CAcert and secure-u e.V. are present at booths 244 and 251 in hall 7.2b during LinuxTag 2012, from March 23 to 26, in Berlin, Germany. For more details see the wiki page on LinuxTag2012.
CAcert and secure-u e.V. on LinuxTag 2012
On May 10th, 2012 at 20:05
Posted in Events
“Hyphen Rules” clarified in PracticeOnNames
On September 19th, 2011 at 18:09
Posted in Information
Recently the hyphen rules in PracticeOnNames have been reworked and clarified.
Since this topic is surrounded by a great deal of confusion and unconfirmed rumors, Assurers might want to have a look at it.
Certificates for weak keys revoked
On July 28th, 2011 at 19:07
Posted in Information, News
If you received email today stating that one or more of your certificates was revoked, then this action was initiated by CAcert. See the announcement on the blog.
For more background information see the Arbitration page and Hanno Böck’s blog post.
A short summary: some certificates were found for private keys which could easily be cracked for one of the following reasons:
- Their modulus size is small (< 1024 bits), so they can quickly be “brute forced” with usual desktop computers.
- They use a small exponent, which is vulnerable to well-known cryptographic attacks.
- They use a key generated by a buggy Debian system (see Debian Vulnerability).
The CAcert web page has now been modified not to accept such weak keys for certificates in the future.
We wish to thank Hanno Böck for notifying us of this problem and giving us enough time to fix it before publishing it.
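An acceptance check along the lines of the three criteria listed above, as an added example that is not CAcert's own code. The thresholds, the SHA-256 modulus fingerprint and the blocklist contents are assumptions made here, and the sample moduli are constructed stand-ins rather than real keys.

```python
import hashlib

# Assumed policy values for this example; the post gives no exponent bound.
MIN_MODULUS_BITS = 1024
MIN_EXPONENT = 65537


def modulus_fingerprint(n: int) -> str:
    """Hypothetical blocklist key: SHA-256 of the big-endian modulus bytes."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()


def weak_key_reasons(n: int, e: int, blocklist=frozenset()) -> list:
    """Return every reason the RSA public key (n, e) should be refused."""
    reasons = []
    if n.bit_length() < MIN_MODULUS_BITS:
        reasons.append(f"modulus has only {n.bit_length()} bits")
    if e < MIN_EXPONENT or e % 2 == 0:
        reasons.append(f"public exponent {e} is too small or even")
    if modulus_fingerprint(n) in blocklist:
        reasons.append("modulus is on the known-weak key blocklist")
    return reasons


# Constructed stand-ins: odd integers of the right size, not real RSA moduli.
N_SMALL = (1 << 511) | 1    # 512 bits
N_OK = (1 << 2047) | 1      # 2048 bits
N_LISTED = (1 << 2047) | 3  # 2048 bits, placed on the sample blocklist
# Constructed blocklist; a real one would hold fingerprints of the keys
# produced by the flawed Debian generator.
SAMPLE_BLOCKLIST = frozenset({modulus_fingerprint(N_LISTED)})

if __name__ == "__main__":
    for name, n, e in [("small", N_SMALL, 3), ("ok", N_OK, 65537),
                       ("listed", N_LISTED, 65537)]:
        print(name, weak_key_reasons(n, e, SAMPLE_BLOCKLIST) or "accepted")
```

Returning every reason, not just the first, lets the rejection notice tell the key owner everything that has to change before a replacement request is accepted.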
CAcert fixes potential security problem
On June 27th, 2011 at 20:06
Posted in Information, News
You may have received an automated mail from CAcert today or yesterday evening, stating that one or more of your certificates are unsafe and will be revoked soon.
I don’t want to go into more technical details before the relevant certificates have been revoked; if you received one of those mails, some technical details are included there. Please do not use the listed certificates any more and replace them with newly issued ones as soon as possible.
CATS login bug fixed (bug#889)
On April 5th, 2011 at 19:04
Posted in Information
If you tried to log in to CATS recently with a newly created certificate, you probably failed, especially when using a Class 3 certificate. Now I hope this bug is finally fixed.
As usual for such bugs, it was quite a trivial thing; for details, compare CAcert/Education/CATS/login.php in svn with its previous version.
For analysis: the affected certificates contained a serial number which started with a non-digit character after stripping leading zeros. So Class 3 certificates with a serial number bigger than 09:ff (issued since about half a year ago) and Class 1 certificates with a serial greater than 09:ff:ff (issued since recently) have been affected.
I’m still waiting for the first explicit confirmation of someone now able to log in, but the analysis nicely fits the symptoms and the problem could be reproduced on the test system, so I hope we finally got it.
