CAcert Elephant problem - the known problems, enlarged version; with Jan's opinions, my notes, and one possible solution for (1). --------------------------------------------------------------------------------------------------------------------------------- 1. Every community member should be able to enter a bug report to bugs.cacert.org as a contributor. Jan: "Write access to bugs.cacert.org is limited due to excessive SPAM. We still get some obvious spammer registrations every week. How could we identify legitimate users and who could approve them?" My suggestion: A contributor will be every member of CAcert community identifying him/herself as sch with a valid client certificate issued by CAcert. Jan's opinion: "Client certificate authentication or OpenID Connect might work. For both Mantis would need some kind of automatic sign-up and permission setup that will be restricted to oneof these mechanisms. ... I think some PHP developer has to spend time to implement this." 2. It should be possible to give write access to Wiki for some members, e.g. the Board members. Jan: "Wiki access is still regulated by (as far as I know) inactive community members. An attempt from my side to get this unblocked a while ago has failed. We have no tooling to unlock this situation. The almost unsupported code base of moinmoin doesn't help with this and a migration to any other solution would require a massive effort." 3. Inform the Community about mews in time; where applicable, add deadlines. Jan: "Who? Where should probable deadlines come from?" I would restrict it to the cases when a deadline is known. 4. Inform the Community permanently about the Essentials at least by links from www.cacert.org homepage to the Wiki. Jan: "As it is now this will require changes by the software team + approval by QA + rollout by critical. No easy task due to lack of manpower." 5. Blog entry from 20231004 does not contain an info about OCSP, should be also "reduced service" as, reportedly, the Signer stopped to make CRLs. In fact, if so, then no certificate issued by CAcert is trustworthy, as there is no fresh info about revoking. Jan: "Who?" I guess it should be the person who wroted the blog. 6. A HW problem: a server(s) does not have a proper SSDs. Jan: "That is a hard issue for infra02, infra03 and the webdb1 machines. The hardware needs budget, purchase and visit(s) to the data center. For infra I propose to replace both of the aging machines with a new machine (see team report for the AGM)." 7. A SW problem: the queue for certificates to be signing with Class 1 Root stucks. Jan: "That is a combination of a software problem (probably) and a hardware failure on webdb1 that Dirk could not fix during his last visit. Having no Internet access during the recent weeks didn't make things easier. Currently we cannot issue any certificates." 8. A problem to change CPS: First intension probably is to eliminate issuing by Class 1 Root. Second, to do better (more up-to-date) certs contents (possibly both Class 3 Root, and users' ones. Jan: "Progress on that front has been started in Nextcloud last year. I proposed a new structure for our certificate chains. It will require a lot of work on the software team (that is effectively non-existant for the last few years), approvals and QA/testing and a rollout plan + communication. Kim started the communication to rewrite the CPS and we have a Git repository for the work now, but the software part still needs people to implement any proposed change." I have tried to find some problematic parts of the CPS, I sent it to Kim. 9. The problem in a SW procedure makes it impossible to delete accounts of such users, who have at least one certificate issued. The reason is probably found, no repair is done. 10. An improper initialization of some fields makes it impossible to create an account, if anyone's Email address was already used in a previous (unsuccessful) try. That should be corrected before CAcert's restart.