Category Archives: Information

General news/information to the CAcert community or about security in general

CAcert event at Drupalcon Szeged 2008


Drupalcon is the twice-yearly gathering of Drupalers to learn about, discuss and advance Drupal, and to network with other community members. Experience this thriving community in person yourself in Szeged, Hungary!

See the Drupalcon website for more information.

At Drupalcon we’ll have a CAcert event organized by the people from erdfisch. If you need some assuring you’ll find them every day of the conference from 12:45 to 13:15 on the ground floor in the sitting corner near the registration desk.

See the full announcement: CAcert event at Drupalcon

CAcert at FrOSCon 2008

This year CAcert is again represented with an information stand at FrOSCon (Sankt Augustin, 23-24 August 2008). Interested people, Assurers and those who would like to become one are warmly invited to visit the stand and, where applicable, to sign up beforehand at http://wiki.cacert.org/wiki/FrOSCon2008 so that enough space can be kept available.
Once again this year FrOSCon offers a wide range of topics from the field of Free Software and Open Source. The programme is available online at http://programm.froscon.de.

Vulnerability Note, 14th of August 2008

CAcert certificate issuance with unverified arbitrary email addresses

Overview
The CAcert issuance of certificates had a vulnerability that permitted an attacker to add arbitrary email addresses without verification.

I. Description

Issuance of certificates is by means of login to a webpage by Members. After authenticating the Member, she is offered a choice of certificates, with a choice of pre-verified email addresses.
In the POST response to that choice, there is insufficient checking of the parameters supplied, and it is possible to add multiple additional email addresses that are not pre-verified.

The specific failure is the use of register_globals and insufficient parameter testing.

II. Impact
A Member may add email addresses from a limited range of TLDs (Japan only has been verified).

III. Solution
The parameter checking has been fixed. register_globals is now turned off in the test system to explore side effects. Operational software will follow soon.
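As an added illustration of the kind of server-side check the fix describes (example code, not CAcert's own): every email id named in the POST is looked up against the authenticated Member's own verified addresses, and the request fails closed when any id is not confirmed. The table `email` with columns `id`, `memberid` and `verified`, and the `$_SESSION['profile']['id']` layout, are assumptions made for this example.

```php
<?php
// Added example, not CAcert's code. The schema (table `email` with
// columns id, memberid, verified) and the session layout are constructed
// assumptions used only to illustrate the check.

// With register_globals on, a request parameter such as emails[]=... is
// injected straight into $emails. Reading only $_POST and validating
// each value against the authenticated member's verified addresses
// closes that gap regardless of the ini setting (keep it Off anyway).

/**
 * Return the requested email ids that are NOT verified addresses of
 * $memberId. An empty result means every requested id is acceptable;
 * anything else must make the certificate request fail.
 */
function unverifiedEmailIds(PDO $db, int $memberId, array $requested): array
{
    // Accept positive integers only; drop duplicates and junk values.
    $ids = array_values(array_unique(array_filter(
        array_map('intval', $requested),
        fn(int $v): bool => $v > 0
    )));
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id FROM email
          WHERE memberid = ? AND verified = 1 AND id IN ($marks)"
    );
    $stmt->execute(array_merge([$memberId], $ids));
    $ok = array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
    // Whatever the database did not confirm is rejected (fail closed).
    return array_values(array_diff($ids, $ok));
}

// POST handler fragment: $db is a PDO connection; the member id comes
// from the server-side session, never from the request.
$requested = isset($_POST['emails']) && is_array($_POST['emails'])
    ? $_POST['emails'] : [];
$memberId  = (int) ($_SESSION['profile']['id'] ?? 0);
$bad = unverifiedEmailIds($db, $memberId, $requested);
if ($memberId === 0 || $requested === [] || $bad !== []) {
    http_response_code(400);
    exit('Request names email addresses not verified for this account.');
}
// Only now continue and issue the certificate for the verified ids.
```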

Systems Affected
Only Japan TLD addresses may have been affected. There is no indication that any prior issued certificates with Japan TLD email addresses are other than valid.

This is a Member-reliance issue only. Any disputes will be filed in CAcert’s internal Arbitration forum.

Vendor    Status    Date Updated
CAcert    Fixed     14th of August 2008

References

bug report
Kriss Andsten's blog

Credit
CAcert credits Kriss Andsten for reporting this issue.

CAcert, Teus Hagen

Assuring Party @ DebConf8, Argentina.

A new CAcert Assuring Party will take place at DebConf8 in Mar del Plata, Argentina, right next to the Keysigning Party[1], during this Thursday.
To obtain assurance at the event:
  1. Login to the CAcert site and click the "CAcert Web of Trust" menu and then click on one of the WoT forms.
  2. Print that form out and verify that it has complete and accurate information.
  3. Bring it and 2 forms of government issued photo identification (one will be accepted, but two are preferred in case of doubts about document validity).
Please also read over the following pages: http://wiki.cacert.org/wiki/FAQ/AssuranceIntroduction and http://wiki.cacert.org/wiki/FAQ/AssuranceByCAP.
There are some printers you can use to print forms at DebConf FrontDesk on the ground floor of the "Hotel Dora".

See you in there!

Assurance Policy now in DRAFT

A week or so ago, the policy group pushed the Assurance Policy into DRAFT, which means according to PoP that it is now binding on the community.  To all the Assurers out there, this is your policy!

You should take a moment to have a look at it.  As it is in DRAFT, there is room for change, although each change will need to be voted through in the policy group.   You will see its evolution in the striking and bolding of parts.  Also be aware of the Assurance Handbook, which is where most of the daily practice will end up.  Now that there is a policy, the Handbook should also evolve more clearly and more rapidly.

The Assurance Policy establishes many things that in the past have been unclear or subject to variation.  Here’s a brief list of some changes:

  1. The general standard of a Name is that it is as written on a government-issued photo ID.  It should be recorded as fully as possible.
  2. However, because there are many variations in real life, multiple names will be possible.  That is, the online system will have a new feature added to it to add extra names, each requiring full Assurance independently.  When that is done, this will address the difficulties that people have with different documents, transliterations, married names, middle names and initials, etc.
  3. We’ve always encouraged Assurers to assure each other mutually, and this policy goes one step further:  it encourages non-Assurers to also assure you, under your supervision.  That is, when assuring a Member, you take the Member through the process of Assurance as if she were an Assurer.  You advise her on the steps, and encourage her to allocate 0,1,2 Assurance Points to you according to her judgement.  Be strict, it is better for her to allocate zero points to you to get used to the idea of assessing Name and other issues. You keep the forms, and when we get the system changed, you will enter in her points. Mutual Assurance will help us in the future:  It has the benefit of equalising the relationship, explaining the whole process, preparing the junior Member for the role and responsibilities of Assurer, and also identifying who you are to her.  As you the Assurer will be responsible for the entire result, and it takes extra time, you can choose to do it or not.
  4. As we now live in a world of Identity Theft, it is important for you the Assurer to protect the Members from harm.  In particular, false Assurances do happen, and could be used to acquire valuable information.  To this end, the Assurance Policy states:

    “A Member may check the status of another Member, especially for an assurance process…”

    In the future, we will need some way for you the Assurer to show you really are an Assurer.  How that is done is left up to the systems and management people; a future thought puzzle.

  5. The final big change is that Experience is no longer to be reflected in the Assurance Points.  In the future, there will be a separate set of points, called Experience Points.  Each Assurance you conduct will earn you 2 Experience Points, as before.  Separating out the points to match their meanings gets rid of a lot of mental gymnastics.  Again, we have to wait until the software is done.

As you can see, there is more work to do!  The policy needs to be reviewed, improved and taken the final step to POLICY.  Until it goes to POLICY, you still have a chance of fixing or improving it, even though it is already binding on you, the Assurer.  And, the Handbook needs updating with the new Policy work.
Also, the account system needs to be updated to add these features:  multiple names, a new set of points for Experience, mutual Assurance, and perhaps some support for showing your status as Assurer.  This will take time, but help will make it go faster:  are there any PHP programmers who can help make those coding changes?

Canberra Australia assurance event and CAcert presentation, 24th July

There will be a CAcert presentation and a WoT assurance event in Canberra on the 24th July at 7pm (localtime). It will be held at the ANU as a Canberra Linux Users Group meeting. Anyone who wants to turn up is welcome. The initial talk will be on Linux music, followed by a brief talk on SSL, certificates, CAcert services and needs, and finally assurance services will be offered.

Bring along your government IDs, printed personalised WoT forms available from CAcert My Account (CAP/TTP Forms) and $6 for pizza afterwards.

heise SSL Guardian

Heise has developed the SSL Guardian tool, which is able to detect compromised server certificates for all Windows applications that use the CryptoAPI. To secure your Windows machine for free, please head over to http://www.heise-online.co.uk/security/Heise-SSL-Guardian–/features/111039/

Assurers at Festival Of Roses 2008

On August 8, 9, 10 and 11 the Festival Of Roses (Rozenfestival) is held in Lottum, the Netherlands.
If you plan to visit and you’re looking for assurers, Maurice and Joost will be at the festival itself (and several more in the vicinity).

There will be no official CAcert stand and no official CAcert presence, so please make arrangements with us in advance; otherwise finding us can be hard.

CAcert.org at OpenExpo08 in Zürich/Winterthur – September 24./25., 2008

OpenExpo, the Swiss conference and trade show for Free and Open Source Software, takes place for the 5th time Wednesday and Thursday September 24 and 25, 2008 at the Eulachhallen in Zürich/Winterthur. Read more… http://www.openexpo.ch/en/openexpo-2008-zurich

Additional Swiss assurers, or assurers from any country who have passed the assurer test and are willing to help, please register in the CAcert.org Wiki: http://wiki.cacert.org/wiki/OpenExpoCH2008-Z%C3%BCrich/Winterthur
