CAcert System Admins discussion list

[Wytze van der Raay <wytze AT cacert.org>]

Hi Bas and others,

On 16.07.2011 18:21, Bas van den Dikkenberg wrote:
> Good point wytze, but like i pointed about before isn't there a conflict of
> interest with Stefan Kooman.
> 
> Stefan Kooman works for bit, and if he is Access engineer he can access the
> rack without that's its logged anywhere.
> 
> I can see that there might be conflict of intrest, I know no longer has the
> access codes for server but any way, I don't think it's a wise idea.

I would argue this exactly the other way around ...

BIT engineers obviously already have physical access to the hosting facility,
and they also have physical access to the rack subject to BIT's own policies
for that. Whether that's logged by BIT or not, I don't know. In any case these
accesses are not controllable by CACert's security policy.

On the other hand, when BIT engineer Stefan Kooman is also a member of the
Oophaga Access Engineer team, he *is* subject to CAcert's security policy
w.r.t. to accessing the Oophaga/CAcert rack, thus nothing is lost in
comparison to the situation above, rather a little is gained instead!

The operational gain for CAcert should be quite obvious: while in the past
some care has been taken in picking critical sysadmins in the physical
neighbourhood of the hosting facility, this has been not so much the case
for access engineers (partly for historical reasons). As a result, in cases
where quick access to the hosting facility is needed to limit downtime, the
need to locate an access engineer and have him travel to the hosting facility
is more often increasing the delay than anything else (but note that adding a
new critical sysadmin to the team would be good too,  since we are currently
somewhat "thin" with just 2 people in the team).

Regards,
-- wytze

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature