== Welcome to New Root Certificate Task Force ==

=== Announcement ===

 * We are pleased to announce that we have set-up the CAcert test systems with samples of '''CAcert new root certificate''' model.

 * We need '''volunteers''' to create client/server certificates and put them on test webservers or send signed emails. 

 * So we can get some '''feed back''' and make some changes before we do the '''real''' ceremony of issuing the new CAcert root certificates ''that are likely to be included in Mozilla Firefox / Thunderbird''.

=== Procedure ===

 * The test1.cacert.at system is TEST only and completely separate from the main www.cacert.org, so you need to create new accounts and add domains & emails.

 * Please create 2 accounts and ask '''support (at) cacert.org''' to add ''trust points'' in one of your CAcert TEST accounts. So, with 2 accounts, you can create both ''Assured'' and ''non-Assured'' certificates. Life time of the client certs may change from www.cacert.org

 * If you want to do email signing & ciphering tests, you can ask guillaume (at) cacert.org for example!

=== Details ===

 * As part of the [[Roots/NewRootsTaskForce|New Roots project]] we would like '''YOU!''' to test the next generation of CAcert root certificates.

 * The cert chains are composed of: 
  * the '''CAcert Root''' certificate + the '''CAcert Community Member''' subroot cert (formely known as ''class1'')
  * the '''CAcert Root''' certificate + the '''CAcert Community Assured Member''' subroot cert (formely known as ''class3'')

 * The certificates are loaded on http://www.test1.cacert.at so ''feel free to register an account and create certificates''.

 * In case we need to modify the root certs, we will issue new ones and so you could test them again (please!).

 * Please, the root/subroot names start with "TEST" (it will be removed for the real ceremony)

 * We want to '''verify''' that the whole chain of root + subroot + client certs is working fine. 

 * The lifetime of the client certs may change from www.cacert.org system 


|| Certificate update ||  cert issuing date || still in use on test1 ||
|| root + Community Member subroot + Community Assured Member subroot || Oct 25th 2008 || no ||
|| root + Community Member subroot + Community Assured Member subroot || Oct 26th 2008 || yes ||

=== Test Plan ===

''Improve this...''

 * The signed certificates will be tested for acceptance by different browsers (Mozilla, Internet Explorer, Opera, Safari, etc.) and key managers.

=== Download the certificates ===

Here are the current root certificates :

|| Certificate || download into browser || read the details ||
|| Root certificate  || [[http://www.test1.cacert.at/TESTCERTS/rootCA.crt | PEM Format ]] || [[http://www.test1.cacert.at/TESTCERTS/rootCA.txt | TXT Format ]] ||
|| Community Member subroot ||   [[http://www.test1.cacert.at/TESTCERTS/intermCA.crt| PEM Format]]  ||   [[http://www.test1.cacert.at/TESTCERTS/intermCA.txt| TXT Format]]   ||
|| Community Assured Member subroot ||  [[http://www.test1.cacert.at/TESTCERTS/intermCA3.crt| PEM Format]]   ||    [[http://www.test1.cacert.at/TESTCERTS/intermCA3.txt| TXT Format ]]  ||

 * [[http://www.test1.cacert.at/TESTCERTS/id.p12| pkcs12 format test client certificate]] : password is "cacert", the root/subroot are included, you need to validate the root cert in the keystore first.

=== Contact ===

 * Please report comments on the usual support lists as well as support (at) cacert.org and mention "Test System" in the title.

 * You may find issues on the TEST system, please report the problems and mention it is about "TEST System", so we can fix them. 

 * You can put a comment in the "Comments" page below.


== Code source for review ==

 * Please if you feel skilled enough, you may help reviewing this part of the root cert Ceremony script

 * How to run :

  * Step 1 : there is a genKeys.sh script to generate the root keys with OpenSSL in "keys" directory (optional).

  * Step 2 : the project is a Java Eclipse project. You have to run the org.cacert.ceremony.Ceremony class and fetch the certs in "signingengine", a sample pkcs12 file is provided for testing purpose. It includes the whole chain (CAcert Assured Members subroot). Look at readme.txt for some details.

 * [[http://svn.cacert.org/CAcert/Software|beta code here for CAcertCeremonyScript review]] Last update : '''Sat November 14th 2008'''

 * TODO :
  * add a ANT script to automate genKeys.sh + org.cacert.ceremony.Ceremony
  * do some more testing : today only the '''CAcert Root''' certificate + the '''CAcert Community Assured Member''' subroot cert test has been automated.
  * writing down all the ceremony (text file!)
  * far much more comments in the code !

 * please if you have a patch, send a copy to support (at) cacert.org, thanks !

== Comments about the test systems ==

 * The production system and the testsystem are completely seperated systems. 

 * The testsystem started with an empty database, so every account has to be freshly created.

 * The testsystem does not know anything about the contents of the production database.

 * The testsystem only has a copy of the country-region-location-database from the production system

 * The automated data and software-transfer is always from the production system to the testsystem, never into the other direction.

 * link for LostPassword https://www.test1.cacert.at/index.php?id=5

== Points to discuss ==

 * The passwords for the RSA keys are 32 bytes longs (256 bits), we set the value because the cipher is AES256. Is it the proper size ? => it seems correct.

 *  We need to generate a revocation files of the subroots. => to investigate further => tried to generate CRL but no reply so far

 * We need to make sure we can do certificate login. background idea : how to configure it + is there any problem in case we keep the old Root cert for "class1" and audit the new "CAcert Assured Member" subroot

 * Can OCSP current URL can handle both old Root cert issued certificates and the new Root/Subroot cert issued certs ?

 * ... more 


== Random generators ==

 * under testing :
  * /dev/random (keyboard + mouse)
  * /dev/random + turbid (sound card)
  * havege (randomness from cpu internals) but no /dev/hrandom possible on recent systems (or we could mix havege libs with randomsound lightweight project)
  * /dev/random + randomsound (sound card)
 * some draft datas : DevRandomTest
  
== Alternate technologies ==

 * [[http://www.bouncycastle.org/java.html|BouncyCastle]]
 * [[http://www.mozilla.org/projects/security/pki/jss/|JSS]]


== User comments ==

<<Include(Roots/TestNewRootCerts/Comments)>>

----

add a comment : [[Roots/TestNewRootCerts/Comments]]


----
 . CategoryAudit
 . CategoryNewRootsTaskForce