On 2016-02-09 is this year’s Safer Internet Day asking its participants to “Play your part for a better internet!”
The Safer Internet Day was first celebrated in 1999 to strengthen the awareness for security within and on the internet.
CAcert’s share in this effort is providing everybody the means to protect their communication by sending encrypted emails or using free client certificates for authentication.
So take a moment and think about taking part in one of the several events and help to promote email encryption with CAcert S/MIME certificates.
And stay safe on the internet!
On Friday, 29th January 2016, the long-planned re-signing of CAcert’s root certificate will finally take place.
This action has been overdue for quite some time now as several browser and OS vendors have dropped support for MD5-signed certificates or otherwise made such certificates unusable.
The re-signing process  has been tested successfully at last FrOSCon in August 2015 .
Attendance of the re-signing ceremony will be open to the public and will take place near CAcert’s data center in Ede, NL. As soon as more details become available we’ll provide a wiki page with the exact schedule and location.
UPDATE: Unfortunately the Re-Signing event had to be postponed due to shortage of manpower in the different teams involved in the process. The currently a new date is being searched. As soon as the new date is available it will be announced here.
The new elected CAcert Inc board want to share their mission statement for the current fiscal year.
We want to help CAcert to become the world’s most trusted service provider able to help people around the world
- to secure their privacy
- to secure their identity
in the area of digital electronic communications. We all want to lead an operating Certificate Authority providing highly secure certificates for free to the public in which everybody can trust. The next central milestone for the development of our CA is to pass an audit with flying colors.
We will subordinate all of our activities to reach this goal within the next years.
The first serious challenge to take will be the resign of our root certificate within the next 3 months (hopefully on the eve of FOSDEM 2016).
We want to continue with the tasks to prepare the New Root Escrow within the next year.
To secure the existence of CAcert for a long time we want to prepare the move to a hosting country in Europe within the next year.
Today we ask you to have confidence in our plans and personal integrity and hope that all of you will support us in fulfilling these tasks.
Please allow to remember to McDonald’s main maxim:
„All of us is more than one of us“
The new board is composed of
Reinhard Mutz, President CAcert Inc.
Jürgen Bruckner, Vice President CAcert Inc.
Marcus Mängel, Secretary
Stefan Thode, Treasurer
Felix Dörre, Board member
Peter Yuill, Board member
On Sunday at FrOSCon 10 CAcert successfully tested the New Root and Escrow (NRE) process and performed a test run of the long expected Class 1 Resigning.
Members of the software team, the critical admins, the NRE team, and the internal auditor met in a session, which was open to the public, to test these long prepared tasks.
The process started with checking that the needed hardware was running and was setup up according to the process definition. In a first step the defined tasks were then executed manually to proof that the procedures produces the desired results. In a second step the manual tasks were automated where possible and the script was tested and checked according to the process definition.
The results show the expected outcome.
The internal auditor was pleased with the good and professional preparation of the test and the successful outcome. The new root keys created during the NRE test will be used for a test server based on Gigi and Cassiopeia.
Recently we got several questions about automated installers for our certificates. While the new ca-cacert package in Debian Testing is a nice way for a verified installation it isn’t perfect. One issue is the initial download of the certificates when the source package is built by the maintainer; the second issue is that not everybody is using Debian.
As for a long time there was no way to automate the check of the trust anchor with tools you already have we used cryptography to make it work: DNSSEC. While you can’t directly download the certificates directly from DNS – the information would be to huge and hardly manageable – you still get enough information to bootstrap the verification from DNS. All you need is a way to query and validate TXT RRs from DNS, a way to download files via HTTP and a way to calculate some hashes.
The information about the fingerprints is stored in the DNS zone _fp.cacert.org – the underscore indicates non-host information. For each generation of root certificates a new sub-directory will be created. The current one is “g1”. To list all available certificates of a specific generation you can query the label _certs for that sub-directory given a DNS query for _certs.g1._fp.cacert.org yielding the two names “root class3” as the certificates. Each of those references in turn provides both an URL (“_url”) and a set of fingerprints (_md5, _sha1, _sha256) needed for the verified download of that certificate. To download the current (g1) root certificate you’d thus look for the download URL at _url.root.g1._fp.cacert.org and verify the SHA2-256 fingerprint given at _sha256.root.g1._fp.cacert.org. Fingerprints are always uppercase and without any delimiters.
For further technical details have a look into the Wiki 
After the inclusion of CAcert in Debian has been a quite complicated story for the past few years we are glad to announce that there’s a new package in the Debian Sid (unstable) branch: ca-cacert. This package has been created and will be maintained by Dmitry Smirnov. This package became necessary after Debian decided to remove CAcert from its main certificate store provided by the package ca-certificates in early 2014 .
Our goal is to promote awareness and education on computer security through the use of encryption, specifically by providing cryptographic certificates. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the internet. Any application that supports the Transport Layer Security (TLS) or the somewhat older Secure Socket Layer Protocol (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
The re-inclusion – even if just as a supplementary package – allows users of Debian and its many derivatives to securely access and install our certificates. Using this path for installation of our root certificates a major attack vector during installation has been mitigated by providing an additional, verified means to get an authenticated copy of our root certificates. Another possibility to verify our certificates after download has been prepared recently and will be documented soon.
CAcert is still pursuing to become audited and thus available in the default browser and OS trust stores.
We thank all people who were involved in creating and providing this package and hope for a constructive future development. Furthermore we like to thank the maintainers of the openSUSE package who made sure our root certificates have been available for the past years . Also we want to thank all other package maintainers for other OS helping to provide a safe anchor for our certificates.
Currently our Wiki editors are working on HowTo documents [4, 5].
Last week CAcert reached the milestone of 300,000th community members.
CAcert has honored on behalf for the 300,000 community member Daniel Andris on the ATE Freiburg. Marcus Mängel (Organisation Assurance Officer) on behalf CAcert Inc board presented a paper document as well as an USB crypto stick and a box of Belgian chocolates.
Marcus Mängel (as representative of CAcert board) welcomed Daniel Andris as representative 300,000 community member.
Letzte Woche hat CAcert den Meilenstein von 300.000 Community Mitgliedern überschritten.
CAcert hat stellvertretend für das 300.000 Community Mitglied Daniel Andris auf dem ATE Freiburg geehrt. Neben einer Urkunde überreichte Marcus Mängel (Organisation Assurance Officer) im Auftrag des CAcert Inc Boards einen USB-Crypto-Stick und eine Schachtel belgische Pralinen.
The Android distribution Replicant has recently decided to include the CAcert root certificates in default installations.
Replicant was started as a pragmatic way to achieve software freedom on mobile devices, providing a fully free version of Android. Over the years, support for a dozen of different mainstream devices was added.
However, most of these devices are severely flawed when it comes to software freedom, privacy and security. Thus, it was decided to focus the development effort of Replicant for a few specific devices that perform better regarding those aspects, instead of trying to catch up with the latest mainstream devices. Replicant is sponsored and supported by the Free Software Foundation.
For further details on the inclusion status of CAcert’s root certificates in other OS distributions see wiki.cacert.org/InclusionStatus
CAcert and secure-u e.V. will be present at FOSDEM 2015, the Free and Open Source Software Developers’ European Meeting, on January 31st – February 1st.
If you want to help at our booth, register yourself on our events wiki page for FOSDEM 2015 planning.
CU at FOSDEM …
A fix for a long standing issue has recently been installed at the CAcert main server: Now finally it’s possible to create a client certificate from a Certificate Signing Request (CSR) in the user interface for Organisation (Org) Accounts.
For those who don’t have an idea what I am talking about, an Org Account is a user interface for administrators of companies and other organisations who got themselves assured with a CAcert Org Assurance.
Until recently, client certificates in an Org Account could only be created by using the browser feature to create a key pair and signing request in one go. This usually has the consequence that the administrator has access to the private key of the certificate, and has to send the private key and a password (hopefully secure) to the user the certificate is intended for.
While this is not that unusual in an organisation environment, it is not considered a clean solution.
The new feature to create a certificate from a CSR now allows much better solutions. Not only that the administrator does not need access to the end user’s private key at all, it’s now possible to create solutions where an organisation end user can create her own keys and CSR at the organisation’s website, while the administrator only confirms the validity of the request, gets the certificate from CAcert and posts it on a website for the user to download into her browser.
Especially in company settings CAcert certificates can productively used even though the root certificate is not included in browsers by default. Many companies use private CAs, for example to issue certificates which allow employees to securely log on to web applications. Now it’s possible to outsource the CA management to CAcert and just use an Org Account to issue certificates.
In my opinion CSR certificate creation is an important step to make CAcert certificates much more practical to use in company settings! Thanks to everyone involved in implementing this feature!