
We’ve just started this year’s Easter Egg Challenge … We’ve put a couple of patches on our test server CACERT1 for you, our fellow and new software testers. We’ve added light to heavy patches to the package so everybody is able to walk through the test server web pages and search for our Easter eggs.
Assurers: New Default Hyphen Rule
A new default rule has been added to Practice On Names – Hyphen Rule.
For the purposes of checking the Name against PoN, a hyphen in given names is to be treated as optional.
CAcert in German freeX magazine
The word of CAcert has been spread again in the computer news in Germany. This time the main focus was put on the use of client certificates: what their function is and how they integrate into the popular open source email client Thunderbird, not forgetting other clients like Evolution, Claws-Mail, and the like. It also gives some background on CAcert and a short introduction on how CAcert works. The article in the freeX magazine 2/2011 is in German. Hope you enjoy it, though 🙂
From the article:
When you move around the Internet, you come across more and more sites with which communication is encrypted. Such sites, identified by https, encrypt the packets using SSL. To ensure that you are in contact with the right domain and that the data is not compromised, the server identifies itself to the client with certificates. But encrypted data transmission is used more and more often today not only for page requests on the web but also for e-mail. Here too, certificates are the basis. They are a kind of attestation and consist of a public part, which may be distributed, and a private part, which must be accessible only to the user and their programs. For security reasons it is even advisable to store the private certificates only with password protection. The X.509 certificates in common use today secure authenticity, integrity and confidentiality and thus form the basis of internal and external communication. In practice, however, a company-wide rollout of digital certificates for securing servers and e-mail communication often fails, especially in small and medium-sized businesses, because of the IT department’s limited budget, since commercial certification authorities quickly incur annual provisioning costs of several thousand euros, and for private users too, costs of a few hundred euros a year are often not affordable.
To achieve a significant increase in the security of Internet communication without such investment, in 2002 the Australian Duane Groth had the idea of replacing the centralised identity verification of commercial providers for X.509 certificates with a web of trust, as known in similar form from PGP. He founded CAcert as a community-based, non-commercial Certification Authority (CA).
The original article as a PDF with pictures
The full article in the wiki without pictures
New procedure for Name Change after Marriage w/ Assurance
To all community members and assurers,
The arbitration and support teams developed a new “Name Change after Marriage w/ Assurance” procedure through arbitration case a20110330.1.
The procedure is outlined in
http://wiki.cacert.org/Arbitrations/Training/Lesson12 and
http://wiki.cacert.org/Support/Handbook/PrecedentCases/a20110330.1.
This should speed up the process of a name change after marriage.
All you need to do is (for the user who wants to get a name change after marriage):
1. Find at least 2 Assurers to do an Assurance
2. Send a list of the assurers that can confirm the name change after marriage to support
That’s it.
Support will then contact the parties to get further information.
Google on improving certificate security
Benl writes: Improving SSL certificate security
Friday, April 1, 2011 9:05 AM Posted by Ben Laurie, Google Security Team
In the wake of the recent [incident], there has been a great deal of speculation about how to improve the public key infrastructure, on which the security of the Internet rests. Unfortunately, this isn’t a problem that will be fixed overnight. Luckily, however, [engineers] have long known about these issues and have been devising solutions for some time.
Given the current interest it seems like a good time to talk about two projects in which Google is engaged.
The first is the Google Certificate Catalog. Google’s web crawlers scan the web on a regular basis in order to provide our search and other services. In the process, we also keep a record of all the SSL certificates we see. The Google Certificate Catalog is a database of all of those certificates, published in DNS. So, for example, if you wanted to see what we think of https://www.google.com/’s certificate, you could do this:
[tech details snipped]
The second initiative to discuss is the DANE Working Group at the IETF. DANE stands for DNS-based Authentication of Named Entities. In short, the idea is to allow domain operators to publish information about SSL certificates used on their hosts. It should be possible, using DANE DNS records, to specify particular certificates which are valid, or CAs that are allowed to sign certificates for those hosts. So, once more, if a certificate is seen that isn’t consistent with the DANE records, it should be treated with suspicion. Related to the DANE effort is the individually contributed CAA record, which predates the DANE WG and provides similar functionality.
[caveats snipped]
Improving the public key infrastructure of the web is a big task and one that’s going to require the cooperation of many parties to be widely effective. We hope these projects will help point us in the right direction.
CATS login bug fixed (bug#889)
If you tried to log in to CATS recently with a newly created certificate, you probably failed, especially when using a Class 3 certificate. Now I hope this bug is finally fixed.
As usual for such bugs, it was quite a trivial thing; for details compare CAcert/Education/CATS/login.php in svn with its previous version.
For analysis: the certificates affected contained a serial number which started with a non-digit character after stripping leading zeros. So Class 3 certificates with a serial number bigger than 09:ff (issued since about half a year ago) and Class 1 certificates with a serial greater than 09:ff:ff (issued since recently) have been affected.
I’m still waiting for the first explicit confirmation of someone now able to log in, but the analysis nicely fits the symptoms and the problem could be reproduced on the test system, so I hope we finally got it.
One more milestone reached within Software-Assessment Project
Within the last 2 days, the running signer was integrated into the testserver environment. This was one of the milestones in getting a testing environment as identical as possible to the production system.
CAcert assurances at Linux Infotag Augsburg
This year too, there will be enough 35-point assurers at the booth of the LUG Ottobrunn at Linux Infotag in Augsburg (26th March) to get fully assured (100 points). Check for the CAcert badges & logo!
This year as well, enough 35-point assurers will be present at the LUG Ottobrunn booth at Linux Infotag in Augsburg (26 March) for you to become fully assured (100 points). Follow the CAcert logo!
ATE-Munich, 2. April
After Munich’s ATE in 2009 another one is scheduled. This time it is a joint offer from the CAcert community and Munich’s open source meetings. It is also supported by secure-u e.V.
We will host the ATE on the afternoon of 2nd April. More details on the wiki.
There are a couple of options to indicate that you are attending:
– Email I will attend ATE-Munich
– Acknowledge the XING event
– Edit the wiki directly
As IanG said: “The ATE or Assurer Training Event is exceptionally recommended for all Assurers, and include parts which contribute directly to our audit. Come and find out how you can also contribute.”

About 30 people have registered already. Looking forward to seeing you at the ATE.
CAcert-Assurances at CeBIT 2011
Dear assurers and assurees,
We want to give assurees the possibility to find assurers. Hence we are calling for a meeting point daily at 12:00 noon in front of hall 2 facing the green.
We’re asking assurers to identify themselves with a CAcert T-shirt, a stitch-on patch on a jacket, a CAcert bag or similar, since we cannot put up a roll-up banner.
On Saturday we will arrange a longer meeting, which will take place in front of hall 2 facing the green or, in case of bad weather, in front of hall 2 in the corridor facing the bank of windows.
For further information please visit our wiki page http://wiki.cacert.org/events/CeBit2011
All information without guarantee.
