Bigger and Badder! The Fifth Annual Southern California Linux Expo is coming! It will be February 10-11, 2007, at The Westin Los Angeles Airport. Due to year over year growth, we’ve moved the Expo to a new location which will allow us to expand. We’ll have more speaker tracks, and more tutorials designed to show users of all skill levels what Open Source can do. And SCALE 5x will offer more booth space for those interested in showing how they have made Open Source work for them. You will again be able to find assurers in attendance this year.
Category Archives: Information
Potential system down time
Over the coming weeks, CAcert will be moving its systems from our current co-location in Sydney, Australia, to hosting over multiple sites in both the Netherlands and Austria.
During the migration, there will almost certainly be some outages of various services, ranging from a few minutes to a few days as we undertake this mammoth task. We hope to minimise all disruptions, and priority will be given to mission critical infrastructure such as the OSCP responder and CRL lists.
Updates to the migration, and as much possible advance warning of any downtime will be posted to the CAcert website, and where possible also posted to the cacert-users mailing list.
I would like to extend a personal thank you for everyone’s dedication and continued support for CAcert.
Early in the new year, the legal entity CAcert, Inc. will be having its annual general meeting, and a formal announcement of the date, and notice of the meeting will be published soon.
CAcert on the ChaosCommunicationCongress 2006 in Berlin
CAcert auf dem Chaos Communication Congress 2006 (23C3) in Berlin
english readers please read below
CAcert wird auch dieses Jahr wieder auf dem diesjährigen ChaosCommunicationCongress zwischen den Feiertagen vom 27. bis 30.12.2006 vertreten sein und wird hier kostenlose Assurances anbieten.
Interessenten sollten sich zunächst kostenlos (wenn nicht schon geschehen) einen Account bei CAcert.org anlegen (falls dies nicht vor dem Congress möglich ist geht dies auch zeitnahe nach der Veranstaltung); notwendig hierzu sind neben dem Namen lediglich eine gültige E-Mail-Adresse und ein möglichst sicheres Passwort. Am Stand kann nun dieses Benutzerkonto verifiziert und die dazugehörige Person identifiziert werden. Für diesen als “Assurance” bezeichneten Vorgang ist jedoch die Vorlage mindestens zwei gültigen Ausweisen, eines davon sollte in amtlicher Lichtbildausweis (z.B. Personalausweis oder Reisepass) sein, die dann am Stand überprüft und verifiziert werden. Nach erfolgter Überprüfung erhält jeder Benutzer Punkte, die seine Vertrauenswürdigkeit widerspiegeln. Zum einen kann ein so assurter Benutzer im internen Bereich der CAcert-Website selber beglaubigte Zertifikate ausstellen, aber auch über ein “Web of Trust” Punkte an andere Benutzer vergeben.
Assurer, Interressierte und Besucher können sich gerne unter http://events.ccc.de/congress/2006/CAcert über den aktuellen Stand informieren sowie sich als Helfer eintragen.
english version:
CAcert will be represented on this year’s ChaosCommunicationCongress between the winterholidays from 27th to 12-30-2006 this year and will here offer free CAcert Assurances. Interested parties should join thisbefore, also contemporary goes after the event lay out an account at CAcert.org free of charge next to themselves (if not happened already; if this isn’t possible before the Congress); merely a valid electronic mail address and a password as safe as possible are necessary to this besides the name. This user account verified and the necessary person can be identified at the booth now. For this process described “as an Assurance” the presentation is, however, at least two ID-Cards one should of this into be an official transparency card (e.g. identity card or passport), this would be checked and verified at the booth valid cards. After check having been carried out every user gets points which reflect his trustworthiness. On the one hand, a so assured person can issue certificates certified in the internal area of the CAcert web site but allocate points to other users also over a “web of trust”. Assurer, interrested people and visitors are welcome to ask under http://events.ccc.de/congress/2006/CAcert about the current stand as well as put down their name as a helper.
updated CAcert Privacy Policy
The CAcert Privacy Policy was updated. Joined newly to the Policy are the privacy of the issued certificate and the data accessible to Assurers is defined more exactly now.
The whole Privacy Policy could be found under: https://www.cacert.org/index.php?id=10 or as usual at the bottom of each webpage of cacert.org.
Mozilla, Opera and co only tout open standards as it suits them
With the advent of the CABforum as a trade group for commercial CAs designed to keep everyone out that isn’t looking to make a big buck out of others you’d think the browsers with their cries of standards and openness so they don’t get locked out by Microsoft wouldn’t be so quick to jump on this band wagon, but the complete opposite is true.
So what should we do as users, well as one person pointed out they plan to boycott all Microsoft products that contain additions to their software that supports EV certificates but we can do much more then that. Remember the only ones to benefit from this are large commercial CAs such as Verisign, and browsers via kick backs, although it seems Verisign has spun this so well they won’t need to pay anyone a cent.
This will effect the 99% of small businesses (or even medium sized business) that can’t justify spending the big bucks to get EV certificates, it will effect partnerships, sole traders and even in most cases Universities. If you ever expect to get an EV cert and you’re not a bank or big company, well forget it, even if you had the money to cover it, the standard is set so high that you wouldn’t be eligible in any case.
If you ever thought of running a business over the internet now is the time to have your say otherwise it could be too late to voice an opinion.
EV certs are being touted by Microsoft as preventing phishing, but as so few phishing attacks utilise SSL at present this claim is laughable at best.
A New Vulnerability In RSA Cryptography
A new vulnerability associated with RSA cryptography has been found, which works by spying the CPU internals with a spy program running on the same computer as the crypto application. Dedicated systems (like CAcert´s certificate generation) are not affected, only multi-tasking and multi-user systems are affected.
http://it.slashdot.org/article.pl?sid=06/11/18/2030247
A New Vulnerability In RSA Cryptography
Posted by kdawson on Saturday November 18, @04:45PM
from the predictions-of-trouble dept.
romiz writes, “Branch Prediction Analysis is a recent attack vector
against RSA public-key cryptography on personal computers that relies
on timing measurements to get information on the bits in the private
key. However, the method is not very practical because it requires
many attempts to obtain meaningful information, and the current
OpenSSL implementation now includes protections against those attacks.
However, German cryptographer Jean-Pierre Seifert has announced [1]a
new method called Simple Branch Prediction Analysis that is at the
same time much more efficient that the previous ones, only needs a
single attempt, successfully bypasses the OpenSSL protections, and
should prove harder to avoid without a very large execution penalty.”
From the article: “The successful extraction of almost all secret key
bits by our SBPA attack against an openSSL RSA implementation proves
that the often recommended blinding or so called randomization
techniques to protect RSA against side-channel attacks are, in the
context of SBPA attacks, totally useless.” [2]Le Monde interviewed
Seifert (in French, but Babelfish works well) and claims that the
details of the SBPA attack are being withheld; however, a PDF of the
paper is linked from the [3]ePrint abstract.
1. http://eprint.iacr.org/2006/351
2.
http://www.lemonde.fr/web/article/0,1-0@2-651865,36-835944@51-835781,0.html
3. http://eprint.iacr.org/2006/351
Signing PDF documents
We would like to announce the availability of free PDF signature applications:
PortableSigner from http://portablesigner.sourceforge.net is a nice application with a GUI.
CAcert PDF Signer is an older, commandline only application.
Both applications are running on Java, and use the iText library, and should work on Linux, MacOSX and Windows.
http://wiki.cacert.org/wiki/PdfSigning
New Jobs at CAcert
Due to the growing demand, CAcert is currently growing it´s organisation structure to better handle the work. We decided to enable people to become product managers for the various products we have, and to create a couple of positions for officers dedicated to specific topics/tasks.
The available positions for Product Managers are:
Timestamping, OpenPGP signatures, X.509 certificates, Jabber certificates, Assurance System, Organisation Assurance, Revocation (OCSP+CRL), Digital Signatures, Electronic Invoices, SmartCards
The available areas for Officers:
Security Officer, System administration, Software Officer, Standardisation Officer, Human Ressources, Quality Officer, Public Relations Officer
If you are interested to help CAcert in any of the mentioned fields, please read about the details at http://wiki.cacert.org/wiki/ProductManagers and contact us.
Thanks for all your help!
Verisign Extended Verification Certificates
Of late Verisign has been heavily pushing a new initiative for extended verification certificates, going so far as being on record criticising Mozilla for not keeping up with security innovations that Microsoft has already implemented, to give this some context, EV certificates are similar to the Class 3 certificates CAcert issues, minus the huge price tag.
While we applaud the effort to unify procedures and processes CAs employ we feel things have been heavily slanted towards commercial certificate authorities so much so that it seems to be more about keeping a strangle hold on the market and the price tag that comes with it then any actual improvements with security that end users might enjoy.
As a result, there is a number of flawed assumptions being pushed that can only be seen as helping out Verisign’s bottom line, not helping out end users, and while I can understand Microsoft’s motivations for accepting Verisign’s recommendations so openly, one must start to question Mozilla’s motives for even contemplating doing the same.
Now, if this was to truly help out users, surely we would hope for wide spread adoption, but this won’t be the case, even Verisign has expectations that 99% of sites will stick with the status quo. This becomes even more interesting when you take into account how this will be or is implemented in browsers.
Currently Firefox turns the URL bar yellow when the site is secured with SSL, with EV certificates the URL bar will turn green, this is supposed to indicate that the site is great and super and should be implicitly trusted, but if most sites are yellow users will tend to associate yellow as being just as good as green. We’ve seen this behaviour in the past with people simply clicking through any popups, which occur far too regularly and people only end up clicking without even reading them.
CAcert was aware at the time of discussions that occurred between most/all browser vendors and some certificate authorities, however when we asked to participate our requests largely fell on deaf ears.
The bigger problem here is with the Mozilla Foundation itself, well over a year ago, there was university trained researchers falling over themselves to help out the mozilla foundation, they had conducted real studies into how to improve the browser experience and way to help users to detect fraudulent websites. The Mozilla Foundation basically snubbed the researchers and their efforts at creating proof of concepts in the hope of having their research utilised for the benefit of everyone.
The research has since been incorporated in tool bars by HP and others for Internet Explorer.
It makes you wonder how much research Verisign and others have completed to back up their claims that this will help users?
This is yet another example of people being told what they need to be safe, when it’s most likely not going to do anything except convince businesses to spend more money with Verisign, so again I’m left wondering why the Mozilla Foundation is entertaining this current push by Verisign to lock out competitors, and has little or no benefit for users and businesses in general, even though helping users is the excuse being used as why this is needed.
Signing party in Lyon, France, 13 & 14 oct. 2006.
Two assurers will be present at JDL, Lyon, oct. 13 & 14.
See http://www.jdll.org/
—
Th. Thomas.