Although the new RootKeys are generated, they are not yet availlable. At the moment there is a review of the new keys going on to see if they comply fully with the requirements for inclusion in the mainstream browsers. When the review is succesfull, the new RootKeys will become public and will be used to sign new or renewed certificates.
The blog will be the first place where you can read they have gone on-line, as well as additional info
Today, Friday 28th of november, CAcert is creating new RootKeys for signing the certificates. This is done to comply to the audit requirements of having everything documented. Our current RootKeys are audit fail because it lacks documentation about the procedure.
The current RootKeys will NOT be revoked yet because there are thousands of certificates still relying on them.All new or renewed certificates will be signed by the new RootKeys as soon as they are operational. Some extensive testing is done in the last few months for creating, securing and implementing the RootKeys on a very high standard and open way.
The generated RootKey and two sub-root keys for assured community members (class 3) and (not assured) community members (class 1) makes use of open source tooling, certified in the past with FIPS 140-2 certificate for OpenSSL (Mar 2006).
Replacing the RootKeys is the last part of the server rehosting to the Netherlands which was done in October.
The LISA, Large Installation System Administrators conference, will be interesting in particular on thursday between 11:00AM and 12:30PM as the CAcert auditor, Ian Grigg, will do his ´Invited talk´ about auditing a community driven Certificate Authority on this conference.
Ian will talk about how CAcert as a lightweight community Certificate Authority (“CA”) engage in the heavyweight world of PKI and secure browsing. With the introduction of Public Key Infrastructure, the Internet security framework rapidly became too complex for individuals and small groups to deal with, and the audit stepped into the gulf to provide a kinder face, in the form of a simple opinion or judgment call.
He will speak in detail about the systems audit of CAcert, as a case study in auditing versus the open Internet, community versus professionalism, quality versus enthusiasm and will look at how CAcert found itself at this point. Also he addresses some big-ticket items, such as risks, assurance, disputes, privacy, and security.
The CAcert Assurer Rudi van Drunen, and many others will organize a Birds of Feather assurance party for doing assurances and pgp signing. As such increasing the Web of Trust.
|* rehosting day 3
Systems team visited the Ede BIT center to create backups and install a new drive. Systems are now passed over from old team of Philipp to the new team of Mendel and Wytze. The new team has a full book of work ahead of it and will be looking favourably on any locals who could help.
Root team has created trial keys but did not attempt a real root due to concerns over entropy and precise sub-root configuration. Current plan is to sort out these issues and re-convene end of November. This is not a blocking task.
At seven, the completion event took place at 'Planken Wambuis'. During a delicious dinner, the things happened in the last few days were spoken through and the things still to be done were mildly discussed. Around 22.30 the party broke up and went home.
|* rehosting day 2
The second day was mainly testing and making preparations for the rootkey ceremony.
A bug has been found in openSSL which blocks the rootkey creation on friday.
|* rehosting day 1
On 9:06h CET on wednesday, the team arrived at BIT, the Dutch ISP. They started with Opening the sealed disks under the watchful eye of the auditor and one person from the Dutch ISP. Around 12:00h The servers were booted and the data integrety was checked. At 13:32h The servers were running.
The Team is now smoothing out the last glitches, doing extensive tests and are monitoring the servers closely. It's still possible to have some outages in the coming days.
We got some questions by mail regarding the SSL keys and the (possible) debian vulnerability.
There are blacklists of sites who may have this issue. Unfortunately, the off-line page was also on this list.
After investigation, it turned out the off-line page was running on a computer which was booted with an older live-cd containing the bug.
Since it was a single static page, no harm is done. Our on-line site has different keys and it's verified that these ssl keys are ok.
CAcert apologises for this inconvenience.
|* Travel day
The servers were shut down around 8:00h CET on tuesday and a temporary page is set up for the off-line period.
After the disks were removed and sealed under the watchful eye of the auditor and one person from the Austrian ISP, The Vienna team started on their about 1100km trip to the Netherlands and arrived late in the evening.
|* Preperation day
Yesterday, 26th of September, The website was down for a brief period around 7PM CET.
An extra disk was added to the server for backup purposes.
The final backup will be made on monday around 7PM CET.
This is the first blog entry where CAcert informs the users on the progress of the rehosting of the critical servers.
On august 8, 9, 10 and 11 the Festival Of Roses (Rozenfestival) is held in Lottum, the Netherlands.
If you plan to visit and you’re looking for assurers, Maurice and Joost will be at the festival itself (and several more in the vicinity).
There will be no official CAcert stand and no official CAcert presence. plese make arrangements with us in advance, otherwise finding us can be hard.