Audit Results Session 2016.1

Audit Type

Operational audit

Report Status

Final Report

Audit initiated by

Directive of Board

Audit Subject

Root Certificate Re-Signing

Follow up status

2016-03-12 Send to Board for approval

2016-03-13 Approved by board in m20160313.1

Executive Summary

The cryptographic hash function MD5 is depreciated and its support will be removed from all browsers in the future. CAcert is using MD5 as hash algorithm in its self-signed root certificate. This would be no problem, since it is the trust anchor by itself but the removal of browser support will make the use impossible on one day.

For this reason, the software team created a github repository with scripts re-signing the current root certificates using SHA256 as signature algorithm; based on Bug 1305.

With a pre-defined and in Session 2015.4 tested process, the root certificate should be re-signed. This was executed successfully on 2016-03-12 in the secured facilities of CAcert's data centre.

Purpose, Scope and Methodology

Re-signing root keys is - as generating them - a significant task for a certificate authority. It should be carefully designed and monitored. To validate the correctness and completeness is therefore an important task.

The Audit was conducted as an inspection of the root resign process (SHA256sum: 367fd3cd8a07c3e2f5fcb2c5d050a7f8b017b04e85fa8589b3ef8b8bb2e1098a).

Audit Results and Recommendations

The procedure has been followed completely and successfully as described with the following derivations:

  1. The preparation phase steps 1 - 13 have been done twice because of a rouge USB thumb drive.

  2. Before preparation phase step 12 /var/cache/debconf/config. was locked by the live CD installer and therefore killed.

  3. In re-signing phase step 1, the time and date of the signer was set and the mirroring switched off.

  4. Made a mistake in re-signing phase step 6 (complain from main), inspected it, logged part of the private key to the typescript, deleted the typescript, started over with step 2 again.

All steps have been executed without disruption from non-related parties.

The recorded fingerprints are:

pubkey fingerprint of re-signing software signature key-pair

22cb 3904 6614 5cb4 aea1 0be1 7b38 b59b 317e 59ac 1884 3d40 f21b d092 2708 57f0

root_256.crt finger print

07ed bd82 4a49 88cf ef42 15da 20d4 8c2b 41d7 1529 d7c9 00f5 7092 6f27 7cc2 30c5

class3_256.crt finger print

f687 3d70 d675 96c2 acba 3440 1e69 738b 5270 1dd6 ab06 b497 49bc 5515 0936 d544

Following attendees signed the successful execution:

The internal Auditor holds:

  1. the Ubuntu Live DVD used for signing
  2. the USB thumb drive with the program input (from git)
  3. the USB thumb drive with the results, i.e.:
    1. checksums
    2. checksums.hash
    3. class3_256.crt
    4. main
    5. main.c
    6. main.o
    7. new.txt
    8. new3.text
    9. old1.txt
    10. old3.text
    11. root_256.crt
    12. script.prep


    14. signature
    16. timelog.prep

All of the above file are checked in to our SVN. For transparency reasons, all logs are attached here.






-- BenediktHeintel 2016-03-12 23:06:09

Audit/Results/session2016.1 (last edited 2016-05-10 12:24:54 by BenediktHeintel)