Team Reports 2020
Team Leaders are encouraged to present a report for their team. (alphabetic order)
19 = Text from 2019, please replace!
booking.com – hotel booking portal
This webshop with T-shirts, caps, mugs and more is run by secureU, a partner association of CAcert in Germany. The proceeds are sent to us or used to pay bills for us. (Ru)
Since April 2018, CAcert has Amazon Affiliates links. Unfortunately, there are different links for each different language/shop:
On the wiki, we have Google Ads in the top corner. To help CAcert, please allow your adblocker to show these ads. They are small and discreet, and do not disturb you while writing or reading on the wiki.
Critical System Administrator Team
The critical team changed in November 2019 from Wytze, Mendel and Martin. Since then, Joost and Dirk have been members of the critical team.
Many many thanks for the work the former team members did over all the years.
=== On-site work ===
There were two visits to the BIT data center in 2019/2020:
On the first visit there was the handover from the old critical team to Dirk. It took some time to get familiar with the setup afterward with the help of Wytze.
The second visit was in May to replace the broken signer hardware (and to do other maintenance tasks).
=== Outages of critical hard/software ===
We had a short outage of www.cacert.org in January, which was resolved by the Access Team doing a power cycle (as requested remotely by the Critical Team).
At the beginning of the Corona pandemic the signer broke, which caused some more issues: after we detected remotely that the hardware did not consume power anymore, the decision was made to find a replacement machine before a visit to the data center took place.
Due to corona-related delays, the signer was offline for around 6 weeks until the hardware had arrived and been prepared, and a visit to the data center following our security guidelines was possible.
=== Day to day operation ===
Regular system administration activities resulting in site visits or software updates of one or more of the critical systems are dutifully reported on the public systemlog mailing list firstname.lastname@example.org with archives kept at https://lists.cacert.org/wws/arc/cacert-systemlog . We refer the interested reader to those resources rather than duplicating or summarizing the information here.
=== Current status ===
The web service has gone without application maintenance for 3 years now, and is now left to run on an oldstable Debian distro with limited security patching. As time continues, that distro will become unsupported, leaving CAcert in a non-maintainable state.
=== Future outlook ===
To avoid any outages of the critical infrastructure, there is a decision to activate sun1 again and to add a second signer machine (hot standby) to the environment.
Without a fully functioning CAcert software development team, no changes to the application code have occurred in the past three years. Thus the CAcert application (written in PHP) is locking CAcert into an old and soon obsolete version of the Debian OS. In April 2018 we completed the upgrade of the webdb server to Debian Jessie, the "oldstable" release from Debian. As predicted in last year's report, this causes a permanent stream of PHP warning messages in the Apache logfiles, because the application code is using obsolete constructs. But an upgrade to Debian Stable is not possible with the current PHP code base, due to its dependency on an obsolete MySQL database interface layer, which is no longer supported in the PHP version bundled with Debian Stretch, the current Debian Stable.
Without the ability to upgrade the application platform to a well-maintained version of Debian, the Critical System Administrator Team will be unable to take responsibility in the near future for the safe and correct operation of CAcert's main server, the web application and database server. (da)
=== Access Team ===
There were three visits to the datacenter in FY 2019/2020:
- The handover to the new critical team in November 2019.
- A power cycle on sun2 in January 2020, as requested by the Critical Team. The Critical Team was then able to access the hardware again via remote console to activate the services again.
- As all access team members were limited by corona restrictions, a new member (without independent access) was temporarily added to the team, so that the necessary maintenance tasks and the replacement of the signer machine were possible in May. (da)
CAcert had a booth at Froscon 2019 with secure-u. Interest in CAcert is still active, but has moved from "server certificate" requests to "client certificate" requests (identity).
For other events there was no application due to personal and time limitations.
Currently the events team is quite small; any help for the events team is appreciated. (da)
A new (refurbished) server was offered by abilit.eu, which is currently running outside of the datacenter.
This infra03 server will be used to take some load off infra02, so that both servers can act as a backup for each other. It will be installed at the datacenter at the next visit of the critical team.
Several virtual infrastructure servers have been updated to more recent software and added to Puppet.
Currently, adding new members to the infrastructure team (and maybe to the Critical Team) is in progress. (da)
New Root & Escrow Project (NRE)
Organisation Assurance Team
Lead (no head exists) didn't manage to build a good working OA team. This is a) because OA assurances are quite complicated to perform, and b) because, due to Corona, business workload has risen to 2 times and there is rather no time left for CAcert.
- Eventually the encouraged CAcert Assurer in Pennsylvania, USA is still available for help in case someone may take over the task. He seems very encouraged to help and I'm trying.
- Anyone willing to network, build a team and exchange ideas really helps, as I got overworked in the past months.
Head didn't manage to build a good working team. This is because, due to Corona, business workload has risen to 2 times and there is rather no time left for CAcert.
- At the FrOSCon event we noticed increased interest in client certificates for mail exchange, but due to recent changes in Firefox, Adobe Reader and mail software, CAcert client certificates are nowadays less useful than they were in past years.
- CAcert's website no longer makes Firefox generate a private key and upload the public cert to the website, so the automatic signing process doesn't work any more.
- Adobe's PDF reader does not trust CAcert's client certificate any more and shows an "untrusted" "error", while it didn't care about the public trust before.
- Mail programs (especially for Windows) don't trust CAcert's client certificate any more and show "errors", while they didn't care about the public trust before
- These obstacles make public use of our client certificates not useful any more, but even for client certificates we are not limited to CAcert's community or at least technically advanced people
- Head is deeply grateful that Etienne Ruedin has done an amazing job promoting CAcert to the public and writing many important blog articles.
- Due to the workload of his main job, he encourages other people to take over his job, but is still available until someone is found.
- Current list of Affiliate Links should be promoted again and made publicly visible for better support.
- Continue writing book "CAcert for dummies"
- More team members for giving ideas and writing text
- Looking for native speakers of English and Spanish to write and translate text into their language for blog posts, Twitter and social media, as well as articles for news and magazines
Software Development Team
Within FY 2019/2020, no new patches were installed on our WebDB server (www.cacert.org).
There are currently some changes in the queue to add a serial number to the CRL and to reduce the size of the CRL.
But ... the number of software team members is quite low; we're in urgent need of ABCed software assessors. (da)
There is a more-or-less static flow of members wanting their CAcert-Account closed. Most members never received an assurance (and therefore never gave one). If a reason to close the account is given, it's usually a move to another CA.
Within FY 2019/2020, only a very small number of cases were moved to the dispute queue.
Processing support-tickets is quite slow as the number of support members is quite low.
Triage is doing its work very well; sometimes they add a note to incoming tickets, so support team members can use this as an answer to the member.
Support Team is in urgent need of new support team members, which is currently in progress. (da)
Translation / Localisation
CATS is now available in Czech. A French translation is waiting for review (for several months now).
After a donation request in September 2019, a lot of donations were received by secure-u, which made it possible to reduce the invoices to CAcert Inc. enormously and to buy replacement hardware to ensure sustainable operation of the hardware.
Since then there is a steady flow of donations to ensure the (financial) future of CAcert. (da)