<> = Preamble = == Background == CAcert uses roots as described at [[FAQ/TechnicalQuestions#Structure_of_Roots|Structure of Roots]] and many other places. Because the existing roots have been deemed to be ''[[Audit/CommunityReport20080902|Audit Fail]]'', we have to create new ones that are capable of passing a future audit. Also, this project has taken on more urgency because of the deprecation of MD5 and the general weakening of the roots over time. == Authority == The Board authorises creation of roots and subroots from time to time. The procedures are authorised under [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#9.2|DRAFT Security Policy]] and are indexed into the [[SecurityManual#RootKeyManagement|Security Manual]]. Also see the [[http://www.cacert.org/policy/CertificationPracticeStatement.php|wip DRAFT]]. = Process = Discussion on the project is at [[https://lists.cacert.org/wws/info/cacert-policy|cacert-policy maillist]]. You can [[https://lists.cacert.org/wws/subscribe/cacert-policy|subscribe here]] and [[https://lists.cacert.org/wws/arc/cacert-policy|read the archives]]. This wiki page is freely editable. Add tasks where needed. Add questions if needed. = Tasks = || Task || Responsibility || References || Status || || Re-sign class 3 || Critical Team Leader || [[Roots/Class3ResignProcedure|Re-sign Procedure]] || procedure written and tested, authorised as [[https://community.cacert.org/board/motions.php?motion=m20110515.2|m20110515.2]] || || PR for Class 3 Re-sign || Community || [[https://community.cacert.org/board/motions.php?motion=m20110515.3|m20110515.3]] || || || [[Roots/EscrowAndRecovery|Escrow and Recovery]] || Board || [[Roots/EscrowAndRecovery]] || [[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100306|board meeting 20100306]]<
>[[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20100321|board meeting 20100321]]<
>[[Brain/CAcertInc/Committee/MeetingAgendasAndMinutes/20130310|board meeting 20130310 ff.]] || || [[Roots/Structure||root structure]] correct? || Policy Group || [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] [[https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00001.html|discuss]] || under review 20090305 || || [[Roots/Contents||root certificate format]] correct? || Policy Group with Technical Input || [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] [[https://lists.cacert.org/wws/arc/cacert-root/2010-03/msg00001.html|discuss]] || under review 20090305|| || [[http://svn.cacert.org/CAcert/Policies/SecurityPolicy.html#9.2|security policy]] correct? || Policy Group || || || || [[SecurityManual#RootKeyManagement|security manual]] correct? || critical systems administration team leader|| || || || [[http://www.cacert.org/policy/CertificationPracticeStatement.php|CPS]] correct? || Policy Group || || CPS to DRAFT [[PolicyDecisions#p20090706|p20090706]] <
>CPS to drop assurer critieria and allow IDN certificates in specified TLD or single script character sets [[PolicyDecisions#p20091108|p20091108]] <
>CPS #7.1.2 "Certificate Extensions" adjustments [[PolicyDecisions#p20111113|p20111113]] || || Software Changes (todo break into detail) || software team || || waiting on root structure/format definition || || New Root Creation || critical team || [[Roots/CreationCeremony|ceremony for creation of root(s)]] [[Roots/TechScript|tech stuff]] || waiting on confirmation of root structure/content || || New Root testing || anyone || [[Roots/TestNewRootCerts]] || waiting on Root Creation || || Early Root Distribution || DanielBlack || linux distros || waiting on Root Creation || || New Root deployment || critical team + assistance || fill in details [[Roots/RolloutProcedure|rollout procedure]] || dry run being conducted with [[Roots/Class3ResignProcedure/Migration|Class 3 Re-Sign Project]] || || Blogs / Press releases etc || || as above || dry run being conducted with [[Roots/Class3ResignProcedure/Migration|Class 3 Re-Sign Project]] || || Decommision Old roots || critical team || || || = Unresolved Issues / Documentation Task List = These need to be addressed with written procedures: * Creation of an offine root escrow method at [[Roots/EscrowAndRecovery]] * [[Roots/CompromiseStrategy]] should be reviewed. * Creation of sub-roots for different CAcert functions: * Web of Trust (eg CAP) * Remote Assurance (eg RAP) * Organisation Assurance (eg OAP) (from which our organisations get their certs) * [[Roots/OrganisationSubRoots|Creation of sub-roots for assured organisations]] (from which organisations can issue certificates from their own sub-root) * Revocation process. * Future requirements may include [[Roots/HSM]]. = Questions = || Question || by || Answer/Opinion || by || || || || || || == Planning == 1. Verify new roots are technical designed right 1. Verify governance framework (CPS, SP, SM) are good 1. Develop software changes 1. Plan deployment = Historical = == Timeline == Most recent at top. * [[https://community.cacert.org/board/motions.php?motion=m20100117.3|m20100117.3]]: . ''RESOLVED, that the existing root may not be used to sign any new sub-roots, and that the board receive reports from affected teams with a view to the issuing of a new offline root with multiple sub-roots.'' * An opportunity for using [[HAR2009]] was suggested but did not work out. * [[Roots/20081128]] resulted in the creation of Top-level root and 2 subroots (Member & Assured). However the follow-up phases did not complete. * A meeting at or around 20081002 worked through the software and shook out bugs. * Planning for the new roots started around mid 2008, as part of the "May Plan." * At Top 2007, auditor announced that the old roots had to be replaced. = References = * [[Roots/Library]] lists the deeper references: policies and old decisions: * [[http://www.cacert.at/cgi-bin/rngresults/|PG's CAcert Research Lab: Random Number Generator Results]] ---- . [[Roots/StateOverview|Roots States Overview]] . CategoryAudit . CategoryNewRootsTaskForce