Category Archives: Information

General news/information to the CAcert community or about security in general

Servers Moved (comments from audit)

The CAcert critical services are now running on machines in the Netherlands.  This involved shutting down the machines in Vienna, transporting the data to Netherlands, handing over to a new team, and bringing the data up in the new location.

Names and places of the running systems will be mentioned elsewhere no doubt, but our thanks go to two groups in Vienna:  Funkfeuer and Sonance.  These two community groups provided the help when it was needed, and now they stand down from operational support to CAcert, retaining only a mention in the history (and, of course, many future Assurances).

To look at the audit context: although I was there, this move was not an audited, officially monitored operation. This is because (a) the audit was frozen back in December of 2006, partly because of the difficult systems issues, (b) we still lack the full documentation set against which to audit, and (c) the new team are focussed on getting basic control, and are not ready for dual control. Also, always remember to view the auditor's presence under the Heisenbergian lens of skepticism! It is your job to check the move and make it safe. The auditor makes sure you are doing the job, so that we can all rely on the job being done each and every time.

Once we have a declaration that things are under control, and the team has expanded its vision beyond the brutal short-term needs and started on its impressive task list, we will look at getting the audit formally restarted.

Still, that all said, the big job has been done, and done well.  The systems are now in place in the BIT high security ISP, and the new team is doing the work-through.  That will take place over the next few weeks.  At some stage, the new team will then be looking to carve up the work and bring in new people.  This latter expansion will be handled carefully, but it is necessary.  Think about that…

You can help in two ways. One, take load off the systems people by helping in support, software and a myriad of other tasks. Two, get the CPS into DRAFT by answering the two blocking challenges. Over to you!

CAcert 2008 Annual General Meeting

To all Association Members and interested Community Members.

The CAcert Annual General Meeting will be held on the 7th of November 2008 at 23:00 UTC via IRC CAcert channel.

Any persons believing that they are an Association Member but have not paid membership fees please contact the CAcert Treasurer. Any persons wishing to become an Association Member please get your applications in now. Voting rights will only be given to fully paid up Association Members.

Any Association Members that have not paid their membership fees for three years will automatically be removed from the Association Membership Register.
Draft Agenda:

  • Opening
  • Minutes from 2007 AGM
  • Minutes from SGM in spring
  • New Association Member nominations
  • Financial report
  • Report on re-hosting CAcert services in Nld
  • Report on the Audit Project
  • Election of new board for next year.
  • Public Officer appointment
  • Close of meeting.

day 3


The systems team visited the Ede BIT centre to create backups and install a new drive. The systems have now been passed over from the old team of Philipp to the new team of Mendel and Wytze. The new team has a full book of work ahead of it and will look favourably on any locals who could help.

Root team has created trial keys but did not attempt a real root due to concerns over entropy and precise sub-root configuration. Current plan is to sort out these issues and re-convene end of November. This is not a blocking task.

At seven, the completion event took place at 'Planken Wambuis'. During a delicious dinner, the events of the last few days were talked through and the remaining tasks were briefly discussed. Around 22:30 the party broke up and went home.

day 2


The second day was mainly testing and making preparations for the root key ceremony.
A bug has been found in OpenSSL which blocks the root key creation on Friday.

day 1


At 9:06h CET on Wednesday, the team arrived at BIT, the Dutch ISP. They started by opening the sealed disks under the watchful eye of the auditor and one person from the Dutch ISP. Around 12:00h the servers were booted and the data integrity was checked. At 13:32h the servers were running.
The team is now smoothing out the last glitches, doing extensive tests and monitoring the servers closely. Some outages are still possible in the coming days.

We got some questions by mail regarding the SSL keys and the (possible) Debian vulnerability.
There are blacklists of sites which may have this issue. Unfortunately, the off-line page was also on this list.
After investigation, it turned out the off-line page was running on a computer which had been booted with an older live CD containing the bug.
Since it was a single static page, no harm is done. Our on-line site has different keys and it has been verified that these SSL keys are OK.
CAcert apologises for this inconvenience.

Rehosting: Travel day


The servers were shut down around 8:00h CET on Tuesday and a temporary page was set up for the off-line period.
After the disks were removed and sealed under the watchful eye of the auditor and one person from the Austrian ISP, the Vienna team started on their roughly 1100 km trip to the Netherlands and arrived late in the evening.

Rehosting: Last preparations


Yesterday, 26th of September, the website was down for a brief period around 7PM CET.
An extra disk was added to the server for backup purposes.
The final backup will be made on Monday around 7PM CET.

This is the first blog entry where CAcert informs the users on the progress of the rehosting of the critical servers.

CAcert Server transfer and downtime.


As you may have read in previous blog entries, CAcert is moving the last servers from Austria to the Netherlands. These servers are the mission-critical systems. This is done to comply fully with the very strict security rules that are in place for inclusion into mainstream browsers. The Netherlands location is planned to host the servers in a full dual-control and four-eyes environment, at both physical and logical levels. As an audit requirement, this is essential for balancing the security of certificates. Also, some internal protocols will have to change due to hardware issues.

The systems will have a short shutdown on Friday evening, 26th at 19:00 for a brief period for backups. The servers will be shut down from 07:30 Tuesday morning, 30th September. We have blocked out the period September 30 to October 4 for the project. Hopefully, we will not be down for that entire time, but because of the size of the project it is best to plan on at least 2 days of downtime. During the downtime, an alternative page and the blog will show the progress of the move. The blog, e-mail list and wiki will be available since they are already hosted at the new location in the Netherlands. During the downtime, no Account changes can be made, nor can new Certificates be issued or Assurer actions be done. Please be aware of that downtime period. CAcert will inform all Members via the blog as soon as the Services are up and running again. More details are found on the wiki.

An international team of experts will be working on this relocation project. As well as our CAcert systems people, we will be supported in the Netherlands by people from BIT (ISP), Tunix (firewalls) and Oophaga (CAcert hosting in NL). In Austria, we will be supported by Funkfeuer (ISP) and Sonance (Verein). Should any problems arise during the move, the team will tackle them there and then.

If the servers are moved successfully, we will be back on track with the audit and CAcert can move on. If CAcert does not relocate the servers, or fails to do so, it will have severe consequences for CAcert. In such a case the chance of passing the audit and achieving root key inclusion in the mainstream browsers will be lost. The Austrian servers will be shut down permanently.

At the Annual General Meeting of CAcert Inc. on 7th of November, a report will be made to the Association Members and, if needed, decisions for the future will be taken.

update:

The backup date will be Monday, 29th (19h CET).

AR.20080902.A1 CPS issues: 2 bugs

One side issue relating to the earlier post: in order to release funds for the critical systems work, we will need to sort out the CPS quickly.  There are two blocking questions that need to be fixed, so I’ll list them here for all to think about:

CPS Bug #1: Assurance is now on a good footing with the DRAFT Assurance Policy, and we can state with some confidence that CAcert does a good job at identifying people within the community.

But there is a bug: the certificates with names do not always use Assured Names. Specifically, in the Organisations, there is no compelling reason to use Assurance information or anything else to name people. So Members are faced with a “name” that is either strongly Assured, or worthless, or somewhere arbitrarily in between.

How are you to tell the difference? Perhaps by looking further into the certificate, but forcing people to investigate every certificate to figure out detailed issues makes a mockery of the process, and of the Assurers.

Let’s put it to you:  Should the Name in the certificate (specifically, the CommonName or CN field as shown by software) be

  1. always Assured?
  2. always strong through some other mechanism, either Assurance or otherwise?
  3. sometimes Assured, sometimes unknown, like now?
  4. entirely variable at the discretion of the person?

All of these choices have merits.  For example, the last one looks odd, but is maybe OK, if we recall that all certificates will identify the Member through the serial number.

What do you think?  Over on the policy group, a choice will have to be made somehow, so dive on over there and help.

CPS Bug #2: The domains and email addresses placed in certificates are only ping-tested once, when added. Over time, various changes and problems can occur, such as transfer, expiry, loss, etc., so this is not good. Something has to be improved. The question is, what? These are the possibilities I have seen so far:

  • frequent or regular ping checks on email addresses,
  • automatic revocations on domain expiry or transfer,
  • a change made to a website through HTML text or headers, etc, to show control,
  • a change made to DNS records to show control,
  • a change made to Registry records to show ownership or delegation of control,
  • a statement of ownership or control made to CAcert in the online system,
  • or?

Probably we need some combination of two or more of the above, because some of them will be hard for people to do. As before, check in on the policy group to express your opinion.
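To make the combination concrete, here is an added example (not CAcert code) that checks a domain against two of the options above, a DNS TXT token and an HTTP header or HTML meta tag, and combines that with a regular re-check interval so that a domain which stops proving control is first flagged and then, once the last good validation is stale, marked for revocation. The token scheme, the header and meta tag names, the 90-day interval and all sample inputs are assumptions for this illustration.

```python
# Added example (not CAcert code): re-validate control of a domain named in a
# certificate via a DNS TXT token or an HTTP header / HTML meta tag, and flag
# validations older than a re-check interval. Token scheme, header name,
# meta tag name and the 90-day interval are assumptions for this illustration.
import hashlib
import hmac
import re

RECHECK_DAYS = 90  # assumed policy: control must be re-proven at least this often

def expected_token(secret: bytes, domain: str) -> str:
    """Per-domain challenge token derived with HMAC so it cannot be guessed."""
    return hmac.new(secret, domain.lower().encode(), hashlib.sha256).hexdigest()[:32]

def dns_proves_control(txt_records, token):
    """True if any TXT record (quoted or bare) carries the expected token."""
    return any(r.strip().strip('"') == f"cacert-verify={token}" for r in txt_records)

META_RE = re.compile(r'<meta\s+name="cacert-verify"\s+content="([^"]+)"', re.I)

def http_proves_control(headers, body, token):
    """True if the response header or an HTML meta tag carries the token."""
    if headers.get("X-CAcert-Verify", "").strip() == token:
        return True
    m = META_RE.search(body)
    return bool(m and m.group(1) == token)

def domain_status(domain, secret, txt_records, headers, body, days_since_check):
    """'valid' if control is proven now; otherwise 'recheck' while the last
    validation is still within the interval, 'revoke' once it has gone stale."""
    token = expected_token(secret, domain)
    if dns_proves_control(txt_records, token) or http_proves_control(headers, body, token):
        return "valid"
    return "revoke" if days_since_check > RECHECK_DAYS else "recheck"

def sample_run():
    """Constructed inputs: one domain still proving control via DNS, one that
    stopped proving control recently, one that lapsed long ago."""
    secret = b"constructed-ca-secret"
    tok = expected_token(secret, "example.org")
    return {
        "example.org": domain_status("example.org", secret,
            ['"v=spf1 -all"', f'"cacert-verify={tok}"'], {}, "", 200),
        "recent.example": domain_status("recent.example", secret, [], {}, "<html></html>", 30),
        "lapsed.example": domain_status("lapsed.example", secret, [], {}, "<html></html>", 400),
    }

if __name__ == "__main__":
    for name, status in sample_run().items():
        print(f"{name}: {status}")
```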