• To New Roots & Escrow Project - To Class3 Re-sign Procedure

• To Class3 Subroot Fingerprint - Sources - To PR Distribution list for Class3 Re-sign Project rollout

• To Class3 Subroot Re-sign project - Members and users FAQ

---

Class3 Re-sign - Migration Project May/June 2011

CAcert has embarked on an interim project to re-sign the Class 3 root. The project is inspired by the Mozilla announcement of Dates for Phasing out MD5-based signatures and 1024-bit moduli. Community members from the Software-Assessment Project team and Critical System Administrators team rose to the challenge to prepare, test and implement a class3 re-sign procedure.

The intention is to re-sign the class3 subroot with new sha256, and rollout the certificate. All issued class3 keys are still valid, because the class3 private key is still intact. It is similiar in process and effect to a certificate renewal. All users who uses a class3-issued cert have to replace the class3 subroot certificate in their browser, email client, or server (once only).

• The proposed procedure: Class3 Re-sign Procedure

Project timeline

• April/May 2011	authoring of Class3 Re-sign Procedure by Software-Assessment project team	{g}
  April/May 2011	testing of Procedure by Software-Assessment project team, Software-Testteam	{g}
  2011-05-15	presentation of procedure and test results to board for approval	{g}
  	Board meeting 2011-05-15 presentation, approval	{g}
  	Motions: m20110515.2 that we upgrade the class-3 root ...	{g}
  	m20110515.3 that we ask the community to prepare a press statement ...	{g}
  2011-05-23	Class 3 subroot re-signed according to procedure by Critical Sysadms Team	{g}
  2011-05-23	Exec report from Critical Team	{g}
  2011-05-25	bug# for source code changes: bug #946	{g}
  May 2011	prepare press release, blog post, members notifications to be presented to board	{g}
  May 2011	prepare support FAQ, present to SEs and support maillist	{g}
  2011-06-05	approval of press release, blog post, members notifications: m20110605.2	{g}
  2011-06-06	request for translations of press release	{g}
  2011-06-15 - 2011-06-20	proposed class3 subroot rollout date, send out press release, blog post	{g}
  2011-06-10	class3 subroot rollout day, sent out press release, blog post	{g}
  end+some days	from our experiences of this project, write up the procedure for rollout, so as to prepare for the Big New Roots Rollout	{g}

Sources where class3 fingerprints needs to be changed

• Class3 Fingerprint Sources

Press Release Distribution List

• PR Distribution list for Class3 Re-sign Project rollout

  • The Roots/Class3ResignProcedure/PressRelease

Prepared Help Page(s)

• FAQ Class3 Re-sign

Class3 Subroot Re-sign project on Software-Assessment Project meeting agendas

• 2011-06-14 22:00 Software-Assessment MiniTOP (telco)

• 2011-06-07 22:00 Software-Assessment MiniTOP (telco)

• 2011-05-24 22:00 Software-Assessment MiniTOP (telco)

• 2011-05-17 22:00 Software-Assessment MiniTOP (telco)

• 2011-05-10 22:00 Software-Assessment MiniTOP (telco)

• 2011-05-03 22:00 Software-Assessment MiniTOP (telco)

• 2011-04-26 22:00 Software-Assessment MiniTOP (telco)

• 2011-04-19 22:00 Software-Assessment MiniTOP (telco)

• 2011-03-29 22:00 Software-Assessment MiniTOP (telco)

• 2011-03-22 22:00 Software-Assessment MiniTOP (telco)

• 2011-02-22 22:00 Software-Assessment MiniTOP (telco)

• 2011-02-15 22:00 Software-Assessment MiniTOP (telco)

Class3 Subroot project related bugs

• Bug #665 "0000665: Intermediate level-3 certificate is MD5-signed" {g} closed

• Bug #946 "0000946: class3 subroot resign procedure - rollout" {g} closed

• Bug #950 "capnew.php TCPDF error, logo missing" {g} closed

Class3 compatibility checklist

• Hash algorithm interoperability

---

• CategoryAudit

• CategoryNewRootsTaskForce

• Root States Overview