Next language translated to 100%

Special thanks to alaks who made Czech the sixth language which is now available with a 100% translation rate. In addition I want to thank all translators who did a tremendous work over the past years.

To show how far the various languages have been translated here a short statistic overview covering languages with more than 30% of progress

Language Progress
Spanish 100%
German 100%
French 100%
Italian 100%
Dutch 100%
Czech 100%
Portuguese (Brazil) 83%
Swedish 64%
Hungarian 43%
Finnish 37%
Japanese 36%

It would be great if even more people could be helping to translate the software. We are especially looking for Portuguese (Brazil), Swedish, Hungarian, Finnish, Japanese. Of course any help for the other languages that CAcert is offering is appreciated.

If you want to help just create an account on CAcert’s translation server

For more information look at
or join the translation mailing list

Thanks to all who already helped with the translation!

ATE Freiburg, 2015-02-02

Freiburg i. Breisgau panorama
Am Montag, 2. Februar 2015 findet in den Räumen des Karma Indian Palace in Freiburg das nächste ATE in Deutschland statt.

  • Was hast du auf dem CAP Formular hinzuzufügen, wenn du Minderjährige überprüfst ?
  • Warum solltest du dir die 3 Buchstaben: R/L/O einprägen ?
  • Wie verhälst du dich, wenn du ein fremdes Ausweis-Dokument zum ersten mal prüfst ?

Antworten auf diese und andere Fragen erhaltet ihr auf dem Assurer Training Event.
Bringt geeignete Lichtbildausweise für Assurances mit.

ATE-Freiburg findet statt:

Karma Indian Palace
Starts: 2015-02-02 19:00
Duration: 3 hours:
Bertoldstrasse 51-53
Freiburg, Baden-Wuertemburg

Registrierung: Ich moechte am ATE-Freiburg teilnehmen

Vielleicht treffen wir uns ja da.

Mit bestem Gruß vom Events Team!

Weitere Infos:
ATE Freiburg im CAcert Wiki

CAcert at FOSDEM 2015, Jan 31st – Feb 1st

FOSDEM, the Free and Open Source Software Developers

CAcert and secure-u e.V. will be present at FOSDEM 2015, the Free and Open Source Software Developers’ European Meeting, on January 31st – February 1st.

If you want to help at our booth, register yourself on our events wiki page for FOSDEM 2015 planning.


STARTTLS support for email ping connections

Based on some support requests recently, mainly from users of the privacy-concerned provider, we decided to include support for STARTTLS into the first phase of normal email pings. When registering a new email address for your account a ping email is sent in two steps, the first of which is performed synchronously when the request is placed (checking the server’s existence), while the actual sending uses a mail server at CAcert to handle delivery and retransmission.
The change was realized in two parts as based on support requests we received two distinct issues were present when deciding to send mails: The first issue (fixed in bug 1318) was about the order the receiving servers for a domain were tried. This lead sometimes to situations where mails from CAcert were marked as spam as the first server tried by our website software accidentially was the spam-trap of that domain. To avoid this the software now respects the priority given in the MX records and shuffles equal priority records in random order as allowed by the RFC.
Once the order of the servers, that should be tried to deliver the mail, has been decided on, the second change comes into play, which is explained further in bug 1288 of our issue tracker. The changes in the second part are focused on the connection content when talking to a foreign MTA. For this the code implementing the dialog phase has been reworked to query for STARTTLS in the feature list of the EHLO command (previously only a simple HELO was sent) and establishing an opportunistic layer of encryption with the other side. For simplicity whenever STARTTLS is advertised we will be using STARTTLS in this phase and thus fail the connection when no TLS session can be established.
We hope that this change lifts the delays some of our users experience when registering a new domain of certain providers. Although please note that most MTAs use anti-spam measures regardless of encryption and thus a manuel retry after some (usually 5) minutes might still be necessary.


CAcert wishes everybody a Happy and Secure Year 2015!!!

Happy New Year (sparkler)

We are happy to share with you some statistics for the year 2014.

In 2014 we received more than 34000 new registrations which is over 2500 more than the previous record year 2006 (31542)

Shown in the image are the numbers of new CAcert members (newly verified accounts) per year.

It looks like there remains a need for certificates from an open, free and independent CA.

We thus would like to thank our community and all active members, contributors, assurers and supporters, who make this possible. Please keep up this great work!

Creating client certificates with CSR now possible for Org Accounts

A fix for a long standing issue has recently been installed at the CAcert main server: Now finally it’s possible to create a client certificate from a Certificate Signing Request (CSR) in the user interface for Organisation (Org) Accounts.

For those who don’t have an idea what I am talking about, an Org Account is a user interface for administrators of companies and other organisations who got themselves assured with a CAcert Org Assurance.

Until recently, client certificates in an Org Account could only be created by using the browser feature to create a key pair and signing request in one go. This usually has the consequence that the administrator has access to the private key of the certificate, and has to send the private key and a password (hopefully secure) to the user the certificate is intended for.

While this is not that unusual in an organisation environment, it is not considered a clean solution.

The new feature to create a certificate from a CSR now allows much better solutions. Not only that the administrator does not need access to the end user’s private key at all, it’s now possible to create solutions where an organisation end user can create her own keys and CSR at the organisation’s website, while the administrator only confirms the validity of the request, gets the certificate from CAcert and posts it on a website for the user to download into her browser.

Especially in company settings CAcert certificates can productively used even though the root certificate is not included in browsers by default. Many companies use private CAs, for example to issue certificates which allow employees to securely log on to web applications. Now it’s possible to outsource the CA management to CAcert and just use an Org Account to issue certificates.

In my opinion CSR certificate creation is an important step to make CAcert certificates much more practical to use in company settings! Thanks to everyone involved in implementing this feature!

All-time record on new users per year

[German version below]

Since a few days ago CAcert has more new users registered in 2014 than for any of the years before. Currently we are at about 31625 users and counting beating the record established in 2006 with 31542 users for the whole year in just about 11 months. With a rate of about 100 new users every day we have a faster-growing user base than ever. Given this support by our members CAcert is by far not dead – instead it shows the still existing need for a open and free certificate authority operating for their users instead of profit.


[German version]

Seit den letzten Tagen hat CAcert mehr neue Benutzer, die sich 2014 angemeldet haben, als in irgendeinem Jahr zuvor. Mit derzeit 31625 neuen Nutzern wurde der 2006 aufgestellte Rekord mit 31542 neuen Nutzern für das gesamte Jahr bereits nach 11 Monaten eingestellt. Mit täglich ungefähr 100 neuen Usern reißt der Zustrom neuer Mitglieder nicht ab. Entgegen aller Unkenrufe ist CAcert bei weitem nicht aus der Welt; stattdessen zeigt es die Notwendigkeit für eine offene und freie Zertifizierungsstelle, die aus Überzeugung für ihre Nutzer agiert, statt nach Profit zu streben.

CAcert Community Agreement (CCA) Rollout finished

[German Version below]
A long lasting software project – the CCA rollout – is nearing its end!

With today’s software update the last step for the CCA Rollout was deployed.

From now on every member who wants to use his CAcert account needs to have his CCA acceptance recorded.

The software has already been tracking this for some time which means that most active members will have their acceptance recorded by now. The CCA acceptance is recorded when:
– creating a new account
– entering an assurance for the assurer and the assuree
– creating a new certificate (client, server, GPG)

THE NEWS is that, for all users for whom no acceptance is yet recorded, a redirect to the CCA acceptance page is now forced. Once the CCA acceptance is recorded, this page will not be shown again.

Some historical facts:
The foundation was laid in 2007 by developing the policies and the CCA. The rollout started in 2009 by introducing the CCA to the community. In summer 2009 the acceptance of the CCA was required for creating a new account but it was not recorded.
In 2012 the acceptance of the CCA was required while entering an assurance but it was not recorded.
Starting from September 2013 the acceptance is recorded both on creating an account and while issuing a new certificate.
Since January 2014 the acceptance is recorded when entering an assurance too.
In September 2014 a new CCA was accepted by Policy Group.

[German Version]
Ein lange währendes Software-Projekt – der CCA-Rollout – nähert sich dem Ende!

Mit dem heutigen Software-Update wurde der letzte Schritt des CCA-Rollouts vollzogen.

Ab sofort wird für jedes Mitglied beim Login abgefragt, ob die Zustimmung zur CCA vorliegt. Falls nicht wird diese beim Anmelden erfragt und eingetragen.

Die Software zeichnet schon seit einiger Zeit bei diversen Aktionen die CCA-Zustimmung auf:
– Anlegen eines neuen Benutzerkontos
– Beim Eintragen einer Assurance sowohl für den Assurer und den Assuree
– Beim Erstellen eines neuen Zertifikats (Client, Server, GPG)

Wichtig: ab jetzt muss jeder User, dessen Zustimmung zur CCA noch nicht aufgezeichnet wurde, der CCA einmalig explizit zustimmen. Liegt bereits eine aufgezeichnete Zustimmung zur CCA vor, entfällt die explizite Aufforderung zur Zustimmung.

Einige historische Angaben:
Gestartet wurde das Projekt im Jahr 2007 mit dem Erstellen der Policy-Dokumente und der CCA. Das Rollout wurde 2009 mit der Veröffentlichung der CCA begonnen.
Ab dem Sommer 2009 wurde die Zustimmung zur CCA beim Anlegen eines neuen Kontos verpflichtend. Diese Zustimmung wurde allerdings nicht aufgezeichnet.
Seit 2012 wurde die Zustimmung zur CCA Bestandteil der Assurance. Diese Zustimmung wurde nicht in der Software aufgezeichnet.
Ab September 2013 wurde die Zustimmung zur CCA beim Anlegen eines neuen Kontos und bei der Erzeugung eines Zertifikats aufgezeichnet.
Seit Januar 2014 wird die Zustimmung auch beim Eintragen einer Assurance protokolliert.
Im September 2014 wurde eine neue Version der CCA durch die Policy Gruppe verabschiedet.

Safer Mail! – Ingolstadt, DE

Am 21. November bietet die Linux und Unix User Group Ingolstadt mit den Bürgernetzvereinen ASAMnet und bingo in Ingolstadt eine Informationsveranstaltung mit Workshop an:

Safer Mail! Sichere E-Mail-Verschlüsselung mit S/MIME

Neben einer Einführung ins Thema werden die Grundlagen erklärt. Der Workshop gibt anschließend praktische Hilfe beim Einrichten der jeweiligen E-Mail-Programme für Verschlüsselung und Signatur. Am Ende der Veranstaltung soll jeder Teilnehmer in der Lage sein, auf dem eigenen Notebook sicher per E-Mail kommunizieren zu können.

Die Veranstaltung und der Workshop richten sich an Anwender aller Betriebssysteme. Spezifische Vorkenntnisse sind nicht notwendig.

Weitere Informationen unter

English version:
Continue reading