Team Reports 2013

Team Leaders are encouraged to present a report for their team.

Policy Group

The year in Policy showed some activity. The main work focused on fixing specific sentences that have moved over the past few years since the initial start of the policies. Assurance subpolicy POJAM moved to status POLICY after quite a long period in DRAFT (since February 2010), during which we collected experience in practice in the assurance area, and the feedback we received was all good.

Policy Directory Migration Project

Since the initial start of the PolicyOfPolicy, the requirement that all Policies in DRAFT or status POLICY be placed in a subdirectory of the critical system has turned into a complicated process, which has resulted in a backlog of 4 years of update changes that need to be transferred into the critical system.

Since December 2009 the Software Assessment project team has deployed a running infrastructure to write patches and move them to the critical team. This process is now running in good shape. But the backlog of Policy update changes has not yet made it onto the main CAcert website.

With a potential conflict of authorities between two teams (Software Assessment vs. Policy Group), one problem was fixed first by Policy Group: allowing updates of the Policy documents under the Critical System, so that the collected required Policy updates can be transferred by the Software Assessment team without further big discussions and individual votes in Policy Group (p20130223).

This affects Policy updates that were voted into effect by Policy Group a long time ago but did not find their way into the "officially" listed Policies in the Critical system, as well as link fixes and reference updates (e.g. the RDL that replaced NRP-DaL in 2010) and other "minor" changes that did not change the policy text or its meaning. The collection of Policy update patches is running under Bug #1131 "Rename _all_ Policies from .php to .html and fix all links".

Decisions reached by Policy Group in 2012/2013 period

Policy Group Work To Do

  1. New Legacy Policy - how to handle "old" assurance and experience points, e.g. a fade-out? revocation of points? cutting old Superassurance Points down to 35 Pts?
  2. CCA review / rework - still WIP (75% finished)
  3. DRP review / rework - still WIP
  4. CPS review / rework
  5. TTP-assisted-assurance Sub Policy to POLICY (once TOPUP program is activated)
  6. RDL to POLICY
  7. Security Policy review (to POLICY?) (defining Escrow role?)
  8. CCS to POLICY
  9. Organisation-Assurance Policy review / rework (requires some preparation by the OA team)

Audit Team


Audit Activities in FY 2012 / 2013 were limited to case handling on request, since the master plan to get CAcert Audit ready was not executed as planned.

Since April 2013, Benedikt Heintel has been working as internal Auditor for CAcert. Between April and June no request was handled.


Starting in January 2014, it is planned to conduct a yearly internal Audit over CAcert. For this reason, an Audit plan will be created in January 2014 containing especially, but not limited to, Audit over CCA, Critical Infrastructure, Arbitration, and New Roots & Escrow Processes.

To build a strong audit capability, further internal Auditors shall be included in the Audit Team.

Benedikt Heintel
CAcert Lead Auditor


This report does not necessarily cover CAcert's financial year, but the period from last AGM until now.


After the resignation of Daniel as Infrastructure Team Leader and admin, maintenance on Blog stalled: the system was still running Debian Lenny and almost no updates or security updates were applied. In July 2013 Mario did a complete new setup of the system, now running Debian Wheezy, and migrated the old WordPress 2.5 installation to the most recent WordPress 3.5.2 vanilla version. The new installation features a working media gallery that allows authors to upload images and include them in their posts, and an update function that can easily install updates for WordPress and plugins from the web admin interface.

To ensure compatibility with the new WordPress version, a new theme was hacked up, and the client certificate authentication plugin was reimplemented and is now available from the WordPress plugin directory. The Client Certificate Authentication plugin allows users to log in based on a matching email address in the client certificate and in WordPress, and creates new users automatically and grants them author privileges. Also, SSL-related issues were fixed with the upgrade.

The admin list in the application was cleaned and privileges have been granted to Marcus Mängel and Alexander Bahlo (in addition to the system admins), allowing them to initiate WordPress and plugin updates and to manage plugins. Martin was appointed as system administrator for Blog and will take care of keeping the Blog up, running and updated. Changes in the output of the RSS feed broke the display of the news item teasers on the CAcert start page. Martin prepared a patch for LibreSSL that features proper XML parsing of the news feed.



In May 2013, Jan updated SVN to the latest Debian release, Wheezy. The upgrade went very smoothly without any problems.


From April 2013 until July 2013 we experienced severe load problems caused by the wiki being hit by bots. Because MoinMoin uses files as data storage, it got very slow on some actions. We have taken several countermeasures, including: backporting a fix from an upcoming MoinMoin version that improves the performance of the action rss_rc for single pages, to which a link is included in every wiki page; removing the link to a fullsearch on the current page in the breadcrumb; running moin maint cleanpage to remove deleted and spam pages from the system; and running a custom script that deletes all users that have not subscribed to or edited any page (in total ~8000 users were deleted, fewer than 1000 remaining). In June 2013, Martin performed an upgrade of the system to Wheezy and updated MoinMoin to the latest version.


Alex Robertson took over the role of DRO just prior to the last AGM.

It appears that only four arbitrators (two regularly active, one is busy but doing some work and another appears sporadically and then disappears again!) and one arbitrator in training are currently active. This means that long delays are likely to occur before non-urgent cases get processed. All of the currently active arbitrators have a caseload. There are several very old cases stalled because the arbitrators who have taken them on have not been seen in either team meetings or in relevant wiki updates.

Subsequent to the reporting period, one new arbitrator (Eva Stöwe) has joined the team and one (Joel Hatsch) has resigned.

Six team meetings were held during the report period – but attendance dwindled over time and it seemed pointless holding a formal meeting with only two attendees after the report period.

The proposed rewrite of the DRP (mentioned in last year’s report) has stalled – the person who volunteered to do this has not been heard from for many months.

Currently the arbitration team is struggling to cope with the flow of cases, which means that the backlog is increasing, and there is a desperate need to get more active arbitrators, but there is the additional issue of having sufficient active experienced arbitrators available to effectively mentor new candidates.

Alex Robertson DRO

Arbitration Statistics 01 July 2012 to 30 June 2013

Cases Opened


Cases Closed


From 2013


From 2012


From 2011


From 2010


Current Status as at 5 Nov 2013

Cases currently in Arbitration


Cases awaiting Arbitration (< 1 year)


Cases awaiting Arbitration (> 1 year)


Precedent Cases Overview

Cases handled by support under precedent rulings

Arbitration Precedent Case

Handled following precedent by Support or Critical team

a20090525.1 Events scripted mailings


a20100210.2 Revoke assurance 24 hours / 3 days / 7 days after an event


a20111128.3 Delete Account cases which may be handled by SE - No Assurances given, no certs or certs expired


a20111204.3 Minor account data differences which may be handled by SE


a20101025.1 Removal of posts from mailing list archives




Arbitration Statistics

Statistics by Year (FY)

Statistics period July 2012 - June 2013

Long term statistics 2008 - 2013

Software Development Team

The software development team including software testers, developers and assessors continued their work to improve and fix the existing CAcert software.


Some testers were coming and going, while there is a core tester group which continues to work away in each weekly "software assessment" meeting. So tests were done in a timely fashion. Marcus and Magu, who previously were mainly involved in testing the software, now did more development work, preparing changes for later review by the software assessors. With about 2.5 active software assessors, proposed changes get reviewed continuously but there is certainly room for improvement (mea culpa).


Over the past year we have resolved 165 issues while "only" 93 new ones were opened. That means we are down 72 open issues compared to last year. Of these 165 resolved issues, 58 resulted in a patch request to the critical admin team. But we can certainly improve on the average time until a bug gets fixed, which is 1,180 days at the moment. If you need more statistics, just head to the statistics page on our bug tracker.

Achievements Unlocked

New Achievements Available

Michael Tänzer
Software Assessment Team Leader

Critical System Administrator Team Report July 2012 - June 2013

Hardware changes

A major change made to the hardware infrastructure for the CAcert servers in the past reporting period was the phasing out of the original webdb box (an old Intel Pentium 4 based PC) by migrating the webdb services to sun2. Otherwise, there were no component failures requiring a hardware replacement in the reporting period.

On-site activity

The log of visits to the hosting facility shows the following "on site" activities:

The total number of visits (7) was somewhat smaller than in the previous year (9), and only 2 of these 7 visits could be labelled emergency visits. These two consecutive visits, on 19 & 20 June 2013, were caused by a flaw in the serial number administration of the Class 3 certificates which had been introduced there many years ago (around May 2005) by the original operator of the service. After analysing the results of the first visit, another visit was made the next day to permanently solve the problem.

Off-site activity

All other (i.e. most!) system administration work has been performed remotely. Issues directly affecting the operation of the webdb server continue to be logged to the mailing list (archived at ) with headings like "configuration change webdb server", "security upgrades webdb server" or " checkin notification". This logging is also used for changes to all other services like DNS, OCSP etc. under critical-admin management. A total of 107 messages were posted on this mailing list during the year.

Webdb server

At the start of April 2013 the webdb server was migrated to another hardware platform (sun2), with much better performance characteristics for this critical server. With 4 AMD Opteron CPUs, 4 GB of internal memory and two 15000 rpm disks in mirror configuration, the response time of this system has improved tremendously.

In conjunction with the hardware migration, a software upgrade from the no longer supported Debian "Lenny" release to Debian "Squeeze" (oldstable) was performed, both for the system itself and for the chroot environment in which the web server runs.

The three disks of the old webdb server have been shredded meticulously with the GNU shred utility. They are still present in the locked hosting cabinet, awaiting removal to secure-u secure storage and eventually controlled destruction.

Other maintenance work on the webdb server during the reporting period involved:

thus making a total of 66 critical admin interventions for this server (previous year: 102).

DNS service

The DNS service has been continued in the same configuration as the previous year. Maintenance activities for this server boiled down to:

thus making a total of 20 critical admin interventions for this server (previous year: 30).

OCSP and CRL service

The OCSP service and CRL services have also been continued in the same configuration as the previous year. Maintenance activities for these services boiled down to:

thus making a total of 6 critical admin interventions for this server (previous year: 13).

The availability of the CRL service has been decreasing over the year. This is caused by a number of factors:

Note that we are routinely pushing out over 100 GB of data *per day* from just this server. Plans are being made to improve the situation in the next year, in a number of ways:

Backup service

The boxbackup server has also been continued unchanged, with maintenance activities limited to installing a number of OS updates:

thus making a total of 1 critical admin intervention for this server (previous year: 7).


The external firewall is managed and operated by Tunix, as a donation to CAcert. However, the critical admin team is responsible for providing the correct configuration instructions to Tunix for the firewall management. In the past year 3 firewall change requests were generated and monitored (previous year: 6). In addition a discussion has been conducted with Tunix regarding the disappearance of the backup telephone line to the firewall.

A project has been started to replace the complete Tunix firewall by a new small-footprint and energy efficient setup based on two Alix cards. We hope to be able to complete the replacement before the end of 2013. In conjunction with this change, the switch configuration will be overhauled, in order to reduce the number of hardware components employed, and improve the redundancy in case of failure.

Infrastructure support

After migrating all (non-critical) infrastructure services to infra01 in the previous reporting year and providing it with its own external USB backup drive, very little support has been required from the critical admin team for this server.

Recommendations have been made for the acquisition of a more powerful and energy-efficient infrastructure server, to be donated by a hardware vendor. This new server will be deployed at the end of 2013.

Software Assessment Team support

We continued to support the Software Assessment Team by maintaining a test server (on a virtual machine) which resembles the production webdb server as closely as possible. A second similar test server is also maintained for special critical system tests and preparation of major software upgrades.

The patch process developed by the Software Assessment Team has resulted again in a significant number (54) of successful patch updates to the production server (previous year: 60).

Events team support

From time to time the events team wants to inform CAcert members about important events like Assurer Training Events and the like. These mailings are performed by adding a custom script to the webdb server and running it against the current database. Based on arbitration, such scripts are prepared by the events team and handed over to the critical admin team for installation and execution. 8 cases were handled in the past year.

Interaction with other teams

From time to time the critical admin team also receives requests from other CAcert teams like Support and Arbitration, which we try to handle as quickly as possible. The total number of e-mails processed or generated by the critical admin team during the reporting year amounts to around 1000.

Team changes

In March 2012 we found Martin Simons as a suitable candidate for reinforcing the critical sysadmin team, but due to the long time it took for the required ABC to complete, we could finally welcome him on November 1, 2012.


Plans for the coming year include:

Wytze van der Raay, Mendel Mobach, Martin Simons
Critical System Administrator Team


Overall status

Not directly connected to Public Relations, yet performed by Head of PR team

Plans for the future

Any help is appreciated!

Alexander Bahlo
Officer for Public Relations



Management of CATS and the Assurer Challenge

Not much news this year.

The CATS repository has been moved to GitHub, and documentation of the installation procedure has been created. Currently there is a problem with the question management, probably since the OS upgrade to Debian Wheezy. Every modification to a question's text seems to set the text to empty! I hope I get to analyzing and fixing this soon...

No progress with translations.

During 2012 (numbers only available per calendar year), 72 PDF certificates and 10 printed certificates for passed Assurer Challenges have been issued.

Still there's no interface for Education to verify that a certificate applicant has collected 100 Assurance Points, so Support has to be contacted for every certificate request.

Some statistics for the time July 2012 to June 2013:

Prospects for next year

The same as last year:

Bernhard Fröhlich


In 2012/2013 we had 26 Events listed in total.

ATE Team

The ATE team consists of a mixture from several other teams: Education team, Audit team, Co-Audit team, Assurance team. The Assurer Training Events are an event form to bring Assurers together, to get them trained and co-audited.

With a decrease in Audit activities (for several reasons), the ATE activities also decreased to ATEs on request.

Finally, we ran 5 ATEs: 3 in Germany, 1 in the United States and 1 in Australia.

ATE presentations are still based on the German "Bonn" presentation and the English "Manchester" presentation. Both can be found in the SVN under Education - Material.

Co-Audit results

The server that was used in the past to enter co-audit results has been shut down. A backup is currently held by Iang. With the new infrastructure machine, the hope is to get a machine with some webspace for the internal audit and also for the co-audited assurance program.


The Individual Assurance Program

Short: The Assurance Program receives reports from the Events organizers and ATE teams. The lack of event reports reaches a new high score in the negative: only 1 of 19 Assurance Events organizers and only 2 of 5 ATE Event organizers delivered event reports that give some feedback about the current status of the assurance program.

The CAcert statistics count approx. 400 new assurers in the period 2012/2013 (520 in 2011).

TTP-assisted-assurance Program

TTP-assisted-assurance Program deployment

TTP-assisted-assurances TOPUP program

TTP-assurers seeding

TTP-assisted-assurances statistics

Organisation Assurance Team

New Root & Escrow Project (NRE)

Building Team

Following discussions about New Roots in several board meetings, the NRE Team was built in mid June 2013. The NRE team have an initial meeting with a board member to discuss next steps.


Martin Gummi - NRE Project Manager


Ada Lovelace, a Computer Science student from UNC-Chapel Hill, did an internship on the BirdShack project over the (northern) summer period, being May 2012 to August 2012, inclusive.

Ada worked with Iang on the middleware server. We implemented a first cut of a REST-based middleware server in Java. This involved creation of objects to match all the Birdshack resources, objects to implement the REST pattern (create, read, update, delete), testing them for network sending and recoverability (a process we called the Ouroborous pattern), and construction of an object database that could store and recover the REST resources. Piers was press-ganged into final review of Ada's code.

During the process we discovered several issues.

  1. REST has no security architecture. As we were using techniques and network framework from an existing project called SOX, we inherited its security model. It remains to be seen if there are better options, but SOX is far better than nothing, and probably better than password / usernames over TLS. The choice of security model has many implications. For website language, Java is easier; the ability of other languages to contribute a website is somewhat reduced because of the lack of bindings, and if another model were used, we would need to align that with both languages.
  2. REST has no state, so state-rich transactions are difficult. For example, it is impossible in pure REST to create two objects that link to each other at the same time, as an atomic transaction (which is more or less a requirement of the original BirdShack design). To address this, we created two variations:

    1. promiscuous resources that could be created in advance, linked into other objects, and then changed to be a different final object.
    2. expiries on objects, such that if a failure to finalise a transaction occurs, the initial object will be cleaned up automatically by the backend database.

The combination of these two extensions allows transactions to be implemented with REST commands.

  3. It is not entirely clear that the REST model buys us much. From the perspective of security and state, once a proper model is implemented, it is also clear that implementing specialist access requests to do the specific BirdShack requirements is not that much more work, and gives great benefits in code solidity, reliability and especially security.
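
The two extensions described under the second issue above (placeholder resources plus expiries), sketched as an added illustration that is not taken from the BirdShack code base, which is Java. The `ResourceStore` class, its method names, the resource type names and the rule that an expiry is dropped once a resource and all its link targets are final are assumptions made for this sketch.

```python
import itertools


class ResourceStore:
    """In-memory stand-in for a REST backend (hypothetical, not BirdShack code)."""

    def __init__(self, clock):
        self._clock = clock            # injectable time source
        self._items = {}               # id -> {"type", "links", "expires"}
        self._ids = itertools.count(1)

    def create_placeholder(self, ttl):
        """POST: reserve an untyped ("promiscuous") resource that expires after ttl."""
        rid = f"r{next(self._ids)}"
        self._items[rid] = {"type": None, "links": [],
                            "expires": self._clock() + ttl}
        return rid

    def update(self, rid, rtype, links):
        """PUT: give a placeholder its final type and links to other resources."""
        self.sweep()
        if rid not in self._items:
            raise KeyError(f"{rid} is unknown or has expired")
        missing = [ref for ref in links if ref not in self._items]
        if missing:
            raise KeyError(f"link targets unknown or expired: {missing}")
        self._items[rid].update(type=rtype, links=list(links))
        self._settle()

    def _settle(self):
        """Drop the expiry once a resource and everything it links to is final."""
        for item in self._items.values():
            if item["type"] is not None and all(
                    ref in self._items and self._items[ref]["type"] is not None
                    for ref in item["links"]):
                item["expires"] = None

    def sweep(self):
        """Backend cleanup: delete every resource whose expiry has passed."""
        now = self._clock()
        dead = [rid for rid, item in self._items.items()
                if item["expires"] is not None and item["expires"] <= now]
        for rid in dead:
            del self._items[rid]
        return dead

    def read(self, rid):
        """GET: return the resource, or None if it never existed or has expired."""
        self.sweep()
        return self._items.get(rid)


def link_pair(store, type_a, type_b, ttl=30, fail_midway=False):
    """Create two mutually linked resources using only single-resource calls."""
    a = store.create_placeholder(ttl)
    b = store.create_placeholder(ttl)
    store.update(a, type_a, links=[b])     # a is typed but still expiring
    if fail_midway:                        # simulated client crash
        return a, b
    store.update(b, type_b, links=[a])     # both final: expiries cleared
    return a, b
```
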

The next step in the BirdShack project would be to create a website that drives the REST-based interface according to user demands. This would be best in Java as the object bindings are already done, and we have the secure communications architecture in place.

The challenge would be to get enough of a website up and working to allow the whole site to be seen, and then features could be added incrementally by different programmers.

AGM/TeamReports/2013 (last edited 2013-11-17 02:55:21 by MartinGummi)