Category Archives: Information

General news/information to the CAcert community or about security in general

Software-Assessment-Project reached next milestone

Todays systemlog message marks the quantum leap in our about 10 months project work, to become the Software-Assessment area auditable.

As many Software-Updates are in the queue from the software developers, that needs testing and reviews by Software Assessors, the team started by end of last year with this project,

to build up a new ”controlled” testserver with authority by Software-Assessors
built up by the critical team as a Disaster Recovery testcase
a new central repository for all the upcoming software projects (including the New Software project BirdShack)
building a new test team running the software tests
and finalyze the process by a review of the patches by 2 Software-Assessors
document the patches, the testing, the review and the check by two Software-Assessors
to bundle the new Software-revision for transfer to the Critical team

The systemlog message signals, that the first tested and reviewed patches has received by the critical system webdb and is incorporated into production. A new tarball has been generated to build the next basis for applying the next patches.

So here my thanks goes to all the involved teams,

Software-Assessment-Project team
the new Software Testteam
the Critical Sysadmins team
and last but not least to the Software-Assessors from the Software-Assessment team

With all these people assistance, this project hadn’t be pushed to this milestone. Thank you Andreas, to build the project plan and the technical background, and also hosting the current testserver, Thank you Wytze for all your work to build the new testserver from scratch as identical as possible to the production server, to Michael, who assist us in deploying the new git repository and also assistance in deploying the Testserver-Mgmt-System, so everybody can start testing w/o the need of console access, Thank you Markus, for all your time and effort to deploy the repository and testserver environment and also your work together with Philipp as Software-Assessor, to finalyze the Software-Update-Cycle. Thank you Dirk for all your suggestions to move on with this project.

Some more work is todo:

adding a test-signer, so also cert related patches can be tested in the future (Andreas and Markus are working on this)
deploying a C(ontinous)I(ntegration) system for automated testing (Andreas is working on this).

Now the teams have to walk thru the list of open bugs, that needs to be pushed thru … First of all is the “Thawte” bug … to signal all users who’ve got their Thawte points transfered by the old Tverify program if they are effected by the points removal or if they are safe. The CCA-Rollout with a couple of patches, a list of new Policies and Subpolicies related patches (eg. PoJAM, TTP program), a list of Arbitration pushed patches, and so on …

So guys, lets have a party tonight, we’ve wiped out one of the biggest audit blockers!

The Big Masterplan to become Audit Ready

Leave a reply

Back in January 2010 the former Board decided by Board motion m20100117.3 “No new subroots on current root, plan for new root”. In the discussion a date was scheduled by end of Dec 31, 2010. On my 2nd thought, probably nobody did recognize, what that means, CAcert's Big Masterplan To become Audit Ready (01/2010) to finish all the projects from the bottom left corner at beginning of 2010 to the top right corner by end of the year with the “New Roots and Escrow” () process running. So this article should bring Audits mistery to light.

Policy Group worked on the last few essential Policies ( Policies on Policy Group ), that are essential for the Audit. One essential requirement for Audit is to Rollout the CAcert Community Agreement to all the members, so they can decide to continue or to leave the Community. To become “CCA Rollout Ready” (), the running Software needs to be updated. This opens the next problem: by starting 2010, there was no Software Update Process defined, nor documented. But we’re on the lucky side, the Software-Assessment-Project started November last year to fulfill this requirement (). The task was: To get a repository system controlled by Software-Assessment team, a controlled testserver environment and a documentation system. Currently the team tests the transfer of a test patch to the production system. Involved parties: Software-Assessment Project team, Software-Assessment team and the Critical Sysadmins team.

CAcert's Big Masterplan To become Audit Ready (10/2010)
CAcert’s Big Masterplan To become Audit Ready (10/2010)

In the meantime, another issue pop’d up: the “Thawte points removal” with a deadline of Nov 16th, 2010. We’ve allready posted several blog posts on this topic. So also this is related onto the Software-Assessment-Project progress ().

The next topic is running Assurer Training Events (ATE) (). ATE’s are an essential concept in the Audit over Assurance (RA) business area. To scale a worldwide community, the community has to assist Auditors work in doing Co-Audits over Assurers. The question: How to contact groups of Assurers was answered back in 2009 with the ATE concept. The purpose of ATE is twofolded: first to communicate to the Assurers all the new informations and second to do Co-Audits. As Assurers follows the invitations to the ATEs we can expect, that they are more active in the community. So also from 2009 ATE experiences, we’ve got new resources from the community by contacts on ATEs ( Get new resources ). So this was the plan for 2010 ATE season, to find more people, who can help on the several tasks and projects that needs to be finished, before the new Roots and Escrow project and also the Audit can be (re-)started. E.g.

Helping CAcert

we are searching Infrastructure Admins for the Non-Critical Infrastructure systems, all running on Unix. Familiar with system migrations for the big Infrastructure project to separate Non-Critical from the Critical systems (). This project is running about 2 years, but currently without progress.
we are searching for Software Developers (C++, Python, Java) for the New Software project BirdShack (), that was started last year, after Auditors review of the Software that concludes: „Serious difficulties in maintaining, improving and securing.” and „Cannot form conclusion over software.”, so if the plan to start with the Audit over the old Software fails, we’re close to the 2nd path: BirdShack.
we are searching for Audit consultants who can assists in the Audit next step CrowdIt disclosure system (read AGM – Audit Report 2010 – CrowdIt. CrowdIt, as a sort of wordplay on Crowd-Audit). CrowdIt is an emerging disclosure tool (based on the old DRC browser).
we are searching people, who can assist us in the funding project (), that becomes the ground base for the New Roots and Escrow project () that should be keep tracked by an Auditor, and the re-start of the Audit ( 1) and ( 2).

The New Roots and Escrow Project Relation to Audit

As said before, the New Roots and Escrow Project should be keep tracked by an Auditor. From the experiences back in 2008 on creating New Roots but fail on Roots Escrow, we’re warned to separate the Audit steps of the New Roots and Escrow Project () and the Audit over Systems ( Audit over Systems (CA) 2). Both tasks should be close together.

On the other side, we have to do an Audit over Assurance (Registration Authority, RA) ( Audit over Assurance (RA) 1). There is no requirement on bundling the RA Audit and CA Audit as both business areas have their own Policy sets and can be checked separately. This can make our work presumably easier. Easier to get Audit funding for Audit over RA. As Assurance area is closer to be Audit Ready, we can also signal to the Community Audit is back on track. This will probably push the other tasks. With a small budget we probably can double the result by getting new resources, “Hey, there is progress on the overall Audit task” – CAcert is back!

ATE-Essen Di Sept 28 – ATE-Aachen Mo Okt 4

Leave a reply

Die letzten Anmeldungen für das ATE-Essen im Unperfekthaus am Dienstag 28. September sind noch möglich.

Unverbindliche Anmeldung und Registrierung ATE-Essen:
Ich möchte am Event in Essen teilnehmen!

Details zum Veranstaltungsort und Anfahrthinweise findet Ihr im
Wiki: ATE-Essen im Wiki

Eine Woche darauf, am Montag 4. Oktober findet das ATE-Aachen Nachmittags zwischen 14 und 17 Uhr statt. Für die Abendveranstaltung haben sich leider nicht genügend Teilnehmer gemeldet, so das die Abendveranstaltung abgesagt werden muss.

Unverbindliche Anmeldung und Registrierung ATE-Aachen:
Ich möchte am Event in Aachen teilnehmen!

Weitere Infos zur Veranstaltung findet ihr im Blogpost ATE-Aachen Info
oder im Wiki Teilnehmer Listen ATE-Aachen und weitere Infos

New TTP-Assisted-Assurance to Draft – one more milestone in Policy!

Leave a reply

TTP-Assisted-Assurance to DRAFT This weekend, the Security Policy goes into DRAFT. Consensus has erupted in policy group once again.

The practicle work now can start, to write down all the documentation for the practice documents. Clean out the wiki with all the informations of the old TTP program and start spreading the new TTP-Assisted-Assurance to the CAcert deserts after the old program was frozen.

Who volunteers now to becoming the first TTP-admins ? As policy defines
Senior-Assurers to be the TTP-admins and the first new TTP requests will come soon probably
we have to deploy the policy now into practice. Thats again a Community Task. We need at least 3 TTP-Admins as following graphic displays:

             TTP ----:--> TTP-Admin (1) --> 35 points max
                 /       :         \
   Assuree =  -  -  :-  >      =----> TTP-Admin (3)  --> 35 points max (Topup)
                 \       :         /
             TTP ----:--> TTP-Admin (2) --> 35 points max
                         :........ CAcert internal ................................................

TTP-Admins should become familiar with the TTP’s available in a country of the TTP requestor so the program gets a strong path of reliance. One idea is to work close together with Organisation Assuers, who are familiar with the regulations in a country but its not limited to. These are only thoughts.

Call for Vote that the TTP Assisted Assurance Policy be approved to DRAFT

Leave a reply

CAcert Vote TTP Assisted Assurance Policy be approved to DRAFT After 9 months of develoment, deployment, rewriting, discussions, talks its now time to finalize the hard work with an approval to Draft – the reinstallation of the yet frozen, former TTP program by the new TTP Assisted Assurance Policy
Continue reading →

ATE-Aachen Okt 4, 2010 – Veranstaltungen: 14-17 (I) und 19-22 (II)

Leave a reply

Wir haben uns dazu entschlossen zwei ATE’s in Aachen anzubieten. Eine am Nachmittag, eine am Abend. Beide Veranstaltungen haben den gleichen Inhalt. So das jeder, der an dem Event teilnehmen möchte sich für die Nachmittag- oder Abendveranstaltung entscheiden kann.
Continue reading →

CAcert Assurer Training Event Essen, Dienstag 28. Sept 2010

Leave a reply

Dutch and English translation you’ll find below

[Deutsch] CAcert Assurer Training Event Essen

Es hat sich viel getan im letzten Jahr. Eine ganze Reihe von bisher eher “mündlich überlieferten” Regeln wurden in Policies gegossen. Neue Prozeduren (z.B. die Assurer Challenge) und Verpflichtungen (z.B. in dem CAcert Community Agreement) wurden beschlossen. Die Assurer Training Events wollen versuchen, die ganzen Informationen unter’s Volk zu bringen:

– Was hast du auf dem CAP Formular hinzuzufügen, wenn du Minderjährige überprüfst ?
– Was sind die 2 wesentlichen Punkte der CCA die du einem Assuree vermitteln können sollst ?
– Unter welchen Umständen können z.Bsp. niederländische Rufnamen akzeptiert werden?
Continue reading →

CAcert auf der FrOSCon 2010 (Sa 21. + So 22. Aug)

Leave a reply

Wie jedes Jahr nimmt CAcert auch auf der diesjährigen FrOSCon in St.Augustin (bei Bonn) als Aussteller teil. Interessenten können sich Assuren lassen. Ebenfalls findet auch wieder eine Keysigning Party statt.
Continue reading →

Community Update July 2010

Leave a reply

July 2010 was full of activities. Two Board members resigned. New procedures for Assurers were updated. And the Software-Assessment Project reaches one milestone.
Continue reading →

root certificates under free license, RDL

Leave a reply

The CACert policy group proudly announces the new Root Distribution License (RDL)[1], which grants the distribution of CACerts root certificates by non related parties. RDL is a free/libre compatible license to allow unrelated vendors and/or distributors to distribute CACert’s root certificates to their users.

CACert confesses itself to interoperability with free and open projects. The CACert website is soon to be updated to reflect the new RDL.
A distributable source package can be found here [2]

[1] http://www.cacert.org/policy/RootDistributionLicense.php
[2] http://sspreitzer.fedorapeople.org/ca-cacert/

~sspreitzer