Downtime and new beginnings at CAcert
Change is underway at CAcert, the community certification authority. The certification service will be offline temporarily at the end of September because critical servers are moving from Austria to Holland. The project is also suffering from a shortage of manpower.
The idea behind CAcert is simple: instead of having to rely on expensive certification service providers like Verisign, CAcert wants to make security available to those on a limited budget. The SSL certificates are certified by the community itself, with volunteer 'assurers' vouching for the correctness of the information contained in the free server certificates. However, the organisation has been struggling to implement its aims. Some five years after the official formation of CAcert, none of the popular browsers has yet integrated the root certificate of the CAcert Certificate Authority (CA) into its default installation. Only a few open source projects trust the free certificates without any additional certification.
To make itself more attractive to the mass-market products, the organisation is currently undergoing an involved audit process designed to confirm that content signed by CAcert is indeed trustworthy. This will require, amongst other things, an improved infrastructure. As explained in the latest status report, the servers in Vienna were not capable of satisfying the requirements of the audit. The services will therefore be relocated at the end of the month to a computer centre in Holland which is already home to some of the project's other servers.
None of the people in charge of the project is prepared to state exactly when the downtime will occur or how long it will last. According to the terse announcement: "It will last as long as it lasts." When pressed, Philipp Gühring, the person responsible for software development and system administration, said he was confident that the downtime would not exceed 48 hours. Gühring said: "The move will have no effect on the security of SSL. Although we will not be able to issue new certificates during this time, certificate users are automatically given 45 days' notice of the expiry of their certificates - so a short period of downtime will not result in an interruption to the service." After the move, CAcert intends to issue a new root certificate that more effectively satisfies the requirements of the audit. The old certificates will retain their validity for the time being.
The latest Community report is not without its criticism of the work of CAcert. It says, for example, "CAcert has had two years to prepare the critical systems, and has not. It has had over a year in the current situation, and not done the migration." The report also mentions a critical security bug. Although it was fixed within twelve hours, this shows that the software development team still has a lot of work to do.
In an interview with heise online, Gühring was confident that the project's new team would soon be able to make improvements. "We continue to work on improvements and have already achieved much. But we are having to devote a good deal of our energies to the audit, because its requirements are so stringent. CAcert is keen to recruit volunteers prepared to invest the necessary time and commitment in the project."