Author Archives: dan

CAcert Blog is fully X.509 enabled

The CAcert Blog is now fully X.509 enabled.
Even if you have never visited the site before, with a named certificate you can, in one click (log in), register for the site and have author status, ready to write your own contribution.

If you only have a WoT unnamed certificate you can write your article and it will be moderated for spam by the PR people (aka editors).

If you had a contributor account and haven’t posted anything yet you have been downgraded to a subscriber (no access to comment or write a post) along with all the other spammers. The good news is that once you log in with a certificate you get upgraded to the correct status, just as if you had registered.

There is no password authentication any more: making sure both methods behaved reliably was not possible in the time the admins had available.

Please ignore the big blog upgrade notice – we are using Debian security maintained packages and don’t need a WordPress upgrade.

So get to it – write something interesting.
[Edits thanks to Henrik Heigl]

DomainKeys Identified Mail (DKIM) – Phishing protection

DKIM is a standard for answering the old security question ‘is this email really from the author?’. As the related DKIM standard Author Domain Signing Practices (ADSP) has just been approved, it is timely to tell you about it.

DKIM, like PGP and S/MIME signatures, answers this question using a digital signature over the email content. DKIM differs in that it is designed so that signing and verifying the email can be done at the email gateway and, just as importantly, it signs email headers as well.

This is a fairly effective way of letting the receiving email server validate whether an email was sent through an email server under the control of the author’s domain. Through ADSP DNS records the author domain can advise the receiving server that it signs all of its email, and encourage the receiver to discard email that is unsigned or has a broken DKIM signature.

Because DKIM ADSP validation is based on the From: address, it is effective in protecting users from phishing and social engineering attacks that use a correct From: address. DKIM is not effective in preventing spam, as any spammer can DKIM sign emails with their own domain.

To reap the benefits of DKIM you will need to deploy a DKIM signing and verifying product or service on your email gateways and follow the deployment guide.

CAcert has been signing personal emails and some email list emails for over a year and is moving to sign all automated emails before deploying an ADSP DNS record. DKIM email validation has also been running for over a year without any problems.
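As an added example (not CAcert's code and not part of the original post), the following Python script, using only the standard library, walks through what a receiving gateway does with the pieces described above: it parses the DKIM-Signature header, applies the relaxed canonicalization from RFC 6376, checks the body hash (bh=), builds the exact header bytes that the RSA signature (b=) covers, and then applies the sender's ADSP record when the author-domain signature is missing or broken. The message, the DNS answer table and the selector name sel1 are constructed for the example; the RSA verification of the signed bytes against the public key published under the d=/s= selector is left to a crypto library, because the point here is to show what is signed and how ADSP turns a broken or missing author signature into a discard decision.

```python
import base64
import hashlib
import re

# Sample data below is constructed for this example; it is not mail from CAcert's servers.
# Assumptions: c=relaxed/relaxed canonicalization, no l= body-length limit, and the DNS
# lookup replaced by a dictionary of TXT records keyed by the ADSP query name.

def parse_dkim_tags(value):
    """Parse a DKIM tag=value list (also used for ADSP TXT records). Folding whitespace
    inside values (base64 b=/bh=, the h= list) is not significant, so it is removed."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def canonicalize_body_relaxed(body):
    """RFC 6376 section 3.4.4: collapse WSP runs to one SP, strip trailing WSP per line,
    drop empty trailing lines, and end a non-empty body with a single CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def canonicalize_header_relaxed(name, value):
    """RFC 6376 section 3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n".encode()

def body_hash(body, algorithm="rsa-sha256"):
    """The bh= tag: base64 of the digest of the canonicalized body."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body_relaxed(body)).digest()).decode()

def split_message(raw):
    """Split a CRLF message into an ordered list of [name, value] headers and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.decode().split("\r\n"):
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            headers[-1][1] += "\r\n" + line
        else:
            name, _, value = line.partition(":")
            headers.append([name, value])
    return headers, body

def get_header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), None)

def signed_header_data(headers, tags):
    """Bytes the b= RSA signature covers (RFC 6376 section 3.7): each h= header in relaxed
    form, selected bottom-up so a later duplicate cannot replace the signed one, then the
    DKIM-Signature header itself with its b= value emptied and no trailing CRLF."""
    out, used = b"", set()
    for name in tags["h"].split(":"):
        for idx in range(len(headers) - 1, -1, -1):
            if headers[idx][0].lower() == name.lower() and idx not in used:
                used.add(idx)
                out += canonicalize_header_relaxed(*headers[idx])
                break
    sig = re.sub(r"\bb=[^;]*", "b=", get_header(headers, "DKIM-Signature"))
    return out + canonicalize_header_relaxed("DKIM-Signature", sig).rstrip(b"\r\n")

def adsp_policy(domain, dns_txt):
    """RFC 5617 lookup of _adsp._domainkey.<domain>; a missing record means 'unknown'."""
    record = dns_txt.get(f"_adsp._domainkey.{domain}")
    return parse_dkim_tags(record).get("dkim", "unknown") if record else "unknown"

def evaluate(raw, dns_txt):
    """Gateway decision. 'body-hash-ok' means the d= domain matches From: and bh= verifies;
    the RSA check of signed_header_data() against the d=/s= public key (a DNS TXT record)
    is the remaining step and needs an RSA library, so it is not done here. Anything else
    is an unsigned or broken author signature and is decided by the sender's ADSP record."""
    headers, body = split_message(raw)
    from_domain = re.search(r"@([\w.-]+)", get_header(headers, "From")).group(1).lower()
    sig = get_header(headers, "DKIM-Signature")
    tags = parse_dkim_tags(sig) if sig else {}
    if tags.get("d", "").lower() == from_domain and tags.get("bh") == body_hash(body, tags.get("a", "")):
        return "body-hash-ok"
    return {"discardable": "discard", "all": "suspicious"}.get(adsp_policy(from_domain, dns_txt), "accept")

# Constructed sample message and DNS answer (example.com declares dkim=discardable).
SAMPLE_BODY = b"Hello  world \r\n\r\n"
SAMPLE_BH = body_hash(SAMPLE_BODY).encode()
DNS_TXT = {"_adsp._domainkey.example.com": "dkim=discardable"}

def build_message(body, bh, from_domain=b"example.com"):
    """Message signed (bh= only; b= is a placeholder) by example.com's selector sel1."""
    return (b"From: Alice <alice@" + from_domain + b">\r\nTo: bob@example.net\r\n"
            b"Subject: DKIM demo\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            b"\ts=sel1; h=from:to:subject; bh=" + bh + b";\r\n"
            b"\tb=RSA-SIGNATURE-PLACEHOLDER\r\n\r\n" + body)

if __name__ == "__main__":
    print(evaluate(build_message(SAMPLE_BODY, SAMPLE_BH), DNS_TXT))                  # body-hash-ok
    print(evaluate(build_message(b"tampered\r\n", SAMPLE_BH), DNS_TXT))              # discard
    print(evaluate(build_message(b"x\r\n", SAMPLE_BH, b"example.org"), DNS_TXT))     # accept
```

The third call shows the point made above about spam: a valid signature from example.com on mail claiming to be From: example.org is not an author-domain signature, so ADSP ignores it and the outcome depends only on example.org's own record (none here, so the mail is accepted as unknown). The relaxed canonicalization is what lets the signature survive the whitespace and line-folding changes that mail relays routinely make, while any change to the signed headers or the body still breaks it.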

Canberra Australia assurance event and CAcert presentation, 24th July

There will be a CAcert presentation and a WoT assurance event in Canberra on the 24th July at 7pm (local time). It will be held at the ANU as a Canberra Linux Users Group meeting. Anyone who wants to turn up is welcome. The initial talk will be on Linux music, followed by a brief talk on SSL, certificates, CAcert services and needs, and finally assurance services will be offered.

Bring along your government IDs, printed personalised WoT forms available from CAcert My Account (CAP/TTP Forms) and $6 for pizza afterwards.