Today, Friday 28^th of november, CAcert is creating new RootKeys for signing the certificates. This is done to comply to the audit requirements of having everything documented. Our current RootKeys are audit fail because it lacks documentation about the procedure.

The current RootKeys will NOT be revoked yet because there are thousands of certificates still relying on them.All new or renewed certificates will be signed by the new RootKeys as soon as they are operational. Some extensive testing is done in the last few months for creating, securing and implementing the RootKeys on a very high standard and open way.

The generated RootKey and two sub-root keys for assured community members (class 3) and (not assured) community members (class 1) makes use of open source tooling, certified in the past with FIPS 140-2 certificate for OpenSSL (Mar 2006).

Replacing the RootKeys is the last part of the server rehosting to the Netherlands which was done in October.

As mentioned by Maurice, I presented this at LISA2008:

An Open Audit of an Open Certification Authority

How does a lightweight community Certification Authority (“CA”) engage in the heavyweight world of PKI and secure browsing? This talk tracks the systems audit of CAcert, an open-membership CA, as a case study in auditing versus the open Internet, community versus professionalism, quality versus enthusiasm. It will walk through the background of “what, why, wherefore an audit,” look at how CAcert found itself at this point, and then walk through some big ticket items: risks/liabilities/obligations; assurance and what’s in a name; disputes and reliance; and systems and security.

Can CAcert deliver on its goal of free certs? The audit is into its 3rd year as of this writing; and remains incomplete. Some parts are going well, and other parts are not; by the end of the year 2008, we should be able to check all of the important areas, or rethink the process completely. Hence, finally, the talk will close with progress and status, and recommendations for the future.

There are slides and a very long paper on my paper’s page.  As this was a talk invited by LISA, and as the job of audit is to look for the bad things, not the good things, this talk is quite brutal in parts. Not for the squeamish.

Gleich zwei CAcert-Parties gibt es diese Woche in Düsseldorf/NRW:

Der Chaos Computer Club Düsseldorf (www.chaosdorf.de) bietet am 28.11. ab ca. 20:00 eine Zertifizierungsmöglichkeit an. Hier können sich Interessenten auch über die Hintergründe zum Thema CAcert und PGP-Verschlüsselung informieren. Einlass ist ab ca. 19:00.

> Chaos Computer Club Duesseldorf
> Fuerstenwall 232
> 40215 Duesseldorf

(Sollte das Tor nicht offen sein, bitte klingeln).

Im Anschluß an den Java-Vortrag der Rhein-Jug (www.rheinjug.de) zum Thema Open JDK und Da Vinci VM gibt es am 30.11. eine weitere Möglichkeit, sich assuren zu lassen. Der Vortrag selbst findet ab ca. 19:00 statt, Assurer werden ab ca. 18:30 vor Ort sein. Während dem Vortrag ist KEINE Assurance möglich, erst wieder ab ca. 21:00.

> Institut für Informatik
> Heinrich-Heine-Universität Düsseldorf
> Gebäude 25.22
> Hörsaal 5G