CAcert needs your help with the following tasks. You can register yourself on this wiki page when you want to work on it.

Priority Tasks:

Other Tasks:

Robust SSH library

A robust library that provides full SSH capabilities (SSH-Tunnels, ...) that can be used in other applications, and the necessary wrappers for common languages like PHP, Perl, ...

ELF Signing and ELF-Loader-Signature Verifying

We would like to have X.509 and/or OpenPGP based ELF signing tools and improved ELF-Loaders that can enforce signature verification on load. There are several projects that are working on it, but none seems to be complete yet: http://wiki.cacert.org/wiki/CodesigningCert#head-6bbdb82bb3228b4a676f589f48b9c0e1d1fefff2

Maintenance for Havege

Havege should be maintained, improved, packaged and if possible included into mainstream kernels: http://www.irisa.fr/caps/projects/hipsor/

Secure Compression

We are searching for a compression system (library, ...) which does not contain any checksums, avoids any recognizable structures in the compressed file as far as possible, and where every file is a valid compressed file that can be decompressed correctly. The compression factor should be similar or better than ZIP, but must not be better than ~ 1:100, even with extremely low entropy files.

Firefox Extension for HashServer

We would like to have a Firefox Extension that extracts the public key from each certificate Firefox processes, calculates the SHA-1 sum of it, and looks it up in a blacklist that is regularly updated from http://hashserver.cacert.org/. In case a compromised key is found, the user is alerted.

Translatable Wiki

Please read http://svn.cacert.org/CAcert/HowTo/HowTo_Translingo.pdf and try it out on www.Translingo.org. We are searching for a Wiki engine that is able to either use Translingo to translate the contents on the wiki, or to do a similar translation system internally. Please search for Wikis with translation functionality, test them, and provide a report about it.

Subversion Mimetypes

Find a solution to automatically set the mimetypes of newly added files (.pdf -> application/pdf , ...) on the subversion server. The problem we have is that we have too many different users with too many different clients, so it's impossible for us to tell every user to configure their client correctly to send the mimetypes correctly in the first place. Most clients automatically send application/octet-stream as mimetype, which makes the Apache-modsvn access difficult for the users.

LUKS Security

Find a solution to tell LUKS/DM-Crypt in case of emergency to wipe all the keys in memory, block disk access, and ask for the passwords on the console again. Perhaps a /proc file interface like /proc/sys/dmcrypt/emergency would be helpful.

LUKS Robustness

Currently LUKS usually uses hardcoded device names, which causes a problem when race conditions result in randomly different device names upon booting (/dev/sda <-> /dev/sdi). In those cases LUKS doesn't find the encrypted hard disk anymore and can't boot. Find a solution so that LUKS no longer depends on the hardcoded values (perhaps still use them as the default for the first try, but if the encrypted partition isn't found there, fall back to searching for it on all other available devices). The solution should then be incorporated into Debian and Ubuntu (which are both affected by that problem).

Doesn't help Debian/Ubuntu(?) but I've got this on mine (Daniel) - probably a recent udev version

/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part3                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part3                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part2                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part2                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part1                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part1                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0-part4                                              
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0-part4                                        
/dev/disk/by-id/ata-ST3250620AS_6QE0M5E0                                                    
/dev/disk/by-id/scsi-SATA_ST3250620AS_6QE0M5E0        
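
For the LUKS Robustness task above, one way to do the fallback search is to match on the UUID stored in the LUKS header instead of on the device name. This is an added example, not CAcert or cryptsetup code; the function names luks_uuid, find_luks and make_fake_header and the sample UUIDs are made up for the illustration, and the sample files are constructed stand-ins for block devices.

```sh
#!/bin/sh
# LUKS1 and LUKS2 headers both begin with the magic "LUKS\xba\xbe" and keep
# the volume UUID as a NUL-padded 40-byte string at byte offset 168.

# luks_uuid DEV: print DEV's header UUID; fail if DEV has no LUKS header.
luks_uuid() {
    [ -r "$1" ] || return 1
    magic=$(dd if="$1" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "4c554b53babe" ] || return 1
    dd if="$1" bs=1 skip=168 count=40 2>/dev/null | tr -d '\000'
}

# find_luks UUID DEFAULT [CANDIDATE...]: print the first device whose header
# UUID matches. DEFAULT (the configured name) is tried first; the other
# candidates are scanned only if it is missing or holds a different volume.
find_luks() {
    want=$1; shift
    [ -n "$want" ] || return 1          # an empty UUID would match anything
    for dev in "$@"; do
        [ -e "$dev" ] || continue
        if [ "$(luks_uuid "$dev")" = "$want" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# make_fake_header FILE UUID: constructed sample input. Writes only magic,
# version and UUID field (208 bytes); this is not a usable LUKS volume.
make_fake_header() {
    {
        printf 'LUKS\272\276\000\001'               # magic + version 1
        dd if=/dev/zero bs=1 count=160 2>/dev/null  # pad to offset 168
        printf '%s' "$2"                            # 36-character UUID
        dd if=/dev/zero bs=1 count=4 2>/dev/null    # NUL-pad field to 40
    } > "$1"
}

# Demo: files stand in for /dev/sda3 (configured name, now a different disk)
# and /dev/sdi3 (where the encrypted partition ended up on this boot).
d=$(mktemp -d)
make_fake_header "$d/sda3" 11111111-1111-4111-8111-111111111111
make_fake_header "$d/sdi3" 22222222-2222-4222-8222-222222222222
find_luks 22222222-2222-4222-8222-222222222222 "$d/sda3" "$d"/sd*
rm -rf "$d"
```

On a real system the candidates would be block devices such as /dev/sd?[0-9]*, and reading their headers requires root.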

New Blog Software

A task for our new sysadmins: We are thinking about migrating blog.cacert.org to Mephisto: http://mephisto.stikipad.com/ Please set up a Wordpress installation, create a few users, and post a few blog entries. Then try a migration to Mephisto, and see how it behaves. Create a Debian package for Mephisto in case there is none yet.

Desirable Requirement: X509 authentication

Testsystem Image

We currently have a single testsystem on the internet: https://www.test1.cacert.at/ The source code of the website is available on http://www.cacert.org/src-lic.php but it's very hard to set up as a working environment. We would like to have a VirtualBox/Qemu/VMWare image which includes a whole testsystem, so that every developer can easily set up a testsystem on his own machine, and so that the developers don't interfere with each other.

Can we please document the version control and processes used to deploy new versions? I think a system image that had the ability to svn pull the latest updates would be good so our developers aren't constantly needing to pull a new image.

Secure VPN

We are searching for a vendor that is able to deliver a secured Point-to-Point VPN solution that is designed for high-security environments. We are interested in 2-4 VPN boxes, with the following requirements: Strong casing, hardened TCP/IP stack, double encryption, no web-frontend, no IPSEC, independent security reviews (sourcecode availability preferred). Layer 2 bridging availability would be great. Must not allow internet access for any of the 2 networks that are connected through the VPN. It would be preferred to have the VPN in a Network-HSM style casing. A potential product: http://www.flexsecure.de/ojava/tunnelbox.html

Evaluate Sympa / Maillist requirements

Sympa promises to provide a searchable archive, X509 capabilities, better ACLs, a better interface, and much more. Please evaluate those features, and a migration from Mailman to Sympa for the CAcert infrastructure.

At the moment we are providing the standard mailman archive, but since we don't want to make it fully publicly accessible (spidering, spamming, ...), it's currently login protected for members of the mailinglists, and Google and other search engines can't index it and make it searchable. The standard archive interface of Mailman doesn't provide searching, so finding a solution for giving our users a search-interface to the mailinglist archive would be the idea.

Bugs.cacert.org

All public CAcert services should support X509 authentication / registration either directly or via OpenID or similar technologies.

community.cacert.org

All internal CAcert services like pop3s/imaps and SMTP should support X509 authentication rather than depending on another username/password. Documented SystemAdministration/Systems/Community. Need to move the comments there.

The webmail https:// should use X509 authentication (though webmail relies on imap for authentication so it could be interesting) (done - in latest stages of testing and waiting for next roundcube release - see SystemAdministration/Systems/Community).

wiki.cacert.org

All public CAcert services should support X509 authentication / registration either directly or via OpenID or similar technologies.

Full Disk Encryption for OpenBSD

We could use a full disk encryption system for OpenBSD, preferably integrated into the installation process the way the Debian/Ubuntu Installer does it.

Database optimisation

Investigate how we can tune our database and the database queries.

Unicode

CAcert wants to migrate to Unicode. Please join http://wiki.cacert.org/wiki/UnicodeTaskForce if you are experienced with Unicode.

IPv6

CAcert wants to offer its services on both IPv4 and IPv6.

CAcert Feature Requests and Bugs

Developers, please also check http://bugs.cacert.org/ for outstanding requests that are still missing patches, and develop patches for the open requests. Source code is available from http://www.cacert.org/src-lic.php