Team Reports 2018

Team Leaders are encouraged to present a report for their team. (alphabetic order)

17 = Text from 2017, please replace!

AffiliateProgramme – Hotel-buchen-Portal

This webshop with T-shirts, caps, mugs and more is run by secureU, a partner association from CAcert in Germany. The benefit is sent to us or used to pay bills for us.(Ru)


Since April 2018, CAcert has Amazon Affiliates links. Unfortunatley, there are different links for each different language/shop:


On the wiki, we have Google Ads on the top corner. To help CAcert, please allow your adblocker to show this ads. They are small, discrete and do not disturb you while writing or reading on the wiki.


We need more arbitrators. Case manager is a little easier as essentially administrative role. Promortion path is essentially moving through the training process in the Arb wiki. We have one active case managers, two active arbitrators and two inactive arbitrators (as both are officers); a third arbitrator turns up from time to time. Arbitration cannot handle more than two at a time as new members are meant to be mentored through the training. It's also about getting the right members - they need some legal understanding in common law to go on to full arb - but also need a degree of flexibility to make things work. If they are too dogmatic, issues occur. The priority is to find two case managers. (uk)

Another point is the ABC. Discussion startet between Arbitration and a senior member to look if there is a way out to solve the "broken" situation. Furthermore, an active DRO might be empowered to ensure that cases don't stagnate.

In september 2018 the committee from CAcert Inc, acting as DRO, confirmed, that members of the support team with an ABC are following Art. 1.3. DRP COD7 by default case managers. This reduces the lack of case managers a little. (ru)



Audit Team

Critical System Administrator Team

A note on translations (September 2018)

Pulling in new translations from the translation server to the webdb server has not been done since March 2015 (more on that below), so we just did it, triggered by a request from Etienne Ruedin, and discovered that we had to adjust the webdb firewall script first, because the (recently updated) translations server insists on offering the data over https rather than http.

In the past, when we had an active software development group, most of their patch requests would be accompanied by a request to synchronize the webdb server with the translations server, so new translations were pulled in fairly regularly. Unfortunately, there haven't been any software patch requests since August 2015, even though they are very much needed...

Note that software changes which involve changes or additions to the message strings in the user interface also require the current set of strings to be uploaded from the webdb server to the translations server. There have not been such changes since 2015, but we exercised that upload procedure (make upload) anyway, to discover that it does not work anymore. This is due to the recent updates of the translations server, so we sent a request to Jan Dittberner to assist us in fixing this, which he gracefully did right away. At least translation updates are back in service now.

As you may note from the above, we are not very optimistic about the future of CAcert. The web service has gone without application maintenance for 3 years now, and is now left to run on an oldstable Debian distro with limited security patching. As time continues, that distro will become unsupported, leaving CAcert in a non-maintainable state.

Day to day operation

Regular system administration activities resulting in site visits or software updates of one or more of the critical systems are dutifully reported on the public systemlog mailinglist with archives kept at We refer the interested reader to those resources rather than duplicating or summarizing the information here.

Future outlook

The interest in CAcert is diminishing, not only within the user base, but also with the Critical System Administrator team. Besides general market circumstances there is also a major problem emerging due to the aging of the CAcert application code.

Without a fully functioning CAcert software development team, no changes to the application code have occurred in the past three years. Thus the CAcert application (written in PHP) is locking CAcert into an old and soon obsolete version of the Debian OS. In April 2018 we did complete the upgrade of the webdb server to Debian Jessie, the "oldstable" release from Debian. As predicted in last year's report: this causes a permanent stream of PHP warning messages in the Apache logfiles, becaise the application code is using obsoleted constructs. But an upgrade to Debian Stable is not possible with the current PHP code base, due to its dependency on an obsolete mySQL database interface layer, which is not supported anymore in the PHP version bundled with Debian Stretch, the current Debian Stable.

Without the ability to upgrade the application platform to a well-maintained version of Debian, the Critical System Administrator Team will be unable to take responsibility in the near future for the safe and correct operation of CAcert's main server, the web application and database server.



CAcert had a booth at Froscon 2017 (next to secure-u) and OpenRheinRuhr 2017 (together with secure-u). On Fosdem it was not able to get a booth, but I was present with CAcert-clothing at the infodesk.

The booth at Froscon 2018 was just granted.

There is the "Paris"-group doing monthly events in France, I met Alain at Fosdem.

Currently the team is quite small, any help to increase the team is appreciated. (As)

Infrastructure is kept uptodate to the latest Mantis-software-releases. Certificate-Login for Class-1 and Class-3 was added and is working. is kept uptodate to the latest wiki-software-releases. Certificate-Login for Class-1 and Class-3 is working. was shutdown due to GDPR-issues. I'm still following the sks-mailing-list for a progress there. is kept uptodate to lhe lastes Wordpress-software-releases. Certificate-Login for Class-1 and Class-3 is working. is still an old OTRS-version on an older debian release. Tests had been made to update the system to a newer release. Plan is to update the system and establish certificate-login there, too. (As) has been replaced with a new setup with proper IRC services based on atheme-services and a modern Web IRC client. has been upgraded and fixed so that it works again properly.

A lot of work has been put into Puppet infrastructure code for the CAcert infrastructure containers and Infrastructure documentation.

Some of the infrastructure systems could need a refresh. An upgrade of the infrastructure host that would allow to use a more recent LXC version, has been delayed due to lack of time.

New Root & Escrow Project (NRE)

Organisation Assurance Team

Policy Group

Policy Group has 280 (+3) members (as of october 2018). Sixteen (+3) of them where involved in the following discussions:

Discussions January 2018:

Discussions March-April 2018:

No vote was held in this period. (Ru)


The former PR officer, together with the secretary, is active on the various communication channels as twitter, blog, mailing lists and social networks.Furthermore a small group of two took over the "CAcert for dummies" project and started writing first chapters.

We are looking especially for native speakers in english and spanish who like to help practically in terms of giving ideas, writing text, and translate text into their language for blog posts, Twitter and social media as well as articles for news and magazines. Any voluntary please talk to or write to

Software Development Team

Within the FY 2017/2018 no new patches had been installed on our WebDB-Server (

There are some changes in the queue currently to add a serial number to the CRL and to reduce the size of the CRL.

A request by support-team (TLS for outgoing ping-mails) should be ready soon.

Another mayor change is the rollout of the resigned root-key (from 2016).

A big drawback was the loss of the previous testserver-environment, which was accessible at it-sls-domain. As there was some missing communication form the former software-TL the remaining members were not aware of the backup-system. To gain access to the webdb-testserver, testmanagement and CATS-test-environment took some time, but our team now has all necessary access-rights.

Currently there is some progress to get some developers and testers to the team, maybe it's possible to teach them doing reviews (software-assessment), too.

But ... the number of Software-team-members is quite low, we're in urgent need of ABCed software-assessors. (As)

Support Team

There is a more-or-less static flow of members wanting their CAcert closed. Most members never received an assurance (and therefore never gave one). If a reason to close the account is given, it's usually a move to another CA.

In the last weeks the number of issues with Ping-Mails raised, therefore a change was requested at Software-Team to solve this issue.

Within FY 2017/2018 only a very small number of cases had been moved to dispute-queue.

Processing support-tickets is quite slow as the number of support members is quite low.

Support Team is in urgent need of new support team members.

Triage is doing it's work very well, sometimes they add a note to incoming tickets, so support team members can use this as an answer to the member. (As)

Translation / Localisation

Pulling the new translations from the translation server to the webdb server had not been done since March 2015 (more on that below), so I just did it, and discovered that I had to adjust the webdb firewall script first, because the (recently updated) translations server insists on offering the data over https rather than http. The update procedure is not selective. It will pull in the complete current translations for all available languages, each time it is performed.

In the past, when we had an active software development group, most of their patch requests would be accompanied by a request to synchronize the webdb server with the translations server, so new translations were pulled in fairly regularly. Unfortunately, there haven't been any software patch requests since August 2015. (Wy)

For translation of CATS, see #Education.

There is no translation team, but a group of translators in the time. Even most translators stopped to translate for their language, there is still some activity - a little bit more than in tha last year. While logging in the pootle server in beginning of october 2018, the last acitvity was reported as follows:

The main text (Cacert) is completely translated in the following languages: Spanish, German, French, Dutch, Czech and Italian (+1 language). Portugese (Brazil) needs 16% (-2%) to be finished.

There was activity in the following languages: Arab (7%), German (100%), Icelandic (11%), French (100%), Catalan (33%), Italian (100%), Hungrian (47%), Lingala (6%) and Danish (25%). Languages with a good start are swedish (64%) and hungarian (47%). In another 29 languages, between 1% and 37% where translated two, three, four years ago or even before. Hungarian would be a higher score, if a hungarian CAcert volunteer would move the translations done, but uploaded into another language (LN) to Hungarian.

Of course, translate everything is an enormous work, but following the indications at Translations/WhatFirst, it is a good thing to be involved in the community for people with no programming skills and not having the possibility to work with others, as they are alone in their region or due for some reasons, they can only do some work on irregular base. If CAcert will have a future, it needs to be localised, as "normal people" prefers access in their own language.

For more details, please check the synoptic overview in the middle od the page at Brain/Study/Translations. It is from 2014, but since there were not significant changes. (Ru)

Finance Team

No progess in accessing Westpac-Account in FY 2017/2018. (As)