<<TableOfContents()>>
= Preamble =
== Background ==

CAcert uses roots as described at [[FAQ/TechnicalQuestions#Structure_of_Roots|Structure of Roots]] and many other places.  Because the existing roots have been deemed to be  ''[[Audit/CommunityReport20080902|Audit Fail]]'', we have to create new ones that are capable of passing a future audit.  Also, this project has taken on more urgency because of the deprecation of MD5 and the general weakening of the roots over time.

== Authority ==

The Board authorises creation of roots and subroots from time to time.  The procedures are authorised under [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#9.2|DRAFT Security Policy]] and are indexed into the [[SecurityManual#RootKeyManagement|Security Manual]].  Also see the [[http://www.cacert.org/policy/CertificationPracticeStatement.php|wip DRAFT]].

= Process =

Discussion on the project is at [[https://lists.cacert.org/wws/info/cacert-policy|cacert-policy maillist]].  You can [[https://lists.cacert.org/wws/subscribe/cacert-policy|subscribe here]] and [[https://lists.cacert.org/wws/arc/cacert-policy|read the archives]].

This wiki page is freely editable. Add tasks where needed. Add questions if needed.

= Tasks =

 || Task || Responsibility || References || Status ||
 || Re-sign class 3 || Critical Team Leader || [[Roots/Class3ResignProcedure|Re-sign Procedure]] || procedure written and tested, authorised as [[https://community.cacert.org/board/motions.php?motion=m20110515.2|m20110515.2]] ||
 || PR for Class 3 Re-sign || Community || [[https://community.cacert.org/board/motions.php?motion=m20110515.3|m20110515.3]] || ||
 || [[Roots/EscrowAndRecovery|Escrow and Recovery]] || Board || [[Roots/EscrowAndRecovery]] || [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100306|board meeting 20100306]]<<BR>>[[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100321|board meeting 20100321]]<<BR>>[[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20130310|board meeting 20130310 ff.]] ||
 || [[Roots/Structure||root structure]] correct? || Policy Group ||  [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] [[https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00001.html|discuss]] || under review 20090305 ||
 || [[Roots/Contents||root certificate format]] correct? || Policy Group with Technical Input ||  [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]]  [[https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00001.html|discuss]] || under review 20090305||
 || [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#9.2|security policy]] correct? || Policy Group ||  || ||
 || [[SecurityManual#RootKeyManagement|security manual]] correct? || critical systems administration team leader|| || ||
 || [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] correct? || Policy Group ||  || CPS to DRAFT [[PolicyDecisions#p20090706|p20090706]] <<BR>>CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets [[PolicyDecisions#p20091108|p20091108]] <<BR>>CPS #7.1.2 "Certificate Extensions" adjustments [[PolicyDecisions#p20111113|p20111113]] ||
 || Software Changes (todo break into detail) || software team || || waiting on root structure/format definition ||
 || New Root Creation || critical team || [[Roots/CreationCeremony|ceremony for creation of root(s)]] [[Roots/TechScript|tech stuff]] || waiting on confirmation of root structure/content ||
 || New Root testing || anyone || [[Roots/TestNewRootCerts]] || waiting on Root Creation ||
 || Early Root Distribution || DanielBlack || linux distros || waiting on Root Creation ||
 || New Root deployment || critical team + assistance || fill in details [[Roots/RolloutProcedure|rollout procedure]] || dry run being conducted with [[Roots/Class3ResignProcedure/Migration|Class 3 Re-Sign Project]] ||
 || Blogs / Press releases etc || || as above || dry run being conducted with [[Roots/Class3ResignProcedure/Migration|Class 3 Re-Sign Project]] ||
 || Decommision Old roots || critical team || || ||

= Unresolved Issues / Documentation Task List =

These need to be addressed with written procedures:

 * Creation of an offine root escrow method at [[Roots/EscrowAndRecovery]]
   * [[Roots/CompromiseStrategy]] should be reviewed.
 * Creation of sub-roots for different CAcert functions:
  * Web of Trust (eg CAP)
  * Remote Assurance (eg RAP)
  * Organisation Assurance (eg OAP) (from which our organisations get their certs)
 * [[Roots/OrganisationSubRoots|Creation of sub-roots for assured organisations]] (from which organisations can issue certificates from their own sub-root)
 * Revocation process.
 * Future requirements may include [[Roots/HSM]].

= Questions =

 || Question || by || Answer/Opinion || by ||
 || || || || ||

== Planning ==

 1. Verify new roots are technical designed right
 1. Verify governance framework (CPS, SP, SM) are good
 1. Develop software changes
 1. Plan deployment 

= Historical =

== Timeline ==

Most recent at top.

 * [[https://community.cacert.org/board/motions.php?motion=m20100117.3|m20100117.3]]:
   . ''RESOLVED, that the existing root may not be used to sign any new sub-roots, and that the board receive reports from affected teams with a view to the issuing of a new offline root with multiple sub-roots.'' 
 * An opportunity for using [[HAR2009]] was suggested but did not work out.
 * [[Roots/20081128]] resulted in the creation of Top-level root and 2 subroots (Member & Assured).  However the follow-up phases did not complete.
 * A meeting at or around 20081002 worked through the software and shook out bugs.
 * Planning for the new roots started around mid 2008, as part of the "May Plan."
 * At Top 2007, auditor announced that the old roots had to be replaced.
= References =

 * [[Roots/Library]] lists the deeper references:  policies and old decisions:
 * [[http://www.cacert.at/cgi-bin/rngresults/|PG's CAcert Research Lab: Random Number Generator Results]]

----
 . [[Roots/StateOverview|Roots States Overview]]
 . CategoryAudit
 . CategoryNewRootsTaskForce