Category Archives: News

News Relating to CAcert

Archived copies of Identity Documents should be destroyed within CAcert.

CAcert will destroy archived copies of IDs and asks its Assurers to do so as well.

When CAcert started in 2002, it required that copies of IDs be archived for 7-10 years in the archives of CAcert or of CAcert Assurers. Later, CAcert required that ID numbers and/or social security numbers of the individual be noted instead of keeping a copy of the ID. In 2006, for privacy reasons, this data (copy of ID, personal numbers) was dropped. The CAcert Assurance Programme (CAP) form, however, states that the information should be kept for 7-10 years.

As CAcert Inc. has dropped the requirements for copies of ID and personal numbers, the association, by order of the Committee (Board), has decided to remove this information from the CAcert archives and requires CAcert Assurers who are in possession of that information to do the same: destroy archived copies of IDs and delete social security numbers from the CAP forms. The information should be deleted with care, as stated in the CAP agreement.

CAcert Community Agreement is defined now!

As you may know, CAcert started a big effort in 2007 to address who we are as members of a CA service provision, the Community, and increasing the recognition of CAcert as a professional CA.
CAcert now belongs to the top ten CAs in the world! All this was inspired and demanded by the need to have the CAcert Root Key included in the browsers. For this, CAcert started the Audit process, which focused on the questions of Risks, Liabilities, and Obligations amongst us all.

CAcert has now conquered that monumental task. The core of that task was defining who we are as a community, and writing a CAcert Community Agreement that we can all agree to, which brings us together as that community, and which protects you, using the CAcert issued certificates, legally, financially and freely.

Here you can read the details of the CAcert Community Agreement.

Introductory notes on the agreement are on the wiki. This introduction attempts to explain some of the parts that may need more explanation, e.g. on free certificates, privacy concerns, certificate care and usage risks, and the CAcert Community.

The Agreement is now approved: by the Board, by the Policy Group, and by the Association, and it is now ready for you!

CAcert software developers will modify the website and the Assurance team will modify the Assurance processes to ask people to agree to it. This will take some time.
In the end we will need agreement from everyone inside the CAcert Community, because it protects each and every one of you, and all of us together, as a community.

CAcert Management Sub-Committee

Greg Rose resigns from CAcert Inc. board for job related reasons.

CAcert announces the resignation of Greg Rose from the Board of CAcert Inc., as of 1st March 2008.

On resigning for job-related reasons, Greg said “It’s been interesting to say the least, and I feel happy to have made new friends and renewed old ones. Thanks for the opportunity and the honor to have worked with you all.”

When the existing board resigned in March 2007, Greg stepped in to help, having been a long-serving Assurer.
Greg Rose served as President during the critical period of 2007, helped to build a new board and management team, steered the new board through this difficult phase to recover control of assets, and chaired a week-long meeting in Germany with our key people present.

This crucial period saw the approval of the new CAcert Community Agreement for all members of the Community and many other innovations thanks to an excellent cooperation from within the CAcert Community and Association Members:
the Assurer Challenge, in-house dispute resolution, Organisation Assurance, the re-invigoration of the business side of CAcert, initiation of a funded audit project and formal procedures for creating and approving policies (e.g. Assurance policy and reformed point system, code signing, open sourcing of software, openness of the organisation, etc.).

Teus Hagen takes up the position of President, assisted by Evaldo Gardenali, Robert Cruikshank and Guillaume Romagny.

CAcert association Annual General Meeting 17th November 2007

The CAcert association (CAcert Inc.) will have its Annual Meeting on Saturday 17th of November. More details: http://wiki.cacert.org/wiki/NextAnnualGeneralMeeting . You need to be a full association member in order to be able to vote.

What is on the agenda: board elections (five Committee members), CAcert Community Agreement (new!), CAcert Root cert usage License and Disclaimer (new!), Policy document organisation (new!), Arbitration (new!), Open Governance, membership register update.

Note also the minutes of the so-called CAcert TOP meeting in September 2007: http://wiki.cacert.org/wiki/TopMinutes-20070917 and current activities: security and quality enhancements to CAcert servers and services, quality improvements for CAcert assurances, Organisation Assurance initiatives, CAcert community and organisations (officers and distributed responsibilities), privacy directives and openness actions (open sourcing, open governance), etc.

See the discussions on the policy and membership email lists.

teus

CAcert Executive Meeting

CAcert has seen enormous changes within its structure during the last 3 or 4 months. These changes reflect a new, professional approach at CAcert which will allow us to grow way beyond the level we have reached so far. Therefore Advisory proposed to the board to have a multi-day meeting to address all those issues. The new structure of CAcert, consisting of Board, Advisory, Officers and Community, needs to learn better communication and better cross-area working. The Board has many issues on its agenda, like approving the backlog of important suggestions and preparing the AGM, just to name a few. Advisory has to drive many issues as well, especially getting the audit on track, creating policies, dealing with Super Assurers, Organisational Assurance, etc. The officers need to define their teams, their tasks, communication lines, reporting, etc.

So this meeting will be in Pirmasens, Southwest Germany, in a nice meeting location in the week of 17th to 21st September 2007. More on this as soon as we know.

CAcert Inc. SGM: changes in CAcert Inc. board

At the Special General Meeting (SGM) of 25th May 2007, the CAcert Inc. members (re)elected Robert Cruikshank, Evaldo Gardenali and Greg Rose to the CAcert Inc. Committee (board). The resignations of the old board were accepted by the members.

All the (seven) nominated new members (nominated from January up to June 2007) were accepted and are welcomed as new members.

The membership expressed many thanks for the efforts made by the resigned board members for CAcert Inc.; particular gratitude is expressed to Duane Groth. We hope that they will continue their support as CAcert Inc. members.

Alternate IRC channel launched

For convenience, a second official CAcert community channel was created on freenode. If you are a freenode regular user, come by #CAcert .

We are also distributing CAcert/Assurer/nickname and CAcert/User/nickname cloaks for people with properly registered nicks on freenode. Ask Evaldo Gardenali (UdontKnow) there for more information.

chat.freenode.net #CAcert – irc://chat.freenode.net/CAcert/

A New Vulnerability In RSA Cryptography

A new vulnerability associated with RSA cryptography has been found. It works by spying on the CPU internals with a spy program running on the same computer as the crypto application. Dedicated systems (like CAcert's certificate generation) are not affected; only multi-tasking and multi-user systems are affected.

http://it.slashdot.org/article.pl?sid=06/11/18/2030247

A New Vulnerability In RSA Cryptography

   Posted by kdawson on Saturday November 18, @04:45PM
   from the predictions-of-trouble dept.

   romiz writes, “Branch Prediction Analysis is a recent attack vector
   against RSA public-key cryptography on personal computers that relies
   on timing measurements to get information on the bits in the private
   key. However, the method is not very practical because it requires
   many attempts to obtain meaningful information, and the current
   OpenSSL implementation now includes protections against those attacks.
   However, German cryptographer Jean-Pierre Seifert has announced [1]a
   new method called Simple Branch Prediction Analysis that is at the
   same time much more efficient than the previous ones, only needs a
   single attempt, successfully bypasses the OpenSSL protections, and
   should prove harder to avoid without a very large execution penalty.”
   From the article: “The successful extraction of almost all secret key
   bits by our SBPA attack against an openSSL RSA implementation proves
   that the often recommended blinding or so called randomization
   techniques to protect RSA against side-channel attacks are, in the
   context of SBPA attacks, totally useless.” [2]Le Monde interviewed
   Seifert (in French, but Babelfish works well) and claims that the
   details of the SBPA attack are being withheld; however, a PDF of the
   paper is linked from the [3]ePrint abstract.

  1. http://eprint.iacr.org/2006/351
  2. http://www.lemonde.fr/web/article/0,1-0@2-651865,36-835944@51-835781,0.html
  3. http://eprint.iacr.org/2006/351
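
Why blinding the base does not help when the leak is the branch sequence, and what removing the key-dependent branch looks like. This is an added example, not code from OpenSSL, the paper or CAcert; it uses a constructed textbook key, hypothetical function names, and a `trace` list that stands in for what an observer of branch outcomes would see. It models control flow only, since Python's big-integer arithmetic is not itself constant-time.

```python
import math
import secrets

# Constructed textbook RSA key (p=61, q=53); far too small for real use.
N, E, D = 3233, 17, 2753

def modexp_branching(base, exp, mod, trace):
    """Square-and-multiply with a branch on each secret exponent bit."""
    result = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        result = (result * result) % mod
        taken = (exp >> i) & 1
        trace.append(taken)  # models the branch outcome an observer sees
        if taken:            # key-dependent branch: this is the leak
            result = (result * base) % mod
    return result

def modexp_uniform(base, exp, mod, trace):
    """Always multiply, then pick the result with a mask instead of a branch."""
    result = 1
    for i in range(exp.bit_length() - 1, -1, -1):
        result = (result * result) % mod
        product = (result * base) % mod
        mask = -((exp >> i) & 1)  # 0, or -1 (all ones)
        result = (product & mask) | (result & ~mask)
        trace.append(1)      # same operation sequence for every bit
    return result

def decrypt_blinded(c, exp_fn):
    """RSA decryption with base blinding: the base is random, the exponent is not."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    trace = []
    blinded = (c * pow(r, E, N)) % N
    m = (exp_fn(blinded, D, N, trace) * pow(r, -1, N)) % N
    return m, trace

def exponent_from_trace(trace):
    """Rebuild the exponent that the recorded branch sequence spells out."""
    return int("".join(map(str, trace)), 2)

if __name__ == "__main__":
    c = pow(65, E, N)  # constructed ciphertext of the message 65
    for fn in (modexp_branching, modexp_uniform):
        m, trace = decrypt_blinded(c, fn)
        print(fn.__name__, m, exponent_from_trace(trace) == D)
```

The branching version yields the same trace on every run no matter which random blinding value is drawn, because only the base is randomized; the uniform version gives a trace that is independent of the key.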