Background

CAcert uses roots as described at Structure of Roots and many other places. Because the existing roots have been deemed to be Audit Fail here, we have to create new ones.

Work List

This then means we need these things:

  1. technical organisation of roots
  2. ceremony for creation of root(s)
  3. storage securely on signing server
  4. escrow root securely for disaster recovery
  5. finally, when all is good, start the rollout procedure

Note that as we decide on the way to do this, the process should be transferred to the wip CPS and the wip Security Manual. These pages are the works-in-progress of the New Roots Task Force.

Proposals

Root cert chain testing

Please have a look at Roots/TestNewRootCerts to help test the new model of root certificates.

Teams

The following teams are involved:

team                 | responsibility                       | member             | note
Root Key Task Force  | software configuration and scripting | Guillaume Rogmany  | in charge
                     |                                      | Teus Hagen         |
Security Evaluation  |                                      | Philipp Gühring    | remote
Critical Systems     | system admin                         | Wytze van der Raay | in charge
                     |                                      | Mendel Mobach      | assists
Oophaga              | servers and physical security        | Rudi Engelbertink  | in charge
                     |                                      | Rudi van Drunen    |
                     |                                      | Hans Verbeek       |
Auditor              |                                      | Ian Grigg          | in charge
Press & PR           | press contacts and news              | Maurice Kellenaers | in charge
                     |                                      | Henrik Heigl       |

Planning

The Root Key Task Force is a CAcert sub-committee installed by board motion m20081008.1 (see Board decision list 2008). The Task Force has the following members: Guillaume Rogmany, Teus Hagen, the auditor (Ian Grigg) and an advisor (Philipp Gühring).

Date and Location

The Root Key Generation (one Root Key and 2 Sub-Root Keys) has been scheduled for the 27th and 28th of November in Holland.

day           | tasks                            | location      | people
Wed 26 Nov    | travel                           | to Venlo      | Root Key Task Force
Thu 27 Nov    | travel                           | to Venlo      | Auditor
  afternoon   | script testing                   | Grubbenvorst  | Task Force, Auditor, Sec Evaluation
Fri 28 Nov    | 9 am, Key generation             | Echteld       | Task Force, Auditor, Crit-team
  afternoon   | 3 pm, Key installation, back ups | Ede           | Crit-team, Auditor, Oophaga
Sat 29 Nov    | 10 am, back ups                  | Echteld, Tiel | Crit-team, Oophaga
  afternoon   | travel                           | to Paris      | Guillaume
Sun-Tue 2 Dec | audit project, policies          | Grubbenvorst  | Auditor, Teus
  afternoon   | travel                           | to Vienna     | auditor

Budgets

expense type  | description               | budget | allocated    | Euro
accommodation | 2 persons * 3 night * 125 | 750    | 250          | 0.00
travel        | train / car               | 650    | 315          | 463.10
party         | 5 persons                 | 400    |              | 182.50
unforeseen    |                           | 300    | disks 147.50 | 10.00
total         |                           | 1100   |              | 655.60

Travel costs of the auditor are not included in this table. The costs of the disks went to the Oophaga Foundation.

night accommodation

Grubbenvorst: Guillaume and Ian at Teus's home address.

work location

Thursday 27th of November 2008: Grubbenvorst (Teus's home): Guillaume and Teus.

Friday 28th of November 2008: at Mobach Systems in Echteld. 10 am - 1 pm preparations and last tuning (Guillaume/Teus), 1 pm key generation ceremony (Guillaume/Teus/auditor). 10 am - 3 pm preparations of the critical system backups by Wytze and Mendel.

Friday afternoon, 3.30 pm: installation of the two sub-root keys (Community Members and Assured Community Members) at BIT in Ede (see webcam BIT). The critical system admin team will also install the backups on Friday and recover the backups on Saturday 29th of November 2008. Backups are on encrypted file systems. Passwords to the encrypted file system backups are kept separate from the physical Oophaga storage devices.

Friday night: physical destruction of the unencrypted keys: at 10 pm the USB stick with the keys has been physically destroyed (Guillaume/Teus/Ian). Pictures of the action are available.

Key Generation Report

preparations

The preparations consisted of installing the required installation and tooling scripts (install.sh), the key generation script (ceremony.sh) and the key copy script (CopyKey.sh), and a clean, new installation of Linux Ubuntu 8.10 on a 10 year old Pentium II Dell Compaq Deskpro PC with a 10 year old WD disk and a 12 year old Creative Labs PCI audio card. The hardware was selected on the basis of old hardware just sufficient to provide a workable environment. The major work was the search for a hardware combination that provided a random number generator with a high entropy profile, based on randomsound, /dev/random and openssl. For entropy measurement three tools were used and compared, and the results were added to the sig.cacert.at random generators overview table.
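The entropy comparison described above can be reproduced with a check of the kind the usual randomness test tools perform. The script below is an added example written for this page; it is not one of the report's own scripts (install.sh, ceremony.sh, CopyKey.sh) nor the sig.cacert.at tooling. It estimates the Shannon entropy in bits per byte of a sample read from a file, so that captures from /dev/random, randomsound or openssl rand on different hardware can be compared on one scale. The three sample files it builds (a stuck source, a skewed source and a flat one) are constructed for the demo and stand in for real captures.

```shell
#!/bin/sh
# Added example for this page, not CAcert's install.sh or ceremony.sh.
# Estimates how much entropy a candidate random source delivers per byte, the
# kind of figure used to compare /dev/random, randomsound and "openssl rand"
# output from different hardware before a key ceremony.
set -eu

# byte_entropy FILE: Shannon entropy of the bytes in FILE, in bits per byte.
# 8.0000 means all 256 byte values are equally frequent; 0.0000 means a single
# value repeats (a stuck source). This is a frequency estimate only: a counter
# fed through a cipher would also score 8.0, so it rejects bad sources rather
# than proving good ones.
byte_entropy() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { n++; count[$i]++ } }
        END {
            h = 0
            for (b in count) { p = count[b] / n; h -= p * log(p) / log(2) }
            printf "%.4f\n", h
        }'
}

# distinct_bytes FILE: how many of the 256 possible byte values occur at all.
# A healthy source shows all 256 within a few kilobytes.
distinct_bytes() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) seen[$i] = 1 }
        END { n = 0; for (b in seen) n++; print n }'
}

# make_samples DIR: constructed inputs for the demo, standing in for captures
# from real sources (for example "head -c 65536 /dev/random > sample.bin").
make_samples() {
    # stuck source: 4096 identical bytes
    head -c 4096 /dev/zero > "$1/stuck.bin"
    # skewed source: two values in a 3:1 ratio
    i=0
    while [ "$i" -lt 1024 ]; do printf 'AAAB'; i=$((i + 1)); done > "$1/skewed.bin"
    # flat source: every byte value 0..255 exactly once (the NUL via /dev/zero,
    # the rest as octal escapes so no locale re-encodes them)
    {
        head -c 1 /dev/zero
        i=1
        while [ "$i" -lt 256 ]; do printf "\\$(printf '%03o' "$i")"; i=$((i + 1)); done
    } > "$1/flat.bin"
}

# Stand-alone demo over the constructed samples.
demo=$(mktemp -d)
make_samples "$demo"
for s in stuck skewed flat; do
    printf '%-7s %s bits/byte, %s distinct byte values\n' "$s" \
        "$(byte_entropy "$demo/$s.bin")" "$(distinct_bytes "$demo/$s.bin")"
done
rm -rf "$demo"
```

To score a real source, capture a few tens of kilobytes into a file and pass it to byte_entropy and distinct_bytes; values well below 8 bits per byte or far fewer than 256 distinct values mean the source is not usable as-is. A high score is necessary, not sufficient, which is why the report compared several tools rather than relying on one figure.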

For the key generation a fresh, locally compiled OpenSSL (latest release) was used. Java scripts have been used to support the signing of the (sub) root keys; the latest Java scripts were downloaded from the Sun Java distribution. See the install.sh script for details.

Key Generation Ceremony

Keys are generated only from and to USB sticks. Swap has been switched off. Network connectivity has been cut from this point until the deletion and cleaning of the PC and disks.

Key generation has been done with the ceremony.sh script, supported by Java tooling for key signing. The whole process has been carried out under the four-eyes principle (Guillaume, Teus, the critical systems admin team and the auditor). Passwords have never been visible to anyone present at the ceremony and have been copied to separate USB sticks.

In total the following have been made:

  1. 2 (mirrored) USB sticks with the encrypted Root Key and its labeled self-signed Root certificate, plus the 4 encrypted Sub-Root keys and their labeled certificates signed by the Root Key. These two USB sticks go together into escrow.
  2. 2 (mirrored) USB sticks with the passwords of the 5 encrypted keys.
  3. 1 USB stick with the 4 encrypted Sub-Root Keys and their labeled self-signed Sub-Root key certificates (a copy of the escrow Sub-Root keys). This USB stick is provided to one critical system administrator.
  4. 1 USB stick with the passwords of the encrypted Sub-Root keys. This USB stick is provided to the other critical system administrator.
  5. 1 USB stick with the public and signed keys, the script log files and the certificate signing test result files. This stick has been provided to the critical system administrators, and a copy of the stick to the auditor.
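The artefacts listed above (an encrypted root key with its self-signed certificate, encrypted sub-root keys with certificates signed by the root, and passphrases kept apart from the keys) can be produced with plain OpenSSL commands. The script below is an added example written for this page and is not CAcert's ceremony.sh; the key sizes, validity periods, subject names, extension profiles and the escrow/passwords/public directories standing in for the separate USB sticks are its own assumptions. It generalises the report's one root plus four sub-roots to any number of sub-roots and verifies each sub-root certificate against the root before it finishes.

```shell
#!/bin/sh
# Added example for this page, not CAcert's ceremony.sh. Generates one root key
# and N sub-root keys with OpenSSL in the layout the report describes: encrypted
# private keys in "escrow", their passphrases in "passwords", public
# certificates in "public" (three directories standing in for the separate USB
# sticks). Key sizes, validity periods, subject names and extensions are this
# example's assumptions, not CAcert's.
set -eu

# write_openssl_config FILE: request settings plus the root and sub-root
# extension profiles; the sub-root gets pathlen:0 so it can only sign
# end-entity certificates, not further CAs.
write_openssl_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# new_encrypted_key KEYFILE PASSFILE: generate the passphrase straight into
# PASSFILE (it is never displayed) and an AES-256 encrypted RSA key under it.
new_encrypted_key() {
    openssl rand -base64 24 > "$2"
    openssl genrsa -aes256 -passout "file:$2" -out "$1" 2048 2>/dev/null
}

# run_ceremony WORKDIR NSUB: root key, self-signed root certificate, NSUB
# sub-root keys with certificates signed by the root, each chain verified.
run_ceremony() {
    work=$1; nsub=$2
    escrow=$work/escrow; pass=$work/passwords; pub=$work/public
    umask 077
    mkdir -p "$escrow" "$pass" "$pub"
    cnf=$work/openssl.cnf
    write_openssl_config "$cnf"

    new_encrypted_key "$escrow/root.key" "$pass/root.pass"
    openssl req -new -x509 -config "$cnf" -extensions v3_root \
        -key "$escrow/root.key" -passin "file:$pass/root.pass" \
        -subj "/CN=Example Root CA" -days 3650 -out "$pub/root.crt"

    i=1
    while [ "$i" -le "$nsub" ]; do
        new_encrypted_key "$escrow/sub$i.key" "$pass/sub$i.pass"
        openssl req -new -config "$cnf" -key "$escrow/sub$i.key" \
            -passin "file:$pass/sub$i.pass" -subj "/CN=Example Sub-Root CA $i" \
            -out "$work/sub$i.csr"
        openssl x509 -req -in "$work/sub$i.csr" -CA "$pub/root.crt" \
            -CAkey "$escrow/root.key" -passin "file:$pass/root.pass" \
            -CAcreateserial -days 1825 -extfile "$cnf" -extensions v3_sub \
            -out "$pub/sub$i.crt" 2>/dev/null
        rm -f "$work/sub$i.csr"
        # Every sub-root must chain to the root before anything leaves the room.
        openssl verify -CAfile "$pub/root.crt" "$pub/sub$i.crt"
        i=$((i + 1))
    done
}

# Stand-alone demo: one root and four sub-roots, as in the report.
demo=$(mktemp -d)
run_ceremony "$demo" 4
ls -R "$demo"
rm -rf "$demo"
```

The point of the layout is that no single directory (stick) is enough to use a key: escrow holds only ciphertext, passwords holds only passphrases, and public holds nothing secret. In a real ceremony the working copies would then be copied to their sticks and the working medium wiped, as the report describes for its USB stick and disk.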

The USB stick used for key generation (the source of the keys) has been physically destroyed on Friday 28th of November by Teus/Guillaume under the eyes of the auditor.

The PC used at the ceremony has been stripped of the audio card and the CD-ROM drive that were used, and of the disk drive after shredding it (35 passes with the program shred). Reasoning: the combination of hardware might influence the random generation and thus the random numbers used in the key generation process. The keys used in the generation procedure have only ever resided in RAM and on USB sticks.

(Sub) Root Key installation

Two (out of four) Sub-Root Key files have been installed on the signing server at 3:30 pm on Friday 28th of November by the critical systems administrators (Wytze/Mendel) from their USB sticks. The communication protocol has been updated to support the two newly installed Sub-Root keys. Access to the rack with the signing server has been provided by Oophaga (Rudi Engelbertink).

TO DO

Before the signing with the two new Sub-Root keys is activated, the new keys will be tested by Philipp Gühring and others. The signed certificates will be tested for acceptance by different browsers (Mozilla, Internet Explorer, Opera, Safari, etc.) and key managers.

When the policies for the key signing (CPS) have been accepted, the new Sub-Root keys can be put into use for signing.

Only the Sub-Root keys generated at this Key Generation event will then be used for the audit completion and, if the audit is successful, will be put forward for CA Root Key inclusion.