2000 Assurer Barrier Broken

It’s taken 2 years, 2 months, and 6 days but finally we have reached 2000 assurers. This passing really belongs to everyone that’s ever assured anyone, or taken time off work to attend a conference, or just met up with others for coffee.

I was reading a blog the other day in which the author describes meeting up with others to assure them, and comes out and says how it’s a great way to meet others with similar hobbies in security-related fields. Speaking from personal experience, I’ve always liked getting out and networking with others, and have mused about the indirect, non-tangible benefits before. However, I’ve never thought it worth writing down and letting others know the side effects of assuring people: how you can end up with some really good friends in the very area you live, people you would never have known were there otherwise, all drawn in by a common goal. I truly believe that with each passing day more people know about CAcert, and to that end I hope things keep getting bigger and better.

When I started with the first incarnation of CAcert almost 3 years ago, I had no idea things would be where they ended up. My original intention behind CAcert was to provide better security for wireless networks (something that is still a mess for the most part), but the community wireless guys didn’t end up running with it, and I guess what surprised me most out of all this is the fact that we issue more client certificates than server certificates.

As I mentioned in a previous posting, I met up with Mark Shuttleworth the other day. He’s been involved in a number of high profile things in the past, from being the founder of Thawte and kicking off the Thawte web of trust, to being shot into space on a Russian space craft. He expressed slight disappointment the other day that the Thawte web of trust is not going anywhere beyond where it is at present, and that slightly shocked me: here was a man that set up a commercial company for the purposes of making a profit, yet on the other hand had a great sense of community, which is also obvious through his company’s sponsorship and heavy involvement with the Ubuntu Linux distribution. Also worth mentioning about Mark is the fact that, unlike with other free/open software projects, we weren’t simply dismissed, and unlike many others he actually had a valid grasp of the reality surrounding CAs, rather than simply having the notion that they must be a commercialised operation to provide the service. Specifically on this last point, someone has sent me a very interesting post I’ll throw up later today.

All up, even though we’re still hassling Mozilla for inclusion and most people rated inclusion into MS products as unobtainable, I, being the eternal optimist, think we as a collective can do all this and more, and the ever increasing number of users and assurers only serves to make me think I’m right. Simply put, the more users and assurers we have, the greater the chance this will occur, and as I mentioned before, 2005 is the year of the Assurer! By helping us to obtain greater numbers everyone is helping themselves indirectly as a result (we can’t be brushed aside forever with ever increasing numbers!), so get out there and start hassling your relatives, neighbours, co-workers and everyone else in sight into signing up and getting even just a client certificate to protect their own emails!

Assurance Events

For those that are interested in keeping tabs on upcoming events, the calendar.ics we now dynamically publish based on this blog’s posts is one of the easier ways to do it. Today I’ve been playing with this and the Sunbird plugin for Thunderbird/Firefox. The Sunbird plugin allows you to import (you can even tell it to re-import on startup) remote calendars, such as the Events Calendar.

My only gripe is that the plugin is basically a completely new program and doesn’t seem to integrate very well with Thunderbird; this could be a whole lot more useful and, more to the point, more intuitive, to a whole lot more people. Once I downloaded and installed the plugin, nothing on the Thunderbird interface actually looked or seemed any different, and it took me a fair while to track down the solitary menu item from which I could launch the Sunbird interface, so a big thumbs down on usability. As far as I can see, all it needs to be a little more useful is a little calendar-looking item in the main interface that somehow indicates events are occurring on certain days and, when clicked, opens the plugin’s normal page.

Apart from Evolution, can anyone suggest any other plugins for Thunderbird that integrate better, so that people can better keep tabs on each other’s shared calendar events etc. by publishing their public calendar to the Internet somewhere?

Why should I use CAcert certificates instead of self signed?

If you are ever involved with any sort of event trying to promote CAcert, this question is bound to come up at one point or another, and Microsoft has given us the best answer to date. With the new release of Longhorn comes a number of changes in the way Microsoft handles PKI; the biggest change most likely to affect people is having OCSP turned on by default.

This will mean that if you’re publishing self-signed certificates and no OCSP responder approves the certificate, Internet Explorer and other programs will reject the connection, and you will have to go back to using no encryption or buying a certificate from a commercial provider.

At this stage CAcert isn’t running an OCSP responder either. This is in part due to testing different OCSP options in the past and having no success with any of the free software options actually working properly; most software was returning a lot of false positives and false negatives. Having an OCSP responder is something we need to address before betas are officially released, to ensure we don’t get left behind either, but at the same time it can be used as leverage as to why people should use us compared to self-signing.

One suggestion on which OCSP responder to use is the one RedHat recently bought when it acquired some of the remaining Netscape assets from AOL. So far I’m not sure that anything has been released at all, or what RedHat’s plans or timeline are.

One other minor note about OCSP in general: the protocol states that if you can’t talk to the responder to verify the status, you have to assume it’s not a valid certificate. This could potentially lead to major disruptions on the Internet if CAs are attacked via denial of service on their responder, which in turn has the potential of wiping them out as a company if a lot of their customers’ websites are no longer usable.

One other situation that is similar to a denial-of-service attack, and which will be a lot more common, is when people are sitting in a plane or similar and have no Internet access. Apparently Microsoft have attempted to solve this via an OCSP caching solution, but will this actually be any better than the caching that Internet Explorer does? Something to think about at least, I guess.
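As an added illustration (not CAcert’s or Microsoft’s code), the following Python models the client-side decision the post describes: a hard-fail policy rejects a certificate whenever no status can be obtained, which covers both the self-signed case and a responder outage, and a cached response only buys time until its validity window ends. The response fields, the policy names and the sample times are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed model (not CAcert or Microsoft code) of what an OCSP-checking
# client does when the responder is reachable, unreachable, or was never
# there (a self-signed certificate), and how far a cached response carries
# a hard-fail client through a responder outage.


@dataclass
class OcspResponse:
    status: str            # "good" or "revoked"
    this_update: datetime  # when the responder produced this status
    next_update: datetime  # the status may be relied on until this time


def cache_is_fresh(cached: Optional[OcspResponse], now: datetime) -> bool:
    """A cached response is reusable only inside its validity window."""
    return cached is not None and cached.this_update <= now < cached.next_update


def decide(policy: str, has_responder_url: bool, responder_up: bool,
           cached: Optional[OcspResponse], now: datetime,
           live: Optional[OcspResponse] = None) -> str:
    """Return 'accept' or 'reject' for one connection.
    policy 'hard': no status means reject (the Longhorn behaviour the post
    describes); policy 'soft': no status means accept (older behaviour)."""
    if not has_responder_url:
        # Self-signed, or any cert with no OCSP URL: nobody can vouch for it.
        return "reject" if policy == "hard" else "accept"
    if responder_up and live is not None:
        return "reject" if live.status == "revoked" else "accept"
    # Responder unreachable (DoS on the CA, or a laptop on a plane):
    # a fresh cached answer still counts, an expired one does not.
    if cache_is_fresh(cached, now):
        return "reject" if cached.status == "revoked" else "accept"
    return "reject" if policy == "hard" else "accept"


def outage_hours_tolerated(cached: OcspResponse, outage_start: datetime) -> float:
    """Hours a hard-fail client keeps accepting a site during a responder
    outage, given the cached response it held when the outage began."""
    remaining = cached.next_update - outage_start
    return max(remaining.total_seconds(), 0) / 3600


# Constructed samples: a status produced an hour ago and valid for another
# day, one that expired two days ago, and a revoked one.
NOW = datetime(2005, 4, 20, tzinfo=timezone.utc)
GOOD = OcspResponse("good", NOW - timedelta(hours=1), NOW + timedelta(days=1))
STALE = OcspResponse("good", NOW - timedelta(days=3), NOW - timedelta(days=2))
REVOKED = OcspResponse("revoked", NOW - timedelta(hours=1), NOW + timedelta(days=1))
```

With the sample values, a hard-fail client with the fresh cached response rides out a responder outage for 24 hours; with only the stale one it starts rejecting the site immediately.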

Conferences and Events

Do you know of an event coming up where assurers will be present? If so, please let us know so we can add entries to this blog. Currently all known events have been added to the database, and on the right hand side of the site there is an events calendar which can be used to find future events that you can attend and be assured at.

There is also an ics/vCalendar file of the events (dynamically generated) you can download and load into your favourite program: http://blog.cacert.org/calendar.ics

If you are going to be at an event, it’s preferable to list a contact address, as many people haven’t managed to make contact with assurers in the past, which can be quite frustrating to say the least.

Conference – LinuxChix.org.br

Evaldo Gardenali will be attending and assuring people at the linuxchix.org.br event, being held in Belo Horizonte in Brazil from the 30th of April until the 1st of May 2005.

2005 – The year of the Assurer!

Currently, as many of you know, there are some issues with our current system, and one big way to overcome the entire problem is to have as many people as possible with 50 or more points in the system. To us it would be beneficial to have everyone with 100 or more, but for the most part 50 would satisfy most of the current issues people have with including our root cert.

Step one is to raise awareness of the situation, and this will be executed via a mass mail to all unassured people in the CAcert database. The notification will be along the lines that we have been given indications that we could be better included in Ubuntu, and perhaps many other Linux distributions, if we stop issuing unassured server certificates. If everyone is serious about us being included in browsers and given the opportunity to be assured (via a distributed world tour?), no one should have a problem with this in theory (and everything works in theory).

Step two will be to actually get people out and about, assuring people en masse. While CAcert doesn’t have unlimited amounts of funding, CAcert is a cash positive, self sustaining entity which gains funds from donations, memberships and Google ads displayed on the website. Utilising these funds, or gaining further donations, to tip the balance of assurers in areas should be considered a high priority.

Step three of course is phasing out the ability for people with fewer than 50 points to be issued a server certificate from our main root certificate, if at all. This was one of the original goals; while we don’t yet have any sort of critical mass, this has brought the issue to the forefront and will only serve to increase the overall security of the system, not to mention that it will also gain us a lot more credibility and will be one less barrier to inclusion.

I’m sure there are other things we will need to do, and as always feedback is appreciated.

Inclusion in the Ubuntu Distribution

I’ve spoken to some very influential people of late, one of whom happened to be Mark Shuttleworth today at the Ubuntu Down Under conference. He had one particular concern about control-of-domain certificates, and he didn’t feel comfortable including our current root certificate at present until we either stop issuing them under our present root (i.e. set up another root certificate for assured certificates, or start issuing unassured certificates from a new root), or alternatively just don’t issue them to unassured people.

Also worth mentioning is that at one point WebTrust certification was mentioned, but he wasn’t really that concerned about it; he was more worried about the security (or insecurity) of control-of-domain type certificates.

This isn’t the first time it’s been suggested that we alter how many root certs we operate and under what conditions people are allowed to issue from which certificate. At this point in time it’s a difficult decision to make, and we’re looking to the community for feedback on the issue (as this will affect a lot of people no matter what happens) and on what the best course of action to take is.

Comments on this are important!

* one possible solution might be to issue a new root cert signed by the current root cert (since this issue only affects server certificates); that way it should work with the least amount of impact to most/all people.

Conference – Ubuntu Downunder Developers Conference

http://udu.wiki.ubuntu.com/UbuntuDownUnder/ UDU will be held at the Vibe Hotel in Rushcutters Bay (100 Bays Water Rd) from Monday April 25 to Saturday April 30, 2005. There will be a few assurers in attendance.

Conference – Linux.conf.au 2005

linux.conf.au is Australia’s national Linux conference. lca2005 will be held at the Australian National University in Canberra from Monday April 18 to Saturday April 23, 2005. There will be a few assurers in attendance.

Conference – USENIX 2005

The USENIX Technical Conference is on again this year in Anaheim, April 10th to the 15th. Last year’s event proved very successful for CAcert, and the user numbers swelled from 5,000 to 10,000 in a matter of weeks after the conference had ended. 3 CAcert board members will be in attendance, as well as a number of people assured last year.