Other Tasks:

Robust SSH library

A robust library that provides full SSH capabilities (SSH-Tunnels, ...) that can be used in other applications, and the necessary wrappers for common languages like PHP, Perl, ...

ELF Signing and ELF-Loader-Signature Verifying

We would like to have X.509 and/or OpenPGP based ELF signing tools and improved ELF-Loaders that can enforce signature verification on load. There are several projects that are working on it, but none seems to be complete yet: http://wiki.cacert.org/wiki/CodesigningCert#head-6bbdb82bb3228b4a676f589f48b9c0e1d1fefff2

Secure Compression

We are seaching for a compression system (library, ...) which does not contain any checksums, avoids any recognizable structures in the compressed file as far as possible, and where every file is a valid compressed file that can be decompressed correctly. The compression factor should be similar or better than ZIP, but must not be better than ~ 1:100, even with extremely low entropy files.

Firefox Extension for HashServer

We would like to have a Firefox Extension that extracts the public key from each certificate Firefox processes, calculates the SHA-1 sum of it, and looks it up in a blacklist that is regularly updated from http://hashserver.cacert.org/ In case a compromised key is found, the user is alerted.

See also ...

LUKS Security

Find a solution to tell LUKS/DM-Crypt in case of emergency to wipe all the keys in memory, block disk access, and ask for the passwords on the console again. Perhaps a /proc file interface like /proc/sys/dmcrypt/emergency would be helpful.

LUKS Robustness

Currently LUKS is usually using hardcoded devicenames, which causes a problem when race-conditions result in randomly different devicenames upon booting (/dev/sda <-> /dev/sdi). In those cases LUKS doesn't find the encrypted harddisk anymore, and can't boot. Find a solution that LUKS does not depend on the hardcoded values anymore (perhaps still use them as default for the first try, but the encrypted partition isn't found there, then fall back to search for it on all other available devices) The solution should be then incorporated into Debian and Ubuntu (which are both affected by that problem)

Doesn't help Debian/Ubunu(?) but I've got this on mine (Daniel) - probably a recent udev version

/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part3                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part3                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part2                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part2                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part1                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part1                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part4                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part4                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0                                                    
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0        

Secure VPN

We are searching for a vendor that is able to deliver a secured Point-to-Point VPN solution that is designed for high-security environments. We are interested in 2-4 VPN boxes, with the following requirements: Strong casing, hardened TCP/IP stack, double encryption, no web-frontend, no IPSEC, independent security reviews (sourcecode availability preferred). Layer 2 bridging availability would be great. Must not allow internet access for any of the 2 networks that are connected through the VPN. It would be preferred to have the VPN in a Network-HSM style casing. A potential product: http://www.flexsecure.de/ojava/tunnelbox.html

Full Disk Encryption for OpenBSD

We could need a full disk encryption system for OpenBSD, preferably integrated into the installation process like Debian/Ubuntu Installer does it.