Monthly Archives: April 2011

svn.cacert.org on new host with client certificate authentication now!

Leave a reply

Today I finished the migration of svn.cacert.org to a LXC container on our new infrastructure machine. The container is running on Debian Squeeze and supports some nice new features:

Read only access is provided via http://svn.cacert.org/ as it was before.

Besides allowing client certificate authentication for our Subversion repository this is a big step forward as we now have a modern infrastructure machine with a recent operating system distribution.

If you already have a SVN account on svn.cacert.org and want to use the client certificate authentication feature please send a mail to svn-admin (at) cacert (dot) org.

12 May 2011, NLUUG Spring Conference – Open is efficient, Ede – Netherlands

Leave a reply

NLUUG logo
On the 12 May 2011 the NLUUG (Netherlands Unix Users Group) will hold its semiannual conference in De Reehorst, Ede.
The topic is “Open is Efficient”.
CAcert will have a booth there.
Are you interested and willing to help out at the booth please contact me and/or sign up on the CAcert wiki – http://wiki.cacert.org/events/vj2011
Remember Assurers must have passed the Assurer Challenge!
Be sure to enlist as assurer on the event page.
For more information on the conference:
http://www.nluug.nl/activiteiten/events/vj11/index.html

Easter Egg Challenge 2011

Leave a reply

Easter Egg
We’ve just started our this years Easter Egg Challenge … We’ve put a couple of patches on to our testserver CACERT1 for you, our fellow and our new Software testers. We’ve put light to heavy patches to the package so everybody is able to walk thru the testserver web pages and search our Easter Egg’s.
Continue reading

CAcert in german freeX magazine

Leave a reply


The word of CAcert has been spread again in the Computer News in Germany. This time the main focus was put on the use of client certificates: What is the function and how does it intregrate into the popular open source email client Thunderbird, not forgetting other clients like Evolution, Claws-Mail, and the like. It also gives some background of CAcert and a short introducton on how CAcert works. The article in the freeX magazine 2/2011 is in german language. Hope you enjoy it, though 🙂

Aus dem Artikel:
Bewegt man sich im Internet, stößt man auf immer mehr Seiten, mit denen verschlüsselt kommuniziert wird. Solche Seiten mit der Kennung https verschlüsseln die Pakete per SSL. Damit sichergestellt ist, daß man auch mit der richtigen Domain in Kontakt ist und die Daten nicht
kompromittiert werden, identifiziert sich der Server mit Zertfikaten beim Client. Aber nicht nur bei Seitenaufrufen im Web, sondern auch bei E-Mails bedient man sich heute immer häufiger der verschlüsselten Datenübertragung. Die Grundlage sind auch hier Zertifikate. Sie sind eine Art Beglaubigung und bestehen aus einem öffentlichen Teil, der verteilt werden darf, und einem privaten Teil, der ausschließlich dem Benutzer und seinen Programmen zugänglich sein darf. Aus Sicherheitsgründen empfiehlt es sich sogar, die privaten Zertifikate ausschließlich paßwortgeschützt abzulegen. Die heute gebräuchlichen X.509-Zertifikate sichern die Authentizität, Integrität und Vertraulichkeit und bilden damit die Grundlage interner und externer Kommunikation. Doch in der Praxis scheitert eine unternehmensweite Verbreitung von digitalen Zertifikaten zur Absicherung von Servern und E-Mail-Kommunikation – gerade bei kleinen und mittelständischen Betrieben – aber häufig am begrenzten Budget der IT-Abteilung, denn bei den kommerziellen Zertifizierungsstellen fallen schnell jährliche Bereitstellungskosten von mehreren tausend Euro an, und auch für Privatanwender sind wenige hundert Euro Kosten im Jahr oft nicht tragbar.

Um ohne entsprechende Investitionen eine deutliche Steigerung der Sicherheit der Internetkommunikation zu erreichen, kam im Jahr 2002 der Australier Duane Groth auf die Idee, bei X.509-Zertifikaten die zentralisierte Identitätsprüfung kommerzieller Anbieter durch ein Web of Trust zu ersetzen, wie man es in ähnlicher Form von PGP kennt. Er gründete CAcert als community-basierte, nicht-kommerzielle Certification Authority (CA).

Der Originalartikel als PDF mit Bildern
Der ganze Beitrag im Wiki ohne Bilder

New procedure for Name Change after Marriage w/ Assurance

1 Reply

To all community member and assurer,

The arbitration and support teams developed a new “Name Change after
Marriage w/ Assurance” procedure though an arbitration case a20110330.1.
The procedure is outlined in
http://wiki.cacert.org/Arbitrations/Training/Lesson12 and
http://wiki.cacert.org/Support/Handbook/PrecedentCases/a20110330.1.
This should speed up the process of a name change after marriage.

All you need to do is (for the user who wants to get a name change after
marriage):

1. Find at least 2 Assurer to do an Assurance
2. Send a list of the assurers that can confirm the name change after
marriage to support

That’s it.

Support than will contact the parties to get further information.

Google on improving certificate security

Leave a reply

Benl writes: Improving SSL certificate security

Friday, April 1, 2011 9:05 AM Posted by Ben Laurie, Google Security Team

In the wake of the recent [incident], there has been a great deal of speculation about how to improve the public key infrastructure, on which the security of the Internet rests. Unfortunately, this isn’t a problem that will be fixed overnight. Luckily, however, [engineers] have long known about these issues and have been devising solutions for some time.

Given the current interest it seems like a good time to talk about two projects in which Google is engaged.

The first is the Google Certificate Catalog. Google’s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. So, for example, if you wanted to see what we think of https://www.google.com/’s certificate, you could do this:

[tech details snipped]

The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn’t consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed CAA record, which predates the DANE WG and provides similar functionality.

[caveats snipped]

Improving the public key infrastructure of the web is a big task and one that’s going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction.

CATS login bug fixed (bug#889)

2 Replies

If you tried to log in to CATS recently with a newly created certificate you probably failed. Especially when using a Class 3 certificate. Now I hope this bug is finally fixed.

Like usual for such bugs it was quite a trivial thing, for details compare CAcert/Education/CATS/login.php in svn with its previous version.

For analysis: certificates affected contained a serial number wich started with a non-digit character after stripping learing zeros. So Class 3 certificates with serial number bigger than 09:ff (issued since about half a year ago) and Class 1 certificates with serial greater than 09:ff:ff (issued since recently) have been affected.

I’m still waiting for the first explicit confirmation of someone now able to log in, but the analysis nicely fits the symtoms and the problem could be reproduced on the test system, so I hope we finally got it.