by setting up your own forum of dispute resolution. This is called arbitration. And it hooks into a thing called the Arbitration Act, which is more or less duplicated across the world.
Most countries, by far the majority of countries, have a thing called the Arbitration Act, sometimes with a little bit different wording. And what it basically says is, if you agree to arbitrate your differences in a commercial dispute, then to arbitration you will go. And the courts won't entertain your case. So in the CCA, the CAcert Community Agreement, in clause 3.2, there is literally that statement. We agree to refer our disputes to our own forum of arbitration. And the next element that we needed, as well as the agreement, was the way to do an arbitration, the way to handle it. And these are typically called the rules of arbitration. In our case, we call it a policy. It's the Dispute Resolution Policy. So we had to sit down and write that and we had to get it approved for the community, in the community.

So we ended up with this forum of arbitration, which means that if something goes wrong with certificates, remembering that certificates are supposed to be important, they're supposed to be used to protect people, they're supposed to be used for online banking and money transfers and all this sort of stuff. If they're important, what happens when something goes wrong? Who pays? This question we've looked at and we figured it out, that we need to allocate the costs from one person to another. How do we do this? Well, because this is a liability, we have to allocate that liability from one party to another. Now, it's simple enough to just limit the liabilities in a contract. We did that. We put a 1,000 euro limitation on there. But that's not all the story. How do we allocate the liabilities? The cheap and simple way to do this is your own arbitration. Why is it cheap and simple? Well, because we can do it with our own rules. We don't have to go back to the law. We don't have to employ lawyers. We don't have to go to court. So if something really does blow up in this super important world of certificates, we can do it with our own people.
And typically, our arbitrations, we've had well over 100 go through at this stage. The arbitrator works for zero money. He writes a ruling that awards, that basically tells the people who are in dispute what to do. No money has ever been awarded to date, obviously because we're part of a friendly community. We don't want to do that. And to my knowledge, he's never actually instructed any, the arbitrators have never instructed any punishment at all. But one day it will come. It's a method there to deal with liabilities.

Okay. So this arbitration thing has kind of snuck in there. The camel has put his nose under the tent. And now what has happened, arbitration is part of the way in which things are done in CAcert. It's important for every assurer to understand that at the back of everything sits this arbitration thing.

Back to the audit. I mentioned earlier, yeah, it went into high gear in 2009. The assurance part of the audit went well. It was all collected. The systems part didn't go so well. We have a big list of issues there to deal with. But it collapsed because of the lack of capacity for the community to deal with these problems. Fundamentally, these problems were mostly on the system side. And also lack of funding.

So how is the community responding to all this? Well, we're rebuilding that software. We've started on that. We've rebuilt the teams, primarily for the existing software. And we've also taken on a big role of pushing as much work as possible out to the community. We've employed, not employed, but recruited lots of people to help us do various things. And you're seeing these things with this ATE process, with the co-audit process that comes afterwards. Now the community is doing a lot more. The review for assurance is pretty much ready to go. We could do that as soon as we can find the body to do the auditing there. But meanwhile, what we're doing is collecting all the data to prepare and hand to that assurance, to hand to the auditor.
That's again what this ATE process is about, collecting that data. Also, we need funding. Well, doesn't everybody? Right, there's some planning documents. Half of that is done. Half of it will be done this year. As always, plans shift and change.

Okay. The point there was to establish, oh, keep doing that, to establish that at the back of everything that's going on in CAcert, there are a lot of different systems. And one of the biggest things is this arbitration. The audit has caused a lot of things to change. So there's both a foreground and a background story.

Arbitration controls terminations of the account. So for example, if you're using a certificate and you've made some legally interesting statement yesterday and sold a house, and today you've decided to run off with the money, and tomorrow you resign from CAcert, arbitration will control whether you can actually resign from CAcert. And it'll control your statements to make sure that you haven't caused a problem for somebody else. That's one thing. If you need to change your name, that has an effect on the web of trust because everybody has gone and assured you in a particular name. And now you want to change your name to something else, or there's an error in your name. For example, if somebody gets married, that will then go through arbitration and the arbitrator will look at the circumstances and say, oh, okay, this is the situation. Here is an order, a ruling, to the system administrators to act and change the stuff in the database. Another one is if the system administrators happen to be out at Ede in the Netherlands and they're mucking around with systems and something breaks and suddenly they're in a mess, they can't do something because they haven't got enough people there, but they have to respond quickly and break the rules. If you break a policy in CAcert, you then turn around and file a dispute against yourself and get the arbitrator to rule whether you were right or wrong.
So for example, we destroyed some disks in Vienna about two years ago. We all turned up to do our disk destruction exercise. Part one is wipe the disks. We took the disks out and looked at them and realised they were SCSI disks and nobody had SCSI cables. So we were all assembled and we didn't have a chance to assemble another time, so we decided to go ahead, destroy the disks physically with the various machine tools, and then afterwards we filed a dispute, got the arbitrator to review all the steps we'd taken and say, yes, okay, you have breached the procedure but it's okay, things like that. I could go on for days on what we use arbitration for. Any other questions before I get stuck in?

Okay, now we're talking about the specific things that the assurer needs to know. The Assurer Challenge, I already asked how many people have passed that challenge. We talked about it, introduced a few years ago, 80% of 25. You can do it as many times as you like. 4,136 had done it as of last night. Probably even that number is now 4,139 or something. People are doing it all the time.

You need to know about the essential policy. The way the policies work, we do have a policy group that creates these binding documents. It is a democratic process. You get in there and vote on the things. We've just done a change recently to the Dispute Resolution Policy. It took two weeks to get through and it cleared as of this weekend, so there has been a change put through to a policy. It's an ongoing process. However, the essential policy set that you need for assurance and that we need for audit is complete and working.

The first policy you need to know about is this CAcert Community Agreement. This one, members will ask you about. So it's worth reading at least once. You don't have to know it, but you do need to know where it is. All the policies are located in that URL, the bold part there, /policy/, which I find I'm typing in every day or so.
I should probably have a bookmark but I just type /policy/ and away we go. The agreement is essentially between every member and CAcert Inc, the New South Wales association, which creates the community.

Then there's your Assurance Policy. Again, you need to know where it is. You need to read it or flick through it at least once just to get a view of what's going on. And you probably need to have it at your side when you're doing the CAcert Assurer Challenge. The way the Assurance Policy works is that it authorises subsidiary policies for various tricky areas. And we have three of them and a few more in the pipeline. PoJAM is the Policy on Junior Assurers and Members. And basically what that's talking about is what do we do with people who are under 18 years old? Cover that in a bit. There is also a new policy come through, a subsidiary policy for TTPs, that is, doing an assurance remotely. That is halfway through getting implemented. There's the Organisation Assurance Policy which tells us how to assure an organisation. There's others that are coming through. And you need to sort of have this view that, oh yeah, there are special cases. Special cases are handled by the subsidiary policies.

On the side of the assurance policies, there is the Assurance Handbook. And this is basically a wiki page. It means that anybody can get in there and change it and improve it. This is the document that is managed directly by the Assurance Officer, but he's very happy to have any help. This is where all the detailed stuff gets put. The policy authorises the handbook. So basically it's set up such that if you've got some questions or you wanna modify some procedures, you can do that. All the procedures are listed in there in some fashion or other.

There's a new document that's come through, the Root Distribution License. This allows everybody to distribute the root. It actually applies outside the community.
Most of the things apply to only people in the community, but this is one thing where it goes out and says anybody can distribute our root. And it also has this little extra bit in there that says, well, you have the licence to distribute the root, but if you're not a member of CAcert, you're not allowed to rely. And the reason for that is because in CAcert, everybody's in agreement to the CCA, the CAcert Community Agreement. Everybody can therefore go to arbitration and get the arbitrator to award damages. But if we're talking about somebody who's outside the community, we can't really cope with that. It's not really possible to have somebody from outside the community come in and get damages because they're not really part of the scene. They're not following the policies. They're not following the obligations as far as looking after things. So the easy way around that is that people outside the community cannot rely. What they can do is use the certificate, which is to say you can put in any client certificate or you can use an SSL certificate as per how your software does things. So it gives you more or less everything you need. What it doesn't do is give you the legal links in to cause problems to our members. So there's a firewall, if you like. Membership is a firewall. Yeah, yes, yes.

Usage and reliance are defined terms. They are defined differently to other CAs and that might cause some confusion. Usage is more or less defined to be however your software does it. So if I send you a mail and it happens to be signed by a CAcert certificate, that's fine. Anybody in the world can receive that mail and check that the signature matches. What you can't do, however, is rely. Rely means to make a decision informed wholly or partly on the contents of the certificate. So in this context, if I was to send this user an email and the email was signed by the certificate, the certificate says my name is Ian Grigg.
That information can be used, but you can't rely on it, which is to say the person who's outside CAcert cannot then issue me a loan, take credit, sell me a house, buy a house, do some high performance, high, what do they call it? Hire purchase.

Yeah, it's exactly modelled. Yeah, it's exactly modelled on open source licences. Here it is, complete disclaimer. You can use it, don't come back to us. But if you do want to rely, if you do want to make decisions, get involved in the issues of damages and liabilities and so forth, join. Just join, it's easy. And then you're part of it. Yeah.

That they're using or relying. That would be relying. Well, I don't know what it is, but I don't care. As long as you don't come back to us and sue us, we don't care. If you take all the loss for something that goes wrong, that's your problem. When you come and sue CAcert, however, because you've lost, if you're not a member, you're not allowed to rely. If you're not allowed to rely, you're not allowed to make a decision that could cause a problem. So if you like, it depends on how you act. You're following the logic. Yes, that's right.

And that is a question that is gonna be placed for the browser manufacturers. They've answered that question. Yeah, it's not. Oh, no, that's because of the audit. Yeah, yeah. But when the audit is done, we will then go and present that and we'll say, this is how we do it. Yes, that's right. Your people cannot rely on our certificates. And that is somewhat different to the verbiage that you will see from every other CA. It's usually not really. That's right. That's the problem. If you read the phone. That's right. The difference between CAcert and the other certificates, the other CAs, as far as the end user is concerned, is almost nothing. The difference is we use the words in a different definition set. And I would say we're somewhat more, shall we say, applicable and honest about what we really mean.
Whereas the other CAs will set themselves up with an agreement that says, yes, you may rely, but reliance is worthless because of all the other legal defences. We're saying reliance means a lot. It could mean a thousand euros, but you can't use that. It's a difference in definitions. And that's the discussion we're gonna have to have with the manufacturers when we get to that point.

Yeah, just on your first point there, I think that is what they would like you to believe. However, actuarial science only happens when there is a payout. So you can see that they've never paid out. There is no event in known history where a CA has paid out. And if you look at the strategy and history of the way they set things up, it isn't intended to happen. As opposed to an insurance company, which will pay out, as you can see in Brisbane now, some houses will be covered, some houses won't.

We now have a new program. We'll probably not be using lawyers, et cetera, in the future, partly because of that problem, and we'll be using in the USA more like notaries public, because they are much more suited to the role of signing documents in a fairly simplistic fashion. In Australia? Yes, we'll be using JPs in Australia more likely. Any other question?

So yeah, the Root Distribution License is literally modelled on an open source licence. There used to be a thing called the Non-Related Persons Disclaimer and Licence, but that's now being withdrawn because it just didn't work, legally speaking. We got that one wrong. Oops.

Dispute Resolution Policy. This is the rules of arbitration. What happens when something goes wrong? This document will tell you about it. As an assurer, you need to know how this is handled. You don't need to understand the policy. You just need to know where it is, what it's about.

Here's one that's kind of evolving. The practice on names.
With assurance, we spend a lot of time, especially in strange countries like Europe and so forth, where they have strange names and different character sets and so forth. We spend a lot of time on what names can translate to what other names, especially with passports, which are done in ASCII and the various other countries which do their naming in different character sets. It doesn't really affect the Anglo naming system because the Anglo names are more or less in alignment with all the identity documents, but it does affect Europe and Asia a lot. Okay, now getting into the meat of it. One of the things that the assurance policy does is state the purpose of assurance. This is pretty important, although it might not be clear or expected. We need that purpose to be able to ground the points, to be able to ground everything else, the message that comes out of the Web of Trust. The wider purpose creates this ability to speak to the rest of the organization. And the purpose is to simply copy the stuff straight from the policy. The purpose of assurance is to add confidence in the statement that's made by the community of a member. So each of the members have this set of points allocated to them. Each of these points represents confidence which can be added together to create that assurance statement. So immediately we have to ask ourselves what is the assurance statement? And that's the very next section in the book. The assurance statement makes five different claims about people. And this is all relatively new stuff to assurance. If you've not kept up with the last, for the last couple of years, this will be new stuff to you. There are five things to check. Now we call this the five finger rule. The first thing is that the member is really, or the person you're assuring is a member of CAcert's community. And that is defined by agreeing to the CAcert Community Agreement. The second thing is that they have a login account.
Now the reason that's interesting is because it establishes their technical details as to how we interface. But it also equally establishes that they're a member both by agreeing personally and by having the account on the system. They've agreed to be a member. And you can establish this fairly easily by asking them what is the primary email account that they have in the system? You don't need to ask them whether they have a login account. You just need to ask what's their primary email account? If you've got their primary email account written down, this makes a whole lot of other things easier and it answers these questions. This is more or less a statement of fact which glues everything together. The member can be determined from any CAcert certificate. That's because every certificate has a serial number in it. So if we've got the certificate, we can map that to the account. If we've got the account, we can use the assurance process to map that to the person which leads us to the next part, arbitration. The member's bound into the arbitration which means that if there's a problem with any certificate, remembering certificates are supposed to be used for important things, then we can go from that important thing to having a look at the certificate, specifically the serial number inside the certificate, then back to the account and then to the person. And we can bring that person to arbitration. So we have a control on people doing bad things. Finally, and this is why it's called the five fingers, we've got four fingers and a thumb, we've got the classical thing that CAs do. What we talked about before, those first four things are not done by other CAs. But everything that's in this section is pretty much done by most CAs. This is the classical PKI thing. We know the personal details of the member, we know their individual name, we know their email address, and we know something magical about them. In this case, we call it the secondary distinguishing feature.
For CAs, it's always the date of birth. But the way the policy is written, we don't want to stress that it has to be the date of birth because we want to find other things as well. Date of birth is a privacy risk for us depending on which country you're talking about. So it's written in a slightly flexible way in the policy. But in essence, we know the name, their primary email address, any others they add in, of course, and their date of birth. All of these five things are part of your assurance process. You've got to check all these five things. Well, you don't need to check number three because it's a statement of fact, but it kind of glues the rest together. And in making this statement over those five things, in making that assurance statement, you're adding confidence by allocating points into the web of trust. It's a big shift. We've taken away the emphasis from simply measuring the person's name to a two-fold thing. Yes, we know their name, but also we know how to bring them to arbitration. We know how to take every one of you and allocate some liability to you. That's a pretty big shift. Okay, let's talk about the CCA or CAcert Community Agreement. We have, of course, lots of abbreviations in CAcert because writing all these things out in long just takes too long. We're all part of a community. It applies equally to everybody and as a little bit of a surprise, perhaps to some, CAcert Inc is also bound by this, being the counterparty, but it's also bound in other ways. The same goes for arbitrators. They are part of the community. And finally, for the auditor. The auditor is also limited in the power that they acquire by this CCA. It does mean once you've agreed to the CCA, you can rely on the certificates where reliance is that definition of, yes, you can make a purposeful decision relying in some part on that information. You can incur liabilities you can expect to be covered in some sense or other.
The CCA specifies those risks, liabilities and obligations and this is fairly basic stuff. It just had to be listed because of that audit process. Things like you can be exposed to a bad certificate. Yes, of course we can issue a bad certificate and you know from history, from reading some various articles and so forth, some CAs have issued some bad certificates. At the moment, the current story is the FF4, somebody has got a list of certificates they've scanned and found some very dodgy ones. Yeah, that can happen. That's a risk that you face. There's another risk that you can be hit by some bad security, that is your own laptop could be insecure. Yeah, you've got to know these things. There's a liability discussion in there. You could be hit with a thousand euro fine. The basic consensus that came out of the discussion of that back in 2007 when we finally approved this document was that likely we're never gonna see a fine that big but if we do, if we do get to 999 euros of liability which you've been fined for, probably the next thing we'll just ask you to leave the community. There are much more friendly ways in the arbitration process. The arbitrator is encouraged to look at more gentle ways to remind you of your responsibilities. So for example, asking you or instructing you to attend a particular event, spend a day of your time rather than fining you. It's worth pointing out that all the arbitration rulings are typically published. So if you have an adverse arbitration ruling against you, this can be also a big punishment. So far, there haven't been any, or there've been very few arbitration rulings which have been, shall we say, aggressive. There has been one which has been kept secret because it identifies parties which might cause liabilities. The CCA also has these obligations in there. Yeah, you've got to keep your own laptop secure. There's no point in you having certificates on your laptop if somebody comes along and steals them.
That is one of the big threats with certificates. They'll just get stolen and used by spammers or phishers or somebody. There's a set of principles which CAcert has written. You're obliged to follow the principles. They are soft things. They're not hard things. It's more a style of how we work. Okay, legal stuff, the exciting stuff. Law of New South Wales applies. When you're in a dispute, it's the law of New South Wales if we need to go back that far. Practically speaking, we have never had to go back that far and resort to the law, but maybe one day we will. The arbitration clause is in the CCA. We agree that the disputes shall be referred to our own arbitration. And this is a particular clause that is taken from legal tradition to signify to a future judge, oh yeah, we agreed to arbitrate. We're not going into court. And typically as a matter of public policy, courts will say, you know what? These guys agreed to arbitrate, get out of here. We're too busy in our court for this sort of stuff. You agreed, go do your arbitration somewhere else. As I mentioned earlier, termination is controlled by arbitration. There's another clause in there that you have to maintain your email address. And that's simply so we can mail you and say, oh, arbitration time. Okay, how it relates to the assurance. There are multiple ways in which you agree to the CCA. One of them is your signature on a form to request assurance of identity. So as an assurer, when you're doing an assurance, you're checking that that person has agreed to the CCA. The new CAP forms have it, the old ones don't. If you had an old CAP form, then you can simply modify it. You also agree to the CCA when you sign into the website, when you get a certificate, when you do a various bunch of things. And that's because we started out at 2007 with most of the community not having heard of the CCA.
And now we're gradually working through all the people in the community and making sure that at some point, they've agreed to the CCA. And then when we get stuck in court, we have our legal document. So we have multiple ways in which we are checking if everybody's part of our community and has agreed to the CCA. Okay, that's the CCA, CAcert Community Agreement. The policy on junior assurance members, you need to know that if you're talking to somebody who's under 18, they can't enter into a legal contract as is in general. In general, this is taken straight out of the POJAM document. If the membership requires the legal contract to be formed, if the person doesn't have capacity if they're under 18, then you've got to figure out another way. And typically this means that you have to help, sorry, I'll say that again, typically the minor then has to get parental consent and carry a parental consent form around with them for each assurance. So you check to see that the person has got that parental consent. It's fairly easy to figure out that they're a minor because you're going to get their date of birth as part of the assurance. Okay, so what you've got to look for there is on your CAP form, I agree to the CCA community agreement. Make sure your form has it, make sure your member knows of it. A few other things have been added in there. According to the assurance policy. You have done the assurance according to the assurance policy, which more or less means that assurance statement, those five points that we went through that's in the assurance policy. You also state that you're an assurer. By means, this raises many questions in a detailed sense. Can the old forms be accepted? Yes. Oops. That's because there was a ruling. Somebody disputed the use of a novel assurance CAP form and the arbitrator ruled that yes, there is no formal approved form.
As long as it's got the items that are in the assurance policy, it's section four points, something I'm not sure which, as long as it's got all of the elements that are in there, then it is an assurance. And it is a good form. So you can write by hand anything else you need. The most important thing you need to write on there with the old forms is that. The reason this is important is because in Europe they've got thousands and thousands of these forms printed out, boxes of them, which they take to every event. And they've got forms which are sometimes two years old. And also the website has different ways of producing the forms and we haven't actually updated all of the ways to be correct. So basically you can add the additional parts. If you need to, you can write it in by hand. That is German writing for, I agree, to the CAcert Community Agreement. Another thing, as I mentioned earlier, that the member must request the assurance. And that's mostly so that we can handle the privacy aspects. Who can see the data? Well, you can see the data. You're the assurer, you have the CAP form. You keep it for seven years. But other people can see it as well. And primarily this is two groups. The arbitrator can see the data. It used to be in the old days that CAcert Inc could request to see your CAP forms. No more. CAcert Inc cannot see the CAP forms because they don't have that special role. The person who has the special role of resolving some access to privacy data is the arbitrator. They can resolve whether the CAP forms can be opened up and checked. The other people who can see the data are the systems administrators. But they're protected in another sense. They have to go through a fairly serious background check. They have to be approved and they follow a thing called the security policy. So they're controlled in other ways. But technically they can see the data. Another thing that you're asking the members to do is provide the valid information.
That is, the information that's on the form is correct. And that's that technical legal thing of the fact that if something does go wrong in the future we can go back and say, well, you lied. Therefore you're to blame. It's a lot easier that way if we've got that statement. As I mentioned, yeah, the assurer does the right thing. The assurance is done according to the assurance policy. And another subtle thing is, well, you actually have to make a statement that you're an assurer. The reason for this is you are breaching the members' privacy by storing their data. Only assurers are technically allowed to do that or only members of the community. We will have a problem in the future when and if CAcert becomes big and we get into the browsers and all this sort of stuff. People might pretend to be CAcert assurers and use that to get the data from various victims. So we need that statement there such that when that statement is made, people can check it. And if somebody is defrauding us or victims or the situation, they have to make another declaration which becomes a way we can attack them. Okay, variations in name. I'm gonna skim through this because it's mostly a European issue. You can reduce the information as a principle. What we call a principle of reduction. You start off with the document, the passport or the driver's license. You can then take that information and copy it onto the CAP form and then take that information and go to the online system. Remember, these things are done at different times. So we can reduce as we go through this process but we never increase. There are two times involved here. We have the face-to-face meeting and then we're back at home. Whatever we've got on the CAP form is it.
The problem arises that if you don't copy the information fully from the documents onto the CAP form or don't ensure that it is done, if you get to the online system and discover that, for example, they've got the middle name in there or some extra initials, you can't complete the assurance. So the implication is that when you're doing the assurance, you make sure that you've got all the name information from the documents and it might mean you have one name from one document and another name from another document. Copy them both in. So the subtlety here is that you can actually reduce that information when you get to the online site. If a middle name is missing on the online site, yeah, fine, you can drop that. What you can't do is add it later on if you don't have the documents in front of you. Okay. It does turn out that with multiple ID documents, often, for example, driver's licenses, not so much in this country, but in many other countries, they drop the middle name or they go for initials, whereas passports will have them all. Although assurance policy does permit multiple names, what we don't have is the software to allow multiple names. Specific rules, transliteration, yeah. That's the problem that Europeans have, say no more here. Upper or lower case is not significant. That's been ruled upon by an arbitrator. This is the Europeans working out how to deal with their funny characters. They're allowed to convert it to ASCII, but they're not allowed to go back the other way. Okay, so here's a case where the middle name was missing in the CAP form as recorded by the person. And what has happened is the assurer has then written Wolfgang in on the CAP form to ensure that it is complete. That's the blue circles. They've also written a fuller version of the surname, Schrotter, so as to collect the information about the special German characters. And now it's to reiterate. They really like their umlauts. This is the Germans again.
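The principle of reduction just described, as an added example that is not CAcert's own software: the name on each later record (document, then CAP form, then online account) may only reduce the record before it, case is ignored, and special characters may go to ASCII but never back. The transliteration table, the treatment of initials, and the rule that given and family name must always survive are this example's own assumptions.

```python
"""Check the name-reduction principle across the three records of an assurance.

Added example, not CAcert's code. Rules taken from the talk:
  * document -> CAP form -> online account may only lose information, never gain;
  * upper/lower case is not significant;
  * special characters may be converted to ASCII, not the other way round.
Assumptions of this example: the German-style transliteration table, that an
initial ("W.") counts as a reduction of "Wolfgang", and that the first and last
tokens (given and family name) must survive; only tokens in between may be dropped.
"""
from __future__ import annotations

import unicodedata

# Assumed transliteration table; the talk only says converting to ASCII is allowed.
_GERMAN = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}


def _strip_accents(text: str) -> str:
    """Remove combining marks: 'é' -> 'e', 'ö' -> 'o'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def ascii_forms(token: str) -> set[str]:
    """ASCII spellings accepted for one lower-cased token: the German-style
    expansion (ö -> oe) and the plain accent-stripped form (ö -> o)."""
    low = token.lower()
    expanded = "".join(_GERMAN.get(c, c) for c in low)
    return {_strip_accents(expanded), _strip_accents(low)}


def token_reduces(later: str, earlier: str) -> bool:
    """True if `later` is an allowed reduction of `earlier`: the same token
    ignoring case, an ASCII transliteration of it, or an initial of it.
    ASCII back to special characters is deliberately rejected."""
    a, b = later.lower(), earlier.lower()
    if a == b:
        return True
    if a.isascii() and a in ascii_forms(b):
        return True
    initial = a.rstrip(".")
    return len(initial) == 1 and _strip_accents(b).startswith(initial)


def name_reduces(later: str, earlier: str) -> tuple[bool, str]:
    """Check that the full name `later` only reduces `earlier`.

    Tokens keep their order; middle tokens may be dropped or shortened to an
    initial, but nothing may be added. Given and family name must survive."""
    lt, et = later.split(), earlier.split()
    if not lt or not et:
        return False, "empty name"
    if not token_reduces(lt[0], et[0]):
        return False, f"given name {lt[0]!r} does not reduce {et[0]!r}"
    if not token_reduces(lt[-1], et[-1]):
        return False, f"family name {lt[-1]!r} does not reduce {et[-1]!r}"
    pos = 1  # scan the middle tokens of `earlier` in order
    for tok in lt[1:-1]:
        while pos < len(et) - 1 and not token_reduces(tok, et[pos]):
            pos += 1
        if pos >= len(et) - 1:
            return False, f"{tok!r} was added; it is not on the earlier record"
        pos += 1
    return True, "ok"


def check_assurance(document_names: list[str], cap_form_name: str, online_name: str) -> list[str]:
    """Return the list of problems; empty means the CAP form carries every name
    part from every document and the online account only reduces the CAP form."""
    problems = []
    # Step 1 (face-to-face): each document's name must be fully on the CAP form,
    # i.e. every document name must itself be a reduction of the form's name.
    for doc in document_names:
        ok, why = name_reduces(doc, cap_form_name)
        if not ok:
            problems.append(f"document name {doc!r} is not fully on the CAP form: {why}")
    # Step 2 (back at home): the online name may drop information, never add it.
    ok, why = name_reduces(online_name, cap_form_name)
    if not ok:
        problems.append(f"online name {online_name!r} cannot be completed from the CAP form: {why}")
    return problems


if __name__ == "__main__":
    # Constructed sample: passport with umlaut and middle name, licence with an
    # initial and ASCII spelling; the assurer copied the full name onto the form.
    docs = ["Hans Wolfgang Schrötter", "Hans W. Schroetter"]
    print(check_assurance(docs, "Hans Wolfgang Schrötter", "Hans Schrotter"))   # []
    # The assurer forgot the middle name on the form: both later steps now fail.
    print(check_assurance(docs[:1], "Hans Schrötter", "Hans Wolfgang Schrötter"))
```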
You've got to get it right, otherwise. Okay, practice on names should detail all this, although it's an evolving document. It's probably not as relevant for the Anglo countries because we have far fewer problems. Here we do have a problem, dates of birth. Dates of birth do tend to cause a lot of mistakes. If you get a mistake here, you will have the problem that the online system will present you with a date. If it happens to be wrong, you're stuffed. How we can deal with this? Well, write the month in words. Write the year in full. Don't stick 11 on there. Put 2011, because there will be a day this year where we've got 11, 11, 11. This can get confusing if it's 9, 10, 11, for example. Remember that, for example, Americans swap things around, boom, boom, boom. It can be a problem. If you're confused about what format the documents have, and this will happen as well, you can ask the member; they will know their birth date, it's the sort of thing they should know about. Okay, signatures. The simple requirement is that the member signs before the assurer. We're not graphologists, which is to say, we're not detecting forgeries. We're simply raising a barrier. If the person can forge the signature, well and good, they can do that. We won't beat them on that. But it turns out it's easy to forge a signature when you're at home and you got all the time in the world. It's easy to pretend to squiggle something in front of somebody, but it's much harder to forge a good signature in front of somebody who's watching you. So we simply ask them to sign in front of us. And if you see a deviation between that and the documents, you can discuss it. The signature doesn't have to match entirely what's going on in that document. You don't have to really match up those documents. What you do have to do is make sure that they've signed and that it seems to be about right.
It's better to ask for additional documents and check additional documents and just get a feeling for what the person is up to. There are bona fide reasons for signatures to change. What you don't wanna do is get into a fight with somebody that the signature is not right, therefore they're not the right person. This is not gonna happen. It's extremely rare. Sometimes banks get a bit antsy about this, but really that's not what we're about. Okay, various forms of documents. There are lots of documents out there. Australia happens to be fairly easy. We have two basic documents, the passport and the driver's license. That covers most everybody. There are a couple of variations. The states will issue straight identity documents and sometimes you can get student documents or age documents. If you really wanna know about this sort of stuff, you can get this little Australian ID checking guide which covers most of the state issued documents. Unfortunately, they cost $10 a pop, so it's less easy. On the website, on the Wiki, there is a list of Australian documents with photos of each of the driver's licenses. You probably should all be familiar with the passports. Where it becomes more important again is in Europe. They have a lot of borders. They have a lot of countries next to each other. People are traveling all the time so they can end up with a completely new set of documents. That's not gonna happen in Australia. You're mostly gonna be dealing with straight, familiar documents. You do your homework if you're in that situation. You check out what they want to show you. You go research it on the net. Lots of places to look for. There's the Australian information. You want as much documentation as they can give you, but fundamentally you need one good quality photo government ID. You should ask for others. There are lots of others out there, firearms, security licenses. The police have their own documents. 
The defense forces have a document and the various federal and state departments issue documents. I would call all of those secondary. The reason being that some of them are issued for different purposes and different arrangements. For example, I have a federal department that's issued me with a document. It turns out it's a piece of plastic with an RFID and a printing over the top which can be peeled off. So although the RFID is fantastic for getting me in the building, the piece of plastic can be pulled off and somebody else's can be put on there. It's easy to forge as far as we're concerned because we don't read the RFIDs. So a lot of these aren't gonna be much use to you, but they can be great collateral information. Where to find out? On our wiki, wiki.cacert.org, there are documents, there is an Australian page there. That's Europe. The standard, we're looking for a government issued photo document with the name and the date of birth in it. Ask for more documents. Now, that is a standard. It's not an iron cast rule. It's not absolutely mandated. And the reason being, we at CAcert think we actually belong around the world. There are many countries in the world that do not issue acceptable documents. There are many countries in the world that don't issue any documents at all. So we have to go into those countries with an open mind and figure out how we're gonna do things. This is not an iron cast rule. But it's the standard which we're operating to at the moment. You have to find some way to at least analogize that, to at least be comparable to that, at the moment. Compare the information, the full name, the date of birth, as we discussed. The expiry date on the document is not an issue for us. If the document has expired, if a driver's license has expired, that person can't drive. But it's still a good document for us. If their passport has expired, they can't travel. But that doesn't affect us.
We want to know who they are and that we can bring them to arbitration and that we know their name. An expired passport's a perfectly good way of showing that for us. We can record the type that is the issuing authority, which will typically be something like Canberra or Brisbane or Sydney or something like that for a passport or the state, New South Wales or Queensland for the driver's license. We can record the country. We can do things like recording the expiry date. But what we can't do is record the serial numbers. We don't record the serial numbers because that can help identity theft. So we simply don't keep that number. Credit cards, be careful of those. They just have a name on them. We don't want to see the numbers. We don't want to really get involved in that. So it's kind of an iffy thing. They might have a credit card, but how valuable is that? Another thing is you don't go and share the documents. If you're in an assurance situation and you're concerned about something, you want to go ask somebody else to help you get the user's permission first. There are kind of bona fide ways in which if you've got a senior assurer there, you can turn around to them and talk. But be sensitive to the issue that you have been requested to share their information. Nobody else. So there's an issue there. No photocopies. We used to do photocopies of documents and store them. That's not allowed anymore and that's come out because of privacy regulations. The privacy principle is if you have a valid reason, you can keep the data. We do not have a valid reason for keeping photocopies of documents. So we don't keep them. We have to be able to show a valid reason within a sense of policies and so forth for every data we keep as a privacy principle which is more or less accepted by regulators around the world these days. Obviously, look for signs of tampering.
I have no idea whether the Europeans managed to acquire that document, but apparently somebody from Woomera has gone into Europe and tried to get assured with that document. Check the photo. The older documents do tend to have problems and surprisingly newer documents do have problems as well, but people don't look the same. So check that and maybe discuss it. Check the expiry date to tell you how old the document is. Look for security features. Modern documents have lots of fun security features. If you're into this assurance game, if you go to Europe, they'll have UV lamps everywhere and they'll be using that to check all the special features that are in there. What you do is you look, then you write them down and you check it out unless you're already familiar. For example, in the Australian passport, one that you should know, down the back on the very last page, there are lines of various information and there's horizontal lines. If you take a magnifying glass to those lines, they're not actually hard lines. They are very small micro-print of Waltzing Matilda. The lines of Waltzing Matilda are in the Australian passport. So you can use that to check the quality of the production of the document. It's quite common for driver's licenses to have multiple photographs in them in different fashions. Unfamiliar documents, surprise. Yes, there are many strange documents out there, many useless documents and inappropriate ones, et cetera, et cetera. Don't panic. The thing to say here is, and just remember this statement, these documents are unfamiliar to me. Why is this? It's a web of trust. We're taking your points and we're adding it into the whole credibility of the entire community. So we're looking for your judgment. The assurance is your judgment over this person and that information is going into the web of trust. So we want you to make your best judgment. When you come across some strange document, we want you to issue less points.
You say here, you can say things like these documents are unfamiliar to me and you can verify what's on them and you can record the information. You have the option of doing a late decision, what the Europeans call a late decision, which means you don't put the points on the form, you go home and research the document if you're uncomfortable with it and then you can allocate zero points. It's as simple as that. We're after your judgment. Your confidence in the assurance statement is what we're trying to get you to measure and the assurance policy says, if you have zero confidence, then you issue zero points. If you don't know anything about these documents, then you can't add your confidence into the web of trust, that's zero points. An alternative is if you've got negative confidence, which is you're suspicious of something. In this case, you carry on, you collect the evidence and then you file a dispute later on. Now this is a bit different because in the past, what has happened is people have said, well, if you're not familiar with the documents, you stop the assurance. No, what we should do is carry on the assurance and give zero points. You've still done the best efforts, attempted doing the assurance, we should complete that process. Zero points is what happens when you've got zero confidence and that's mathematically sound. We can add zero many times over and still get zero. Or we can add one point many times over and get many points. With unfamiliar documents, if you feel like they're good, often passports from another country will be entirely compatible. Then you should be able to say, yeah, it feels right. You check out the security features and maybe you want to award half points. That's a rough guide. Whatever happens, you should tell the person concerned that you might issue less points because they might be surprised that you didn't issue them four points. 
Sometimes the members expect to get all the points, sometimes, and that's not really what we're about. You, the assurer, are making the judgment. That's what we want you to do. And we're gonna rely on you making a good judgment. Whatever the member gets, they have to be grateful for that. Okay, a new thing is mutual assurance. The assurance policy now states you can do an assurance both ways. You can even do it when the person is not an assurer, in which case, then you have to lead a bit. You have to help them. You should do this if they're going to be an assurer, if they're almost up to the number of points and they intend to pass their assurer challenge, or if they've done one and not the other. You should do a mutual assurance if the member is happy with doing that. If they're not experienced enough, you can keep the CAP form for them. And of course, that won't be a problem because you've already got all that information. If they are ready to be an assurer, you and your judgment can let them keep that form on you. That slide shouldn't be there, we already saw it. Boom, okay. That's the end of the information. There's a lot, a lot of detail. Any questions?