Category Archives: Information

General news/information to the CAcert community or about security in general

CAcert Assurer Training Event Essen, Tuesday 28 Sept 2010

Dutch and English translations can be found below

[German] CAcert Assurer Training Event Essen Unperfekthaus Essen

A lot has happened in the past year. A whole series of rules that until now were more or less “passed on by word of mouth” have been cast into policies. New procedures (e.g. the Assurer Challenge) and obligations (e.g. in the CAcert Community Agreement) have been adopted. The Assurer Training Events aim to get all of this information out to the community:

– What do you have to add to the CAP form when you verify minors?
– What are the 2 essential points of the CCA that you should be able to convey to an Assuree?
– Under what circumstances can, for example, Dutch call names be accepted?

root certificates under free license, RDL

The CAcert policy group proudly announces the new Root Distribution License (RDL)[1], which grants the distribution of CAcert’s root certificates by non-related parties. RDL is a free/libre compatible license to allow unrelated vendors and/or distributors to distribute CAcert’s root certificates to their users.

CAcert commits itself to interoperability with free and open projects. The CAcert website is soon to be updated to reflect the new RDL.
A distributable source package can be found here [2].

[1] http://www.cacert.org/policy/RootDistributionLicense.php
[2] http://sspreitzer.fedorapeople.org/ca-cacert/

~sspreitzer

One Milestone in Software-Assessment-Project reached

Within the last week we’ve reached one milestone in our new Software-Assessment-Project.
The team has been working since November 2009 on a new Software Repository and a new Testserver.
The Testserver needed a Testserver Mgmt System to set the environment for testing new Software and Patches for the Webdb system.

scheduled systems downtime – 15th June

Wytze reports on a planned outage for CAcert main systems, as the systems are moved from one rack to another:

“The move has been scheduled for Tuesday June 15, starting at 10:00 CEST, and hopefully ending before 18:00 CEST.

During a significant part of that period, all systems will be down. We will take care of providing a backup during the outage for ocsp.cacert.org (to avoid inconveniencing browser users who have OCSP enabled for CAcert, as they should!), and a placeholder for www.cacert.org which reports the downtime and the reason for it.”

Community 2010 March Update

  • 2010-03-30 New Roots task force offers SHA2 based roots/end user certificates for testing
  • 2010-03-30 Software-Assessment Project telco 2010-03-30
    • GIT as the future Software Assessment repository passed test successfully
    • Testserver needs Testserver Management System, action plans triggered to start a deployment
  • 2010-03-27 Walter Güldenberg appointed as Events Team Leader
  • 2010-03-26 Sysadmin team works out way forward for SNI, client certificate authentication and SSL renegotiation changes in browsers
  • 2010-03-26 Security Policy – Board vetoes Security Policy Draft regarding point 9.1.4.2. Coverage – Board citing conflicts with CAcert incorporated rules
  • 2010-03-25 Ongoing update of CAcert Officers list
  • 2010-03-24 First ATE in 2010 season: ATE-Sydney with 6 co-Audited Assurances and an additional 14 interested Attendees
    • Discussions through email and irc about how to seed CAcert deserts. Plans for contacting Usergroups (existing IT related social networks)
    • mostly, area has many old SuperAssurers that will have faded away
  • 2010-03-21 Board Meeting 2010-03-21 “Determine Root escrow and recovery mechanism” review ends with no consensus
  • 2010-03-18 Rasika Dayarathna, our Privacy Officer, resigned due to lack of time. Looking forward to rejoining us later.
  • 2010-03-14 Boards Projects Overview Page started deployment
    • with this page, Board and also Community can get a better overview over the running and upcoming projects regarding Audit
    • currently active areas/projects:
  • 2010-03-13 Board Members allowed to serve on arbitration team again
  • 2010-03-06 Daniel Black gets appointed as Infrastructure Team Leader
  • 2010-03-06 Efficiency gain – Policy Officer empowered to perform minor adjustments to policy
  • 2010-03-06 CeBIT 2010 Big Assurance Event successfully passed after 5 days with a team of about 8 to 12 and more Assurers. CAcert was one of the 15 projects on the booth at the Open Source Project Lounge sponsored by Linux New Media.
  • 2010-03-03 Co-Audited Assurances Program finalized and starts at CeBIT 2010

Contributions to this Community Update by: Ian, Daniel, Uli

What’s this ATE thing then???

You have probably seen messages flying around about the ATEs, or Assurer Training Events, and you’re probably wondering whether it applies to you. The answer is:

YES, most definitely, if you are an Assurer.

This is your event, to update and to participate. More than that, it feeds into audit. This connection may be a little non-obvious, so this post is about explaining it to those wavering on their path to an ATE near them as to why you should help.

Recall that CAcert has today 3460 (and growing) Assurers around the world, and that they provide the critical information feeding into the certificates for the entire community.

That line — from Community Member to verification of information to the certificate — is of key interest to the Auditor. The certificate part is well-understood but what is less well understood is the verification part. How does the Auditor verify the actions of 3460 people spread across dozens of countries? Are they doing the job? Looking after Members? Mostly harmless or causing risks to rise?

Verifying the Assurers across the planet is a challenge we must conquer, because our audit criteria says “A.2.y The CP details how the CA verifies that [Assurers] operate in accord with the CA’s policies.” Indeed, the auditor for a big famous-name CA simply declined to audit their web of trust, and the CA found it in its heart to drop the entire thing.

But it can be done. As auditor, I visited around 8 countries in 2009 for a tiny budget of €1500 and verified personally around 80 Assurers. The German community did a similar thing across Germany, and together these results gave us a good showing. It was still marginal; we need better and broader coverage. We need scalability and we needed process, but we had our start.

From the 2009 experiment, the Assurance Team has designed a comprehensive programme to meet the audit criteria A.2.y, and the ATE is the leading part of that. At the Assurer Training Event, you the Assurer are brought up to date with changes (dramatic), informed on essential checks (of course) and then we individually record that process (carefully and slowly). All this is then collated and prepared for an end-of-season report.

The 2010 season is now underway. If you want to help CAcert’s audit process and improve on the results below, you should look out for an ATE near you. Who wouldn’t want to be involved??? Better yet, ask at events@c.o for how to run one.

2009 results

ATE-Sydney

ATE-Sydney is programmed! Masa has made available a lecture theatre at Sydney University’s IT school for an ATE on the evening of 24th March, 6:00pm. More details on the wiki.

I will attend ATE-Sydney!

The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and includes parts which contribute directly to our audit. Come and find out how you can also contribute. Please RSVP as above.

Other events in NSW coming soon, or mail me with suggestions.