What do we want to know about
We started an opinion survey to find out whether our Inc members share the same goals, or possibly not. CAcert always claims to issue digital certificates for free. But this is just a part of the story. CAcert wants to be included in the browsers' certificate stores. To get there, either an audit or plenty of money is required. CAcert decided to go for the audit. The decision was easily made. But the status "audit ready" was never reached. Why?
If you take a deeper look into the history of CAcert you will find many reasons. One recurring reason was money. Have a look at our motions page and see motions m20090609.1 and https://community.cacert.org/board/motions.php?motion=m20090612.5 . Money, or rather the lack of it, is a big issue in CAcert Inc. But there have been other reasons apart from missing money.
The AGM 20081107 established the audit as the priority of the committee with the statement "we hold it as the primary objective for CAcert to enter Mozilla within 2009". There was a time of enthusiastic emphasis. Have a look at the Memorandum of Understanding. At that time there was much hope and confidence that the enormous efforts could be completed in time. If you read the reports from that time listed on https://wiki.cacert.org/AuditPresentations, you will see much enthusiastic exaltation but also grief and unhappiness. But instead of stepping forward, quarrels grew.
The president of CAcert during that time decided to resign from his position and wrote in his email from 2009-07-01 (https://lists.cacert.org/wws/arc/cacert-board/2009-07/msg00010.html): "In social theory the problem CAcert Inc and Community is facing now is referenced as the 'road to Aberlee' casus: a group of persons who all had capabilities in tasting and eating food, has initiated the idea to have dinner in Aberlee, a small town nearby. Suddenly persons in the group start to take positions without having provided feedback or providing tons of arguments on differences in opinions and ideas over the restaurant choice. When cooperation and support for ideas seem to fall down the noise level is starting to awake the neighborhood and all skills are used to push it to the personal choice of restaurant. The support for the restaurant for the dinner falls away, the goal seems to be to defend one's position taken and no sorry will be heard. Next a vocal majority is blaming the other of the failure of the bad choice of just the restaurant nobody wanted to have dinner."
The external auditor commented on his resignation in https://lists.cacert.org/wws/arc/cacert-board/2009-06/msg00049.html and wrote in his report: "there is some speculation that the resignation is over one thing, and we just have to fix that one simple thing. Or one person is to blame and we have to find him and mob him. This is wrong. There were many signs, and all of them pointed in the same direction. If they weren't seen, then that is part of the problem."
The story of trial and error, missing money, not helping each other and so forth is written down by the actors of that time in the CAcert Annual Report 2009 (page 10 etc.).
We could not find a document in which all actors of that time wrote down the reasons for the failures. The lessons to learn from that are, in our opinion, at least:
- good and trustful communication
- rough consensus in our collaborative work
- a strong will to work towards audit
- self-discipline to shoulder the efforts
and maybe much more.
The next bigger step towards audit was taken in 2013 when Benedikt Heintel was nominated as internal auditor and was tasked with setting up an internal audit team. Please see motion m20131206.6. Benedikt presented a first audit plan, which was accepted in motion m20140413.4.
A huge stumbling block has always been our root certificates. MD5 is still present; SHA1 was replaced by SHA256. MD5 has been an issue since 2009. Just refer to the report, page 18. The external auditor wrote: "The current set of Roots also cannot pass Audit."
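The objection to the roots is about the signature algorithm recorded in each certificate. As an added example (not CAcert's own code or tooling), the following Python script reads the signatureAlgorithm field of a DER or PEM certificate with a minimal ASN.1 reader and flags MD5 and SHA-1 signatures of the kind the audit report objects to. The certificate it parses is a constructed skeleton built by the script itself, not a CAcert root; the OID tables are the standard PKCS#1 and ANSI X9.62 signature identifiers.

```python
"""Flag weak signature algorithms (MD5, SHA-1) on X.509 certificates.

Constructed example: a minimal DER reader that extracts the
signatureAlgorithm OID of a certificate, plus a tiny DER writer used
only to build a skeletal test certificate. No third-party libraries.
"""
import base64

# Signature algorithm OIDs an auditor would reject (hash is MD5 or SHA-1).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

# Signature algorithm OIDs currently accepted (SHA-2 family).
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

SEQUENCE, OID, NULL, INTEGER, BIT_STRING, OCTET_STRING = 0x30, 0x06, 0x05, 0x02, 0x03, 0x04


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted form (first arc 0 or 1)."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def load_pem(text):
    """Strip PEM armour lines and return the DER bytes."""
    body = "".join(l for l in text.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def to_pem(der_bytes):
    """Wrap DER bytes in PEM armour (used for the round-trip check)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes).decode() + "\n-----END CERTIFICATE-----\n"


def signature_algorithm_oid(der_bytes):
    """Walk Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = read_tlv(der_bytes)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert)             # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(sig_alg)
    if tag != OID:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)


def assess(der_bytes):
    """Return ('weak' | 'ok' | 'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm_oid(der_bytes)
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak", WEAK_SIGNATURE_OIDS[oid]
    if oid in ACCEPTED_SIGNATURE_OIDS:
        return "ok", ACCEPTED_SIGNATURE_OIDS[oid]
    return "unknown", oid


# --- Constructed test input: a DER writer and a skeletal "certificate". ---

def der(tag, content):
    """Encode one TLV with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Encode a dotted OID (first arc 0 or 1) as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der(OID, body)


def constructed_cert(sig_oid):
    """Constructed skeleton with the outer shape of a Certificate; not a real cert."""
    # The padding makes tbsCertificate long enough to need a long-form length, as real certs do.
    tbs = der(SEQUENCE, der(INTEGER, b"\x01") + der(OCTET_STRING, b"\x00" * 200))
    sig_alg = der(SEQUENCE, encode_oid(sig_oid) + der(NULL, b""))
    sig_value = der(BIT_STRING, b"\x00" + b"\x00" * 16)
    return der(SEQUENCE, tbs + sig_alg + sig_value)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(oid, assess(constructed_cert(oid)))
```

Run it on a real root by replacing `constructed_cert(...)` with `load_pem(open("root.pem").read())`; a result of `weak` is exactly the condition the auditor's sentence describes, and an `unknown` result means the OID is outside the two tables and should be looked up rather than assumed safe.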
We have a project running titled "New Root Escrow". And there are plans from the current board to go forward and implement the new root certificates by 2017-07-01 at the latest. But we should take the next step first.
Currently we see several divergent points of view among our membership. The current board wants to go forward and take bigger steps to get audit ready. A different point of view emphasises that the community itself should strive to get CAcert audit ready. And there are further differing opinions, some of which you may find on other communication channels.
We are not surprised that our former external auditor changed his position and tells the world about
Our current board believes that a shared understanding of our goals and targets is a necessary basis for all of us to collaborate successfully and step forward.
Because of this we want to know just a little bit about your point of view.
There was a plan to perform the "Root Re-sign Procedure" on the eve of FOSDEM. This procedure has a long history in CAcert. We agreed with the leader of the critical team to perform this procedure. The team leader wrote in an email dated 2015-12-09: BIT has expressed its enthusiasm to participate in this ceremony, and has offered us the use of the large room in their ultra-new facility (to be opened on January 8, 2016!). This room has ample space for participants and spectators, we can have a marked zone in the middle of the room for the actual operation, and everything can be video-recorded if so desired. Do you want to accept this generous offer?
To our surprise we received an email telling us that the procedure should be postponed. No facts were presented.
But the real world is moving on. There are many parties, each of which makes its own decisions. The CAB Forum, for example, is working on the Baseline Requirements Redline. The IETF moved MD5 to historic in 2011. Those are just two parties. And there are many developers and maintainers of software packages like openssl or gnutls. The latter fixed an erroneous behaviour of gnutls in spring 2015, see http://gnutls.org/
Sometimes there is some surprise about the results, as expressed here
This tweet leads us directly to some security news
all of which were published in 2016!
All these parties and their actions have an impact on our activities pertaining to our certificates. If we want to play a role in the world of CAs and certificates we must keep on running. This is why we are starting an opinion survey.
Shall we perform the Root Resign Procedure?