This page is a list of tasks that relate to enhancements to CAcert's current infrastructure.
Testsystem Image
We currently have a single testsystem on the internet: https://www.test1.cacert.at/ The sourcecode of the website is available on http://www.cacert.org/src-lic.php but it's very hard to setup into a working environment. We would like to have a VirtualBox/Qemu/VMWare image which includes a whole testsystem, so that every developer can easily setup a testsystem on his own machine, and that the developers don't interfere with each other.
Customer Representatives
- Working on it:
Requirements
Requirement ID |
Description |
proposer |
A small proposal exists discussion on cacert-devel list https://lists.cacert.org/wws/arc/cacert-devel/2009-03/msg00019.html.
Fuzzers for OpenPGP and X.509
We could need fuzzers and/or collections of OpenPGP keys (to be signed), CSRs and X.509 certs, to automatically test our test-system against them.
Contact for this task: philipp@cacert.org
- Working on it:
Bugs.cacert.org
Requirements
All public CAcert services should support X509 authentication / registration either directly or via OpenID or similar technologies.
Contact for this task: daniel@cacert.org
- Working on it: none
- Comments:
- Rely on mod_ssl to set variables like SSL_CLIENT_S_DN which can be compared to user email in mantis. User signup form should drop email field and pick it up from here instead, so users can sign up automatically using certs too. Should be trivial code changes. (samj)
- Needed Code-changes should go into the official packages
Ok so it seems the path of least resistance for us wrt solving many of the interoperability problems and 'eating our own dogfood' is to use gnutls with apache (rather than mod_ssl) and hack cacert.org, mediawiki, wordpress, etc. to consult the SSL_CLIENT_S_AN% variable(s) for any prefixed with "RFC822NAME:" (or perhaps for simplicity just use SSL_CLIENT_S_AN0): http://www.outoforder.cc/projects/apache/mod_gnutls/docs/#environment-variables (samj)
mod_ssl seems to have variables too http://httpd.apache.org/docs/2.0/mod/mod_ssl.html. http://trac.roundcube.net/ticket/1485224 contains a implementation for another service. I guess here we would just say "you've presented this certificate - complete registration with xxx email address?"
- Actually once the cert is presented you can force them through registration without bothering them with probes etc. This is one of the big advantages of certificates (and OpenID). On the other hand people should still be able to /view/ the bugs without having to jump through hoops.
Unicode
CAcert wants to migrate to Unicode. Please join UnicodeTaskForce if you are experienced with Unicode.
- Comments:
- New systems should be unicode friendly.
IPv6
CAcert wants to offer it's services on both IPv4 and IPv6.
Contact for this task: philipp@cacert.org
- Working on it:
- Comments:
- Most recent distros/packages have IPv6 support that just needs to be enabled. Agreed this is a noble cause. (samj)
- And how would that change the DNS records in the cacert.org zone?
- Our software needs to talk IPv6 before we do anything like that (samj)
- And how would that change the DNS records in the cacert.org zone?
For more information : IPv6
- Most recent distros/packages have IPv6 support that just needs to be enabled. Agreed this is a noble cause. (samj)
Random Sources
Crypto stuff needs random sources. Though hardware support is occasionally supported Havege is a cool project too.
Havege should be maintained, improved, packaged and if possible included into mainstream kernels: http://www.irisa.fr/caps/projects/hipsor/
Contact for this task: philipp@cacert.org
- Working on it:
proposal : using havege lib with randomsound or getting ideas from randomsound to feed /dev/random