Category Archives: News

News Relating to CAcert

Availability of CAcert Root Certificates on Linux Distributions

After the inclusion of CAcert in Debian has been a quite complicated story for the past few years we are glad to announce that there’s a new package in the Debian Sid (unstable) branch: ca-cacert. This package has been created and will be maintained by Dmitry Smirnov. This package became necessary after Debian decided to remove CAcert from its main certificate store provided by the package ca-certificates in early 2014 [1].

Our goal is to promote awareness and education on computer security through the use of encryption, specifically by providing cryptographic certificates. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the internet. Any application that supports the Transport Layer Security (TLS) or the somewhat older Secure Socket Layer Protocol (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

The re-inclusion – even if just as a supplementary package – allows users of Debian and its many derivatives to securely access and install our certificates. Using this path for installation of our root certificates a major attack vector during installation has been mitigated by providing an additional, verified means to get an authenticated copy of our root certificates. Another possibility to verify our certificates after download has been prepared recently and will be documented soon.

CAcert is still pursuing to become audited and thus available in the default browser and OS trust stores.

We thank all people who were involved in creating and providing this package and hope for a constructive future development. Furthermore we like to thank the maintainers of the openSUSE package who made sure our root certificates have been available for the past years [2]. Also we want to thank all other package maintainers for other OS helping to provide a safe anchor for our certificates[3].

Currently our Wiki editors are working on HowTo documents [4, 5].

[1] https://packages.qa.debian.org/c/ca-cacert.html
[2] https://software.opensuse.org/package/ca-certificates-cacert
[3] https://wiki.cacert.org/InclusionStatus
[4] https://wiki.cacert.org/HowToDocuments/
[5] https://wiki.cacert.org/HowToDocuments/DE

CAcert reaches 300,000 members

[German below]
Last week CAcert reached the milestone of 300,000th community members.
CAcert has honored on behalf for the 300,000 community member Daniel Andris on the ATE Freiburg. Marcus Mängel (Organisation Assurance Officer) on behalf CAcert Inc board presented a paper document as well as an USB crypto stick and a box of Belgian chocolates.

ATE Freiburg 300k
Marcus Mängel (as representative of CAcert board) welcomed Daniel Andris as representative 300,000 community member.

Letzte Woche hat CAcert den Meilenstein von 300.000 Community Mitgliedern überschritten.
CAcert hat stellvertretend für das 300.000 Community Mitglied Daniel Andris auf dem ATE Freiburg geehrt. Neben einer Urkunde überreichte Marcus Mängel (Organisation Assurance Officer) im Auftrag des CAcert Inc Boards einen USB-Crypto-Stick und eine Schachtel belgische Pralinen.

CAcert root certificates included in the Replicant (Android) distribution

The Android distribution Replicant has recently decided to include the CAcert root certificates in default installations.

Replicant logo

Replicant was started as a pragmatic way to achieve software freedom on mobile devices, providing a fully free version of Android. Over the years, support for a dozen of different mainstream devices was added.
However, most of these devices are severely flawed when it comes to software freedom, privacy and security. Thus, it was decided to focus the development effort of Replicant for a few specific devices that perform better regarding those aspects, instead of trying to catch up with the latest mainstream devices. Replicant is sponsored and supported by the Free Software Foundation.

For further details on the inclusion status of CAcert’s root certificates in other OS distributions see wiki.cacert.org/InclusionStatus

Creating client certificates with CSR now possible for Org Accounts

A fix for a long standing issue has recently been installed at the CAcert main server: Now finally it’s possible to create a client certificate from a Certificate Signing Request (CSR) in the user interface for Organisation (Org) Accounts.

For those who don’t have an idea what I am talking about, an Org Account is a user interface for administrators of companies and other organisations who got themselves assured with a CAcert Org Assurance.

Until recently, client certificates in an Org Account could only be created by using the browser feature to create a key pair and signing request in one go. This usually has the consequence that the administrator has access to the private key of the certificate, and has to send the private key and a password (hopefully secure) to the user the certificate is intended for.

While this is not that unusual in an organisation environment, it is not considered a clean solution.

The new feature to create a certificate from a CSR now allows much better solutions. Not only that the administrator does not need access to the end user’s private key at all, it’s now possible to create solutions where an organisation end user can create her own keys and CSR at the organisation’s website, while the administrator only confirms the validity of the request, gets the certificate from CAcert and posts it on a website for the user to download into her browser.

Especially in company settings CAcert certificates can productively used even though the root certificate is not included in browsers by default. Many companies use private CAs, for example to issue certificates which allow employees to securely log on to web applications. Now it’s possible to outsource the CA management to CAcert and just use an Org Account to issue certificates.

In my opinion CSR certificate creation is an important step to make CAcert certificates much more practical to use in company settings! Thanks to everyone involved in implementing this feature!

CAcert Community Agreement (CCA) Rollout finished

[German Version below]
A long lasting software project – the CCA rollout – is nearing its end!

With today’s software update the last step for the CCA Rollout was deployed.

From now on every member who wants to use his CAcert account needs to have his CCA acceptance recorded.

The software has already been tracking this for some time which means that most active members will have their acceptance recorded by now. The CCA acceptance is recorded when:
– creating a new account
– entering an assurance for the assurer and the assuree
– creating a new certificate (client, server, GPG)

THE NEWS is that, for all users for whom no acceptance is yet recorded, a redirect to the CCA acceptance page is now forced. Once the CCA acceptance is recorded, this page will not be shown again.

Some historical facts:
The foundation was laid in 2007 by developing the policies and the CCA. The rollout started in 2009 by introducing the CCA to the community. In summer 2009 the acceptance of the CCA was required for creating a new account but it was not recorded.
In 2012 the acceptance of the CCA was required while entering an assurance but it was not recorded.
Starting from September 2013 the acceptance is recorded both on creating an account and while issuing a new certificate.
Since January 2014 the acceptance is recorded when entering an assurance too.
In September 2014 a new CCA was accepted by Policy Group.

[German Version]
Ein lange währendes Software-Projekt – der CCA-Rollout – nähert sich dem Ende!

Mit dem heutigen Software-Update wurde der letzte Schritt des CCA-Rollouts vollzogen.

Ab sofort wird für jedes Mitglied beim Login abgefragt, ob die Zustimmung zur CCA vorliegt. Falls nicht wird diese beim Anmelden erfragt und eingetragen.

Die Software zeichnet schon seit einiger Zeit bei diversen Aktionen die CCA-Zustimmung auf:
– Anlegen eines neuen Benutzerkontos
– Beim Eintragen einer Assurance sowohl für den Assurer und den Assuree
– Beim Erstellen eines neuen Zertifikats (Client, Server, GPG)

Wichtig: ab jetzt muss jeder User, dessen Zustimmung zur CCA noch nicht aufgezeichnet wurde, der CCA einmalig explizit zustimmen. Liegt bereits eine aufgezeichnete Zustimmung zur CCA vor, entfällt die explizite Aufforderung zur Zustimmung.

Einige historische Angaben:
Gestartet wurde das Projekt im Jahr 2007 mit dem Erstellen der Policy-Dokumente und der CCA. Das Rollout wurde 2009 mit der Veröffentlichung der CCA begonnen.
Ab dem Sommer 2009 wurde die Zustimmung zur CCA beim Anlegen eines neuen Kontos verpflichtend. Diese Zustimmung wurde allerdings nicht aufgezeichnet.
Seit 2012 wurde die Zustimmung zur CCA Bestandteil der Assurance. Diese Zustimmung wurde nicht in der Software aufgezeichnet.
Ab September 2013 wurde die Zustimmung zur CCA beim Anlegen eines neuen Kontos und bei der Erzeugung eines Zertifikats aufgezeichnet.
Seit Januar 2014 wird die Zustimmung auch beim Eintragen einer Assurance protokolliert.
Im September 2014 wurde eine neue Version der CCA durch die Policy Gruppe verabschiedet.

Assurance-Point auf dem Open-Source-Day 2014 am 22.10. in Hamburg

Open Source Day 2014Der Hamburger Open-Source-Day 2014 ist in Hamburg im Zeitraum 10:00 Uhr – 14:00 Uhr geöffnet. Details sind unter [3] zu finden.

Dieser Assurance-Point ist interessant für alle die ihren Status innerhalb der CAcert-Communitiy verbessern wollen. Dabei ist jeder, ob CAcert Assurer, CAcert Assuree/Member, CAcert Interessierte, Einsteiger oder Unentschlossener herzlich willkommen. Es gibt die Möglichkeit für Assurees/Members Assurance-Punkte zu erwerben, für Assurer sich Erfahrungspunkte zu verdienen und sich über die CAcert Community zu informieren. Um einen reibungslosen Ablauf der Identitätsüberprüfung zu ermöglichen, wird darum gebeten neben hinreichenden amtlichen Lichtbildausweisen auch genügend ausgedruckte CAP-Formulare, für sich selber und andere, mitzubringen.

Es wird empfohlen, sich vor der Veranstaltung schon bei CAcert [1] zu registrieren, da so der Prozess vor Ort beschleunigt werden kann.
Die Einsicht in die Policies ist unter [2] möglich.

[1] http://www.cacert.org/
[2] http://www.cacert.org/policy/
[3] Open Source Day 2014

Starts: 2014-10-22 10:00 am
Ends: 2014-10-22
Duration: 4 hours:
Beim Strohhause 17
Hamburg
20097
DE

Downtime for www.cacert.org on July 23, 2014

On July 23, the CAcert webdb server will be unavailable for most services from 10:00 CEST until approximately 11:30 CEST.

The reason for this is the need to convert the database from MyISAM format to InnoDB format, to address https://bugs.cacert.org/view.php?id=1172

We cannot predict exactly how long this conversion will last, but it is estimated to be less than 90 minutes. During this time, the server will remain up and running. The web frontend will also remain up and running, but with very limited functionality only (no user logins), due to the database being offline.

We apologize for any inconvenience caused by this major but necessary operation.

Change when adding an assurance

The software team pushed a new patch to production that has an impact on the way how new assurances have to be entered into the system.

Starting today, besides entering the primary email address further information has to be provided in order to gain access to assurance relevant data of the assuree. Additionally the date of birth of the assuree has to be stated by the assurer, before any data of the assuree is displayed for the assurance process.

This change was made for data protection reasons to ensure nobody is able gain access to personal data entrusted to CAcert by mere guessing of email addresses.

It hopefully will also reduce the number of problems with assurances that contain a wrong date of births.

CAcert applies to become “Interested Party” for the CA/Browser forum

CAcert Inc. board decided with the motion m20140706.3 to apply at the CA/Browser forum [1] as “Interested Party”. The CA/Browser forum is responsible for the guidelines how to use X.509 certificates.

The reasons are:

  • get the latest ideas and hints how the the certificate business is developing
  • get the chance to show how CAcert Web of Trust works and that it might be an alternative for the commercial registry authority approach

CAcert nominated Benedikt Heintel as contact person to the CA/Browser forum.

[1] https://cabforum.org/