= Incident i20130810.1 =

 * Incident Number: i20130810.1
 * Status: finished
 * Incident Manager: name manager
 * Date of incident opened: 2013-03-30
 * Date of incident closed: 2013-05-09
 * Incident title: Potential loss of CAcert Root Certificate credentials

== History Log ==

 . 2014-03-30: Incident i20130810.1 documented, initially documented in [[Audit/Incidents/priv/i20130810.1|private part]]
 . 2014-05-09: Published full incident report
 . 2014-07-05: Added link to private part

== 1. Incident Response Team ==

 * Internal Auditor
 * Critical Sys Admins
 * Access Engineers

== 2. Incident Description ==

An external party informed CAcert about [[https://microca.st/oshepherd/comment/R0xY0S_JQj-bSXcBREdTFg|statements]] claiming to have evidence that CAcert has "no idea what was happening with their root certificate." and that CAcert's root certificate keys (root keys) have been stolen and are for sale on the black market.

== 3. Containment Actions ==

 * Critical Sys Admins have been questioned about this claim. They could not remember any incident since 2008, since the root certificates moved from Australia to the Netherlands.
 * Access Engineers have been questioned and could prove the Critical Sys Admins' statement right.
 * The initial author of the post said he had no other evidence than the [[https://lists.gnu.org/archive/html/savannah-hackers-public/2008-10/msg00006.html|statement]] he found in a mailing list.

== 4. Root Causes ==

The statement could not be proven right; it seems to rely on another [[https://lists.gnu.org/archive/html/savannah-hackers-public/2008-10/msg00006.html|statement]] with no clear source. However, the auditor cannot be sure that the root keys have not been copied. What makes a leak unlikely is that since 2008 we have not encountered any unauthorized use of the CAcert root keys.

=== Resolution ===

'''The internal auditor cannot see any evidence for this claim'''. He proposes to create and execute a project to generate new root certificates (see 8.) to keep a clean track record until the end of 2014.

== 5. Permanent Corrective Actions ==

No permanent corrective actions apply.

== 6. Verify Corrective Actions ==

Obsolete

== 7. Preventive Actions ==

To prevent potentially leaked root keys from being abused, the [[http://wiki.cacert.org/Roots/EscrowAndRecovery/NRE|New Roots & Escrow Project]] has been started in order to create new root certificates with securely kept root keys.

== 8. Approval & Closure ==

|| '''Approved by Board''' || 2014-04-13 in [[https://community.cacert.org/board/motions.php?motion=m20140413.5|m20140413.5]] ||
|| '''Date closed''' || 2014-05-09 ||

----
 . CategoryAudit
 . CategoryIncident