The financial year 2024/2025 ended at the end of June, and in a couple of weeks, on October 25th, the annual General Meeting will take place. For transparency, we publish here an overview of how we spent money. In fact, our servers need some electricity to create free certificates. These monthly bills, as well as the about 2000€ for the rack in the data centre, are paid by your generous donations.
If you are happy with your free CAcert certificate and the work done by our volunteers to run this service, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
On 28 September, the Swiss will vote on the introduction of a digital identity card (e-ID). The proposal gives users the greatest possible control: personal data remains on the user’s phone. Neither the state nor private companies can track the use of the e-ID. And users decide for themselves with whom they share which information.
The example of pornography websites shows what this could mean in concrete terms. Today, children and young people can access these sites by clicking on ‘I am over 18’, even though pornography portals in Switzerland are actually required to block young people under the age of 16. In a future with e-ID, it would be possible to carry out age checks that protect privacy: Thanks to the e-ID, anyone who wants to visit the site does not have to reveal their name or date of birth. It is sufficient to disclose that the user is over 16.
The e-ID thus protects young people as well as the privacy of all users. To prevent the system from being exploited, the federal government maintains a register of companies that request too much information from the e-ID. If, for example, the pornography site wanted to register the name or date of birth of its users, users could report the site. The e-ID app would then warn other users about this website. At least, that is what the authorities hope.
No honey pot of data
The approach is clever. Nevertheless, when it comes to digitisation projects, no programme code in the world is 100% secure. The developers currently working on the e-ID code are well aware of this. They have therefore built a system without a central register – meaning there is nothing worth hacking.
To further increase the cyber security of the e-ID, the federal government has also published the programme code and launched a competition: anyone who reports a vulnerability will receive a reward. The 120 developers at the federal government want to harness the collective intelligence of the developer community.
Initial independent analyses of the programme code have shown that the programme actually does what the legal text promises. No more and no less. The code is not yet complete, and important components are still missing. But experts expect progress to be made soon. There is still time until the earliest possible introduction date in the third quarter of 2026.
One can say yes to the introduction of the e-ID, but no to its disproportionate use. Of course, no one wants to have to identify themselves with a government ID at every corner of the internet. We still need digital spaces where we can comment on political issues disguised as Mickey Mouse. Controversial opinions must also be able to be published and debated. This freedom must be defended.
Of course, CAcert is also at some conferences in 2025. After two days at FOSDEM in Elsene near Brussels in early February, you can get in touch with us at:
8.-11. Aug 2025 Oudkarspel, Netherlands WHY CAMP 2025 (sold out)
16.-17. Aug 2025 St. Augustin (Köln-Bonn) FrOSCon 2025 (free entrance)
It is really a good idea to see and test the new CAcert OpenID Connect for yourself! Come and join us.
If you are happy with the new functions of CAcert OpenID Connect, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
OpenID Connect (OIDC) was developed by the OpenID Foundation as an authentication protocol that verifies a user’s identity when they attempt to access a protected site. CAcert now offers a way to both authenticate and authorise Drupal with OIDC. This brings single sign-on (SSO) to one of the best known and most widely used open source content management systems (CMS), used by some of the largest websites such as The Economist or the White House, and offers the benefits of a single login for multiple sites.
This guide will help you configure your Drupal sites and other applications as an OpenID Connect client with CAcert. Following these steps will let you configure OIDC SSO, which allows your users to log in to your Drupal site using their CAcert credentials.
If you are happy with the new functions of CAcert OpenID Connect for Drupal, done by our volunteers, please consider donating: Donations IBAN CH02 0077 4010 3947 4420 0
Report from our support team about their work since the beginning of the year. The support team has:
deleted 47 accounts
restored 1 password
solved 11 problems. These involved the following: an error message due to the root certificate not being installed, storing a new e-mail address, certificate creation without <keygen>, and the certificate format.
Support also receives between twenty and thirty unwanted e-mails every day, and more at weekends. However, these are sorted out semi-automatically.
If you are happy with the work done by our support volunteers, please consider travelling with us or donating:
Report from the helpful elves (Heinzelmännchen) of our support team about their work since the beginning of the year. Since the beginning of the year, support has:
deleted 47 accounts (on request)
restored 1 password
solved 11 problems. These involved the following: an error message due to the root certificate not being installed, storing a new e-mail address, certificate creation without <keygen>, and the certificate format.
Support also receives between twenty and thirty unwanted e-mails every day, and more at weekends. However, these are sorted out semi-automatically.
To join this great team yourself, simply write to secretary@c.o. We offer a thorough induction programme with an experienced support engineer. Working from home is possible, with a workload of your choice. English (reading and writing) is required; other languages are an advantage.
New users need to download and install the CAcert roots. This must be done over HTTP (http://www.cacert.org/index.php?id=3). But the HTTP protocol is considered unsafe nowadays. Moreover, some leading browsers offer an “HTTPS-only” mode.
The Blog and Wiki websites are planned to be equipped with Let's Encrypt to make visiting them easier. Both CAcert roots are already available as single certificates and as bundles, for Windows / Unix / Linux / Android / Mac systems, on the wiki page https://wiki.cacert.org/FAQ/NewRoots.
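Because the roots are fetched over plain HTTP, the download should be checked before it is installed. The following is an added example, not CAcert's own code: it computes the SHA-256 fingerprint of every certificate in a downloaded PEM file or bundle and accepts the file only if each one matches a fingerprint obtained through a separate channel you trust. The sample "certificates" are constructed stand-in bytes, and the function names and the trusted fingerprint list are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_bytes):
    """SHA-256 fingerprint (lowercase hex) of each certificate in a PEM file or bundle."""
    prints = []
    for body in PEM_CERT.findall(pem_bytes):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def normalise(fingerprint):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex and return lowercase hex."""
    hexed = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexed

def verify_roots(pem_bytes, trusted_fingerprints):
    """True only if the download holds at least one certificate and every
    certificate in it matches a fingerprint obtained out of band."""
    trusted = [normalise(fp) for fp in trusted_fingerprints]
    found = pem_fingerprints(pem_bytes)
    if not found:  # e.g. an error page or a truncated download
        return False
    return all(any(hmac.compare_digest(f, t) for t in trusted) for f in found)

def to_pem(der):
    """Wrap raw bytes in PEM armour (helper for the constructed samples)."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed stand-in bytes, NOT real CAcert certificates.
SAMPLE_ROOT_DER = b"constructed stand-in for a root certificate"
SAMPLE_ROOT = to_pem(SAMPLE_ROOT_DER)
SAMPLE_INJECTED = to_pem(b"constructed stand-in for an injected certificate")

if __name__ == "__main__":
    # Stands in for the fingerprint obtained out of band (assumption).
    trusted = [hashlib.sha256(SAMPLE_ROOT_DER).hexdigest()]
    print(verify_roots(SAMPLE_ROOT, trusted))
    print(verify_roots(SAMPLE_ROOT + SAMPLE_INJECTED, trusted))
```

A bundle that carries even one extra, unlisted certificate is rejected as a whole, which is the case that matters when the transport can be modified in transit.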
In Germany, the month of May stands for something new, usually associated with blooming flowers …
… but we don’t have any flowers at our CAcert servers, so we did something else:
We took a trip to the data centre in Ede, putting the second firewall back into the rack and installing brand-new OpenBSD updates on both firewalls and Debian updates on all our critical servers.
You may have noticed short interruptions of our CAcert services, as our main web server was restarted once and both firewalls were restarted several times to apply the updates. We tried to keep this time as short as possible, but we couldn’t trick our monitoring: it was faster, sending us notification e-mails for a problem … followed by “recovery” e-mails.
Some of our volunteers find it hard to work on their own, especially when there are no proper guidelines, or only outdated ones, to go by. For exactly this reason, a small OrgA conference took place near Zurich on 27 March 2025.
Taking part: an OrgAssurer, a member of the community, a junior member and a representative of the board. Together they found that Organisation Assurance (OrgA) should be of high importance to CAcert, but that various conditions have changed in recent years, which has not made OrgA any simpler, and that not all procedures are clearly regulated, or rather that the rules are helpful or a hindrance depending on the jurisdiction (country).
Now they want to
take stock of what currently exists
check what currently exists for being up to date and usable
where appropriate, make concrete proposals on how OrgA can be simplified while maintaining the high security standards.
Having met in person, they are confident that cooperation via electronic channels or the telephone will work well in future, even across thousands of kilometres. For on one point all participants of the small OrgA conference agree: shared dialogue is the strength that moves projects forward.
What is Organisation Assurance? The Organisation Assurance programme is an add-on to the Assurance programme for individuals. The purpose of the Organisation Assurance programme is to assure organisations instead of individuals. OrgA allows an organisation to carry the organisation's name in its certificate. https://wiki.cacert.org/OrganisationAssurance/DE
Over the past few months, we have been pushing OpenID Connect forward. Today, you can sign in with OpenID Connect using CAcert certificates. Our tireless volunteers are still working on the finishing touches and documentation. Perhaps you are still looking for a New Year’s resolution and would like to give them a hand?
Or in the hours left until the new year is rung in, would you prefer to work on a small project that is guaranteed to be finished in less than an hour? Then the CAcert calendar prism is for you (free download). Print it out, cut it out, fold it and stick it together. 1-2-3-4 and your first project for 2025 is complete!
All the best for the new year and thank you very much for your support, help and funding.
At their annual general meeting, the members of CAcert Inc, the association behind the CAcert community, decided to adapt the structures to today's circumstances. Since national minimum numbers on the board have no longer been prescribed since the move to Europe, the board was reduced to five members. The members are convinced that these leaner structures will better meet the demands of the future.
CAcert looks back on a very successful year overall. At the start of the meeting, association president Brian McCullough highlighted three points in particular:
– Modernisation of the machines in the data centre, with an impressive reduction in power consumption
– The CAcert Community Centre as a simple self-service portal, among other things for creating certificates
– An exciting development was the completion of the first version of the CAcert OpenID Connect tool, with which our members can log in to various other services with their client certificates, without using passwords.
Two long-standing companions have stepped down from the board: Frédéric Grither was treasurer for two and a half years and, after a break, served in this role for another year. Frédéric Dumas was on the board for six years and is also active as a volunteer. Among other things, he got the promising OpenID Connect project under way.
For more than 20 years, CAcert has operated the free certificate authority cacert.org, which issues free X.509 client certificates secured through the web of trust. CAcert certificate authority: https://www.cacert.org CAcert self-service portal: https://community.cacert.org