Category Archives: News

News Relating to CAcert

Changes at CAcert: New Points Counting

Leave a reply

We are proud to announce recent changes in the CAcert website. Although there have been quite a few changes in the past, mostly they have happened “behind the scenes”. Today we can announce more visible changes:

1. Change to My Points page
The Point list in the menu under “My Details” -> “My Points” will be enhanced. Main Point is: The Assurance Points received and given will be allocated in a new way. The crucial point was the working total of Assurance Points allocated to the Assuree. Previously, only the beneficial points were displayed, and points allocated in Assurances were rounded down if in excess of 100.

From now on, all allocated points are displayed. The Assuree can still only benefit up to a maximum of 100 Assurance Points. As an Assurer, the member may benefit up to a maximum of 50 Experience Points by assuring other members. The new list will display the calculation much more transparently. Please have a look at the new points listing at https://www.cacert.org/wot.php?id=15

2. Tverify points revoked
Along with this change, all points allocated under the old Tverify program will be revoked in the near future. The Tverify program to transfer points allocated by Thawte Notaries across to CAcert members was stopped sometime ago. Tverify points cannot be verified by CAcert (for example, they cannot be distinguished between the different Notaries), and therefore, these points will be revoked soon. If you are unsure about your level of assurance, we recommend that you seek further assurance from CAcert Assurers.

By performing these measures, we take another step towards a successful audit. Passing the audit is an important building block to be accepted as a CA in the internet browsers.

3. Check your Alert Settings
We would like to advise you of another important fact: In the future, we intend to send you further newsletters with our most important news, every few months. This present newsletter is being sent to all CAcert Community Member in a one-off mailing. For the future, please check your settings online at www.cacert.org under “My Details” -> “My Alert Settings” or at https://www.cacert.org/account.php?id=36 and choose which newsletters you want to receive. In the future, we intend to rely on your settings so as to send our newsletter only to those who wish to receive the specified information.

Best regards,
Alexander Bahlo
Officer for Public Relations
CAcert.org

Further information on the New Points counting:
https://wiki.cacert.org/FAQ/NewPointsCount

Downtime scheduled for CAcert webserver on Nov 23, 2011

Leave a reply

The CAcert main webserver will be unavailable for about one hour on Wednesday November 23, 2011, starting at 10:00 UTC. A database update is scheduled to take place on that day between 10:00 UTC and 11:00 UTC. If you are interested in the technical details, please check https://bugs.cacert.org/view.php?id=976.

We expect that the update will be completed within one hour. During the update the website cannot be accessed, and no certificates can be issued or revoked. Other CAcert services (CRL, OCSP, mailing lists, wiki etc) will remain available as usual.

CAcert at Worldwide Software Freedom Day (SFD) Sat Sept 17th

Leave a reply

Software Freedom Day LogoSaturday, 17th 2011, the worldwide Software Freedom Day or “Software Freedom International” (SFI) has been announced. In several cities around the world activities will be presented.

CAcert has representives at least in Cologne and Hamburg (both Germany).

The Hamburg event is held by Lug Balista.
The event at Cologne is at Coworking Cologne. Alexander Bahlo from CAcert will give a presentation “Signieren von Dokumenten in Open­Office.org/Libre­Office”

Event Details Cologne
Event Details Hamburg

FrOSCon 2011 in St. Augustin 20./21. August 2011

Leave a reply

For the English version see below.

Auch in diesem Jahr wird CAcert wieder auf der FrOSCon am 20. und 21. August in St. Augustin mit einem Stand vertreten sein.
Des Weiteren wird es in Zusammenarbeit mit OpenOffice einen Vortrag zum Thema “Signieren von OpenOffice-Dokumenten” geben.
Sprecht uns auf dem Stand an, um zu erfahren, welche Aktivitäten zur Zeit bei CAcert durchgeführt und geplant sind.
Mehr unter http://wiki.cacert.org/events/FrOSCon2011

English
CAcert will be present again with a booth on the FrOSCon in St. Augustin 20th/21st August.
Further more there will be a speech about “Signing of OpenOffice documents” together with OenOffice.
Feel free to come along and ask us what CAcert is doing at the moment and what are the plans for the near future. More see http://wiki.cacert.org/events/FrOSCon2011

Certificates for weak keys revoked

2 Replies

If you received email today stating that one or more of your certificates was revoked than this action was initiated by CAcert. See the announcement on the blog.

For more background information see the Arbitration page and Hanno Böck’s blog post.

A short summary, some certificates were found for private keys which could easily be cracked because of one of the following reasons:

  • Their modulus size is small (y 1024 bits) and therefore quickly be “brute forced” with usual desktop computers.
  • They use an small exponent which is vulnerable to well known cryptographic attacks
  • They used a key generated by a buggy debian system (see Debian Vulnerability).

The CAcert web page has now been modified not to accept such weak keys for certificates in the future.

We wish to thank Hanno Böck for notifying us of this problem and giving us enough time to fix it before publishing it.

Software Testers Reward Challenge – Your last chance …

Leave a reply

The Software-Testers Reward Challenge 2011 is now running the last two days. So its your last chance to climb into the hall of fame.

The Software-Testers Reward Challenge will end Thursday, June 30th at midnight.

The software tester with the highest count of reports written related to the listed bugs under the Tester Portal receives a reward of 30 Euro. The 2nd one a reward of 15 Euro.

Each report under the listed bug numbers counts 🙂

Since Tuesday we have at least two new bugs added to the testserver that you can start testing:

  • Bug #942
    0000942: CATS import interface is not fit to handle non-Assurer Challenge tests
  • Bug #948
    0000948: Email address verification violates SMTP protocol
  • For Bug #827
    there is addtl. info available under wiki bug827 infos

Happy testing

CAcert fixes potential security problem

Leave a reply

You may have received an automated mail by CAcert today or yesterday evening, stating that one or more of your certificates are unsafe and will be revoked soon.

I don’t want to go into more technical details before the relevant certificates have been revoked, if you received one of those mails some technical details are included there. Please do not use the listed certificates any more and replace them with newly issued ones as soon as possible.

New signatures for CAcert-Class 3-Subroot-certificate

3 Replies

New signatures for CAcert-Class 3-Subroot-certificate – Changes for users of CAcert-Certificates
(english version, german see below)

CAcert re-signs its Class 3-certificate with a new SHA256 signature. The formerly used MD5 signature is not seen as fully secure any more by Mozilla and is therefore deprecated. Mozilla is going to drop support for MD5-signed Class 3-subroot and end-entity certificates after 30th June. Users of Mozilla products like Firefox, and Thunderbird may experience errors when these programs try to verify such certificates.

Hence webmasters, as well as users of CAcert’s Class 3-certificates, have to download and install the newly signed certificates from CAcert’s website. The same procedure applies if the Class 3-certificate is used for secure e-mail communication, for code signing, or for document signing.

The procedure in short:
1. Download the new Class 3 PKI Key from http://www.cacert.org/index.php?id=3

2. Either install it directly in your browser, or any other client program you use the certificate for, or save it to the SSL configuration directory of your webserver. For Apache this may be: /etc/apache2/ssl/class3.crt (PEM-Format)

3. Verify the SHA1-fingerprint of the downloaded certificate:
AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Example Commandline: openssl x509 -fingerprint -noout -in class3.crt
Or look at the fingerprint when importing the certificate into the webbrowser

4. Webmaster now re-create the necessary hash with c_rehash, or the like

By using the safe SHA256-hash CAcert is focussing on securing the internet on a continuing basis. Further information is given on CAcert’s Wiki page.

-+-

Neue Signaturen für CAcert-Class 3-Subroot-Zertifikat – Änderungen für Nutzer von CAcert-Zertifikaten

CAcert signiert sein Class 3-Subroot-Zertifikat neu mit einer SHA256-Signatur. Die bisherige von CAcert genutzte MD5-Signatur wird von Mozilla als nicht mehr ausreichend sicher angesehen. Mozilla wird deshalb MD5-signierte Class 3-Subroot- und End-Zertifikate nach dem 30. Juni nicht mehr unterstützten. Benutzer etwa von Firefox und Thunderbird können nach diesem Tag einen Fehler beim Prüfen MD5-signierter Zertifikate erhalten.

Webmaster wie Webbenutzer müssen daher, wenn sie das Class 3-Subroot-Zertifikat verwenden, dieses neu von der CAcert-Webseite herunterladen und installieren. Gleiches ist erforderlich bei Verwendung der Class 3-Zertifikate für sichere E-Mail-Kommunikation, zur Code-Signierung oder zum Unterzeichnen von Dokumenten.

Der Ablauf in Kurzform:
1. Den neuen Class 3 PKI Key von http://www.cacert.org/index.php?id=3 herunterladen

2. Je nach Anforderung entweder direkt im Browser bzw. anderen, benutzten Programmen installieren oder in das SSL-Konfigurationsverzeichnis des Webservers ablegen. Für Apache zum Beispiel: /etc/apache2/ssl/class3.crt (PEM-Format)

3. Den SHA1-Fingerabdruck des heruntergeladenen Zertifikats prüfen:
AD:7C:3F:64:FC:44:39:FE:F4:E9:0B:E8:F4:7C:6C:FA:8A:AD:FD:CE
Beispiel Kommandozeile: openssl x509 -fingerprint -noout -in class3.crt
Oder im Web-Browser Anzeige des Fingerprints beim Zertifikatsimport

4. Webmaster erzeugen dann den erforderlichen Hash mit c_rehash oder ähnlichen Programmen neu

Durch den nun verwendeten SHA256-Hash investiert CAcert weiter in ein sicheres Internet. Weitere Informationen befinden sich im CAcert-Wiki.