Background
CAcert uses roots as described at Structure of Roots and many other places. Because the existing roots have been deemed to be Audit Fail here, we have to create new ones.
Work List
This then means we need these things:
- technical organisation of roots:
  - Roots/Structure describes the hierarchy and relationship between the roots
  - Roots/Contents describes the internal fields in each root
- ceremony for creation of root(s)
  - Roots/CreationCeremony is open as a place to develop this need
  - Roots/TechScript is where the geeky arcana can be collected
- storage securely on signing server
- escrow root securely for disaster recovery
  - Roots/EscrowAndRecovery is open for jotting notes...
- finally, when all is good, start the rollout procedure
  - Roots/RolloutProcedure is open for jotting notes...
Note that as we decide on the way to do this, the process should be transferred to the wip CPS and the wip Security Manual. These pages are the works-in-progress of the New Roots Task Force.
Proposals
- Creation of an offline root to be stored securely (eg board controlled safety deposit box)
- Creation of sub-roots for different CAcert functions:
  - Web of Trust (eg CAP)
  - Remote Assurance (eg RAP)
  - Organisation Assurance (eg OAP)
- Creation of sub-roots for assured organisations (from which they can issue certificates)
Root cert chain testing
Please have a look at Roots/TestNewRootCerts to help test the new model of root certificates.
Teams
The following teams:

| Team | Responsibility | Member | Role |
| --- | --- | --- | --- |
| Root Key Task Force | software configuration and scripting | Guillaume Rogmany | in charge |
| | | Teus Hagen | |
| Security Evaluation | | Philipp Gühring | remote |
| Critical Systems | system admin | Wytze van der Raay | in charge |
| | | Mendel Mobach | assists |
| Oophaga | servers and physical security | Rudi Engelbertink | in charge |
| | | Rudi van Drunen | |
| | | Hans Verbeek | |
| Auditor | | Ian Grigg | in charge |
| Press & PR | press contacts and news | Maurice Kellenaers | in charge |
| | | Henrik Heigl | |
Planning
The Root Key Task Force is a CAcert sub-committee installed by board motion m20081008.1 (see Board decision list 2008). The Task Force has the following members: Guillaume Rogmany, Teus Hagen, the auditor (Ian Grigg) and an advisor (Philipp Gühring).
Date and Location
The Root Key Generation (one Root Key and 2 Sub-Root Keys) has been scheduled for the 27th and 28th of November in Holland.
| day | tasks | location | people |
| --- | --- | --- | --- |
| Wed 26 Nov | travel | to Venlo | Root Key Task Force |
| Thu 27 Nov | travel | to Venlo | Auditor |
| afternoon | script testing | Grubbenvorst | Task Force, Auditor, Sec Evaluation |
| Fri 28 Nov | 9 am, Key generation | Echteld | Task Force, Auditor, Crit-team |
| afternoon | 3 pm, Key installation, back ups | Ede | Crit-team, Auditor, Oophaga |
| Sat 29 Nov | 10 am, back ups | Echteld, Tiel | Crit-team, Oophaga |
| afternoon | travel | to Paris | Guillaume |
| Sun-Tue 2 Dec | audit project, policies | Grubbenvorst | Auditor, Teus |
| afternoon | travel | to Vienna | auditor |
Budgets
| expense type | description | budget | allocated | Euro |
| --- | --- | --- | --- | --- |
| accommodation | 2 persons * 3 nights * 125 | 750 | 250 | 0.00 |
| travel | train / car | 650 | 315 | 463.10 |
| party | 5 persons | 400 | | 182.50 |
| unforeseen | | 300 | disks 147.50 | 10.00 |
| total | | 1100 | | 655.60 |
Travel costs of the auditor are not included in this table. The costs of the disks went to the Oophaga Foundation.
Night accommodation
Grubbenvorst: Guillaume and Ian at Teus's home address.
Work location
Thursday 27th of November 2008: Grubbenvorst (Teus's home): Guillaume and Teus.
Friday 28th of November 2008: at Mobach Systems in Echteld. 10 am - 1 pm preparations and last tuning (Guillaume/Teus), 1 pm key generation ceremony (Guillaume/Teus/auditor). 10 am - 3 pm preparations of the critical system backups by Wytze and Mendel.
Friday afternoon, 3.30 pm: installation of the two sub-root keys (Community Members and Assured Community Members) at BIT in Ede (see webcam BIT). The critical system admin team will also install the backups on Friday and recover the backups on Saturday 29th of November 2008. Backups are on encrypted file systems. Passwords to the encrypted file system backups are kept separate from the physical Oophaga storage devices.
Friday night: physical destruction of the unencrypted keys: at 10 pm the USB stick with the keys was physically destroyed (Guillaume/Teus/Ian). Pictures of the action are available.
Key Generation Report
Preparations
Preparations consisted of the required installation and tooling scripts (install.sh script), the key generation script (ceremony.sh script), the key copy script (CopyKey.sh) and a clean/new installation of Linux Ubuntu 8.10 on a 10 year old Pentium II Dell Compaq Deskpro PC with a 10 year old WD disk and a 12 year old Creative Labs PCI audio card. The hardware was selected on the basis of old hardware just sufficient to provide a workable environment. The major work was the search for a hardware combination that provided a random number generator with a high entropy profile, based on randomsound, /dev/random and openssl. For entropy measurement three tools were used and compared (and added) to the sig.cacert.at random generators overview table.
For key generation a fresh, locally compiled OpenSSL (latest release) was used. Java scripts have been used to support the signing of the (sub-)root keys; the latest Java scripts were downloaded from the SUN Java distribution. See the install.sh script for this.
Key Generation Ceremony
Keys are generated only from and to USB sticks. Swap has been turned off. Network connectivity has been disabled from this point up to the deletion and cleaning of the PC and disks.
Key generation has been done with the ceremony.sh script, supported by Java tooling for key signing. The process has been fully under the four-eyes principle (Guillaume, Teus, the critical systems admin team and the auditor). Passwords have never been visible to anyone present at the ceremony and have been copied to separate USB sticks.
In total the following have been made:
- 2 (mirrored) USB sticks with the encrypted Root Key and the labelled self-signed Root certificate, plus 4 encrypted Sub-Root keys with their labelled certificates signed by the Root Key. These two USB sticks go together into escrow.
- 2 (mirrored) USB sticks with the passwords of the 5 encrypted keys.
- 1 USB stick with the 4 encrypted Sub-Root keys and the labelled self-signed Sub-Root key certificates (a copy of the escrow Sub-Root keys). This USB stick is provided to one critical system administrator.
- 1 USB stick with the passwords of the encrypted Sub-Root keys. This USB stick is provided to the other system administrator.
- 1 USB stick with the public and signed keys, the script log files and the certificate signing test result files. This stick has been provided to the critical system administrators, and a copy of the stick to the auditor.
The USB stick used for key generation (source of the keys) has been physically destroyed on Friday 28th of November by Teus/Guillaume under the eyes of the auditor.
The audio card and the CD-ROM drive used have been removed from the PC used at the ceremony, as has the disk drive after shredding (35 passes with the program shred). Reasoning: the combination of the hardware might influence the random generation and so the random numbers used in the key generation process. The keys used in the generation procedure have only ever resided in RAM memory and on USB sticks.
(Sub) Root Key installation
Two (out of four) Sub-Root Key files have been installed on the signing server at 3:30 pm on Friday 28th of November by the critical systems administrators (Wytze/Mendel) from their USB sticks. The communication protocol has been updated to support the two newly installed Sub-Root keys. Entrance to the rack with the signing server has been provided by Oophaga (Rudi Engelbertink).
TO DO
Before signing with the two new Sub-Root keys is activated, the new keys will be tested by Philipp Gühring and others. The signed certificates will be tested for acceptance by different browsers (Mozilla, Internet Explorer, Opera, Safari, etc.) and key managers.
When the policies for key signing (CPS) have been accepted, the new Sub-Root keys can be used for signing.
Only the Sub-Root keys generated at this Key Generation event will then be used for the audit completion and, if the audit is successful, will be submitted for CA Root Key inclusion.
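The root / sub-root / member hierarchy produced by the ceremony, together with the chain test from the Root cert chain testing section and the browser-acceptance testing above, as an added Go example (not CAcert's ceremony.sh or any of the project's scripts): it builds a self-signed root, a sub-root signed by it and a member certificate signed by the sub-root, then verifies the member certificate with and without the sub-root supplied as an intermediate. The common names, serial numbers and P-256 keys are assumptions made for this example; the ceremony's actual key parameters are not given on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template: pathLen 1 is a root that may sign sub-roots, 0 a sub-root limited to end-entity certs, -1 an end-entity cert.
func template(cn string, serial int64, pathLen int, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: usage,
		IsCA: pathLen >= 0, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0}
}

// mustSign issues tmpl under parent using the parent's private key (example code: panics on error).
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was produced by CreateCertificate just above
	return cert
}

// BuildHierarchy makes fresh P-256 keys (assumed stand-ins for the ceremony's keys, held in RAM only) and issues root -> sub-root -> member cert.
func BuildHierarchy() (root, sub, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := template("Example Root", 1, 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign)
	root = mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed: the parent is itself
	sub = mustSign(template("Example Sub-Root", 2, 0, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root, &subKey.PublicKey, rootKey)
	return root, sub, mustSign(template("member", 3, -1, x509.KeyUsageDigitalSignature), sub, &leafKey.PublicKey, subKey)
}

// VerifyChain is the chain test: the member cert must validate up to the root; a relying party not handed the sub-root as an intermediate cannot complete the chain.
func VerifyChain(root, sub, leaf *x509.Certificate, withSubRoot bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	if withSubRoot {
		opts.Intermediates.AddCert(sub)
	}
	_, err := leaf.Verify(opts)
	return err
}
```

The failing case mirrors what a browser does when the server or mail client presents only the member certificate: without the sub-root in its store or in the presented chain it reports an unknown authority, which is why the sub-roots must be distributed alongside the root before rollout.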