Author Archives: Etienne Ruedin2

Browser manufacturers shorten certificate lifetime to one year

From September onwards, HTTPS certificates may only be issued for a maximum of one year.

Reading time: 1 min.

CAcert will adapt the free certificates

The maximum validity of certificates for proof of identity on the web will be further reduced – in the next step to one year. Although a vote on this issue in the CA/Browser Forum failed in September due to resistance from the certification authorities, it is still being discussed. But in March Apple came forward and declared that Safari will only accept certificates issued after September 1, 2020 if they are not valid for more than one year.

Now Mozilla and Google are following suit and creating facts. In the past, terms of 5 years were not unusual. Currently, certificates may still be issued for 2 years (more precisely: 825 days — i.e. plus some grace period). With the renewed tightening, Chrome, for example, delivers an ERR_CERT_VALIDITY_TOO_LONG if a certificate was issued after September 1, 2020 and is valid for more than 398 days.

Revocation broken

The main reason for the constant shortening of the certificate lifetime is the fact that there is no generally functioning revocation mechanism by which a certificate could be revoked. Revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) have proven to be unsuitable and are now switched off by default.

The browser manufacturers still maintain their own internal revocation lists, which they can use to react to acute incidents. But this is a quasi manual procedure that can only cover significant problem cases. Ultimately, the browser manufacturers are now focusing on damage limitation: if, for example, the secret key of a certificate is stolen, an expiration date that is approaching as soon as possible should solve the problem.

No need for action for users

Lets Encrypt, which meanwhile dominates the market, is the pioneer and only issues certificates for 3 months anyway. Renewal is then automated via ACME. According to Mozilla, however, the other certification authorities have also agreed to only issue certificates for 398 days from September 1. In view of the demonstration of power of the browser manufacturers, they probably don’t have much choice.

As a web site operator, you don’t have to do anything else – even if you still have a certificate with a longer validity in operation. The new rule only applies to certificates issued after September 1, 2020.

Les fabricants de navigateurs ramènent la durée de vie des certificats à un an

À partir de septembre, les certificats HTTPS ne peuvent être délivrés que pour une durée maximale d’un an.

CAcert adaptera ses certificats

Temps de lecture: 1 min.

La validité maximale des certificats pour la preuve d’identité sur le Web est encore réduite – dans l’étape suivante à un an. Un vote à ce sujet au sein du CA/Browser Forum en septembre a échoué en raison de la résistance des autorités de certification. Mais en mars, Apple s’est manifesté et a déclaré que Safari n’acceptera les certificats émis après le 1er septembre 2020 que s’ils ne sont pas valables plus d’un an.

Aujourd’hui, Mozilla et Google suivent le mouvement et créent des faits. Dans le passé, des mandats de 5 ans n’étaient pas inhabituels. Actuellement, les certificats peuvent encore être délivrés pour 2 ans (plus précisément : 825 jours — c’est-à-dire plus un certain délai de grâce). Avec le nouveau resserrement, Chrome, par exemple, délivre un ERR_CERT_VALIDITY_TOO_LONG si un certificat a été délivré après le 1er septembre 2020 et est valable plus de 398 jours.

Révocation cassée

La principale raison de la réduction constante de la durée de vie des certificats est le fait qu’il n’existe pas de mécanisme de révocation généralement opérationnel permettant de révoquer un certificat. Les listes de révocation (CRL) et le protocole OCSP (Online Certificate Status Protocol) se sont révélés inadaptés et sont désormais désactivés par défaut.

Les fabricants de navigateurs tiennent toujours leurs propres listes de révocation internes, qu’ils peuvent utiliser pour réagir à des incidents graves. Mais il s’agit d’une procédure quasi manuelle qui ne peut couvrir que les cas problématiques importants. En fin de compte, les fabricants de navigateurs se concentrent maintenant sur la limitation des dommages: si, par exemple, la clé secrète d’un certificat est volée, une date d’expiration qui approche le plus tôt possible devrait résoudre le problème.

Pas de nécessité d’action pour les utilisateurs

Lets Encrypt, qui domine entre-temps le marché, est le pionnier et ne délivre de toute façon des certificats que pour 3 mois. Le renouvellement est ensuite automatisé via ACME. Selon Mozilla, cependant, les autres autorités de certification ont également accepté de ne délivrer des certificats que pour 398 jours à partir du 1er septembre. Compte tenu de la démonstration de puissance des fabricants de navigateurs, ils n’ont probablement pas beaucoup de choix.

En tant qu’exploitant de site web, vous n’avez rien d’autre à faire – même si vous disposez toujours d’un certificat d’une durée de validité plus longue en service. La nouvelle règle ne s’applique qu’aux certificats délivrés après le 1er septembre 2020.

Change in the Committee

Frédéric Grither from France has resigned as treasurer of CAcert Inc. However, he will continue to offer his expertise and experience as a member of the CAcert finance team. On 13 February 2020, the Committee (Board) was able to fill the vacancy by electing Christophe Meesters from Belgium to the Committee. Christophe is a proven financial expert.

Bret Watson from Australia is now also supporting us in the finance team, particularly with regard to Australian issues. The board is very grateful to know that the finances of our fellowship are in good hands and that we have managed to spread the work over several shoulders.

Soziale Netzwerke im Kinderzimmer

Soziale Netzwerke sind schon längst im Kinderzimmer angekommen – immer jüngere Kinder nutzen sie. Influencer auf Plattformen wie Instagram oder YouTube begleiten unsere Kinder im Alltag. Da stellt sich einmal mehr, wie Eltern oder auch ältere Geschwister damit umgehen sollen.

Anlässlich des heutigen Safer Internet Day (SID 2020) fordert Youtuber Robin Blase mehr Medienkompetenz. CAcert erarbeitet zur Zeit entsprechendes Unterrichtsmaterial.

CAcert Event in Staffordshire – 11th Feb 2020

CAcert Event in Staffordshire - 11th Feb 2020 at Keele University

CAcert Event in Staffordshire – 11th Feb 2020, 7pm

Good news: There will be a CAcert event in the United Kingdom!

The CAcert event will be on the 11th February 2020. The main talk will begin at 7pm, the doors will be open for earlier arrivals from 6pm onwards.

The CAcert Event will be at the StaffsLUG Workshop, Internet Central, Innovation Centre, Keele Science Park, ST5 5NB, Newcastle-under-Lyme/Stoke-on-Trent, which you can find details (and maps of) of at this URL: https://staffslug.org.uk/events/

All users of any OS are welcome to come along! Disregard the fact that StaffsLUG are helping to host it!

You should be able to find details of the event at this other URL which is our calendar: https://staffslug.org.uk/calendar/

But essentially it’ll cover…

  • An introduction to CAcert from one of their UK volunteers Alex.
  • We’ll also cover SSL in general for anyone unfamiliar.
  • Time for assurances (for free certificates with CAcert, you’ll need this), to participate in this you’ll need to bring some form of ID as mentioned here (e.g. Passport and Driving License).
  • We’re being joined by people from CAcert and existing users of CAcert who’ll be able to help issue points during the assurance part.

If anyone has any further thoughts about things we should be considering for the event and/or things you like to see covered. Let us know! For the latest details, see our UK mailing list: https://lists.cacert.org/wws/info/cacert-uk

New Committee constituted

The constituent meeting of the comittee took place on December, 23rd 2019. At this meeting, Sascha T was given a warm welcome. Furthermore, strategic issues were discussed and offices were allocated within the board.

Brian M will remain president, Peter N vice president and Etienne R secretary. The office of treasurer will be filled definitively in the coming weeks.

Deutsch: Am 23. Dezember 2019 hat die konstituierende Sitzung des Vorstandes stattgefunden. Dabei wurden strategische Fragen erörtert und die Ämter innerhalb des Vorstandes verteilt.

Français: La réunion constitutive du comité a eu lieu le 23 décembre 2019. Lors de cette réunion, des questions stratégiques ont été discutées et des bureaux ont été attribués au sein du comité.

Deutschland ist wieder im CAcert-Vorstand vertreten

An der Generalversammlung wurde die Jahresrechnung 2018/19 genehmigt und der Vorstand im Amt bestätigt. Infolge Rücktritt konnte ein Sitz neu besetzt werden. Mit Sascha T ist Deutschland wieder im Vorstand vertreten. Das macht durchaus Sinn, ist doch die CAcert-Gemeinschaft in diesem Land sehr stark.

English: At the General Meeting, the annual accounts for 2018/19 were approved and the committee was confirmed in office. As a result of resignations, one seat could be newly filled. With Sascha T, Germany is again represented on the board again. This makes sense, as the CAcert community is very strong in this country.

General Meeting 2019 – save the date!

CAcert’s Annual General Meeting 2019 will be held on Saturday, 30. November 2019, 20:00 UTC = Sat 21:00 Central Europe* = Sat 15:00 NY* = Sun 07:00 Sydney*…..

20:00 GMT / 20:00 UTC / 21:00 CET (Berlin/Zurich) / 15:00 EDT (New York) / Sun 1.12.2019 07:00 AEDT (Sydney)

Further information will follow.

see https://wiki.cacert.org/AGM/Next

Thank you so much!

Our treasurer tries to owe donations personally. Now we have learned from our German support association secure-U e.V. that many European CAcert supporters have made use of the possibility to transfer donations directly to their bank account. Also a big thank you to all these donors, even if we don’t know them by name!

Herzlichen Dank!

Unser Kassier bemüht sich, Spenden jeweils persönlich zu verdanken. Nun haben wir von unserem deutschen Unterstützungsverein secure-U e.V. erfahren, dass sehr viele europäische CAcert-Unterstützer von der Möglichkeit Gebrauch gemacht haben, Spenden direkt auf deren Bankkonto zu überweisen. Auch all diesen Spendern ein herzliches Dankeschön, auch wenn wir sie nicht namentlich kennen!