Preamble
Background
CAcert uses roots as described at Structure of Roots and many other places. Because the existing roots have been deemed to be Audit Fail, we have to create new ones that are capable of passing a future audit. Also, this project has taken on more urgency because of the deprecation of MD5 and the general weakening of the roots over time.
Authority
The Board authorises creation of roots and subroots from time to time. The procedures are authorised under DRAFT Security Policy and are indexed into the Security Manual. Also see the WIP DRAFT.
Process
Discussion on the project takes place on the cacert-policy mailing list. You can subscribe here and read the archives.
This wiki page is freely editable. Add tasks where needed. Add questions if needed.
Tasks
Task
Responsibility
References
Status
Re-sign class 3
Critical Team Leader
procedure written and tested, authorised as m20110515.2
PR for Class 3 Re-sign
Community
Board
board meeting 20100306
board meeting 20100321
board meeting 20130310 ff.
Roots/Structure correct?
Policy Group
under review 20090305
Roots/Contents correct?
Policy Group with Technical Input
under review 20090305
security policy correct?
Policy Group
security manual correct?
critical systems administration team leader
CPS correct?
Policy Group
CPS to DRAFT p20090706
CPS to drop assurer criteria and allow IDN certificates in specified TLD or single script character sets p20091108
CPS #7.1.2 "Certificate Extensions" adjustments p20111113
Software Changes (todo break into detail)
software team
waiting on root structure/format definition
New Root Creation
critical team
waiting on confirmation of root structure/content
New Root testing
anyone
waiting on Root Creation
Early Root Distribution
linux distros
waiting on Root Creation
New Root deployment
critical team + assistance
fill in details rollout procedure
dry run being conducted with Class 3 Re-Sign Project
Blogs / Press releases etc
as above
dry run being conducted with Class 3 Re-Sign Project
Decommission Old roots
critical team
Unresolved Issues / Documentation Task List
These need to be addressed with written procedures:
- Creation of an offline root escrow method at Roots/EscrowAndRecovery
- Roots/CompromiseStrategy should be reviewed.
- Creation of sub-roots for different CAcert functions:
  - Web of Trust (eg CAP)
  - Remote Assurance (eg RAP)
  - Organisation Assurance (eg OAP) (from which our organisations get their certs)
- Creation of sub-roots for assured organisations (from which organisations can issue certificates from their own sub-root)
- Revocation process.
Future requirements may include Roots/HSM.
Questions
Question
by
Answer/Opinion
by
Planning
- Verify new roots are technically designed right
- Verify governance framework (CPS, SP, SM) is good
- Develop software changes
- Plan deployment
Historical
Timeline
Most recent at top.
- RESOLVED, that the existing root may not be used to sign any new sub-roots, and that the board receive reports from affected teams with a view to the issuing of a new offline root with multiple sub-roots.
- An opportunity for using HAR2009 was suggested but did not work out.
- Roots/20081128 resulted in the creation of Top-level root and 2 subroots (Member & Assured). However the follow-up phases did not complete.
- A meeting at or around 20081002 worked through the software and shook out bugs.
- Planning for the new roots started around mid 2008, as part of the "May Plan."
- At Top 2007, auditor announced that the old roots had to be replaced.
References
Roots/Library lists the deeper references: policies and old decisions: