Subject: CAcert Code Development list.
Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- From: Mathieu Simon <mathieu.simon AT simweb.ch>
- To: cacert-devel AT lists.cacert.org
- Subject: Re: LibreSSL: Organisation User Certificates, maybe little change to improve a lot? :-)
- Date: Wed, 17 Mar 2010 11:55:27 +0100
Hi
Faramir wrote:
> When I create a certificate, it is created in my browser, CAcert never
> touches my private keys, and yet, CAcert can sign my certificate, or
> revoke it if needed. If I understood it right, what Mathieu needs, is to
> be able to receive the CSR from the end user, and submit it to CAcert in
> order to get it signed.
Exactly :-)
> So if the site allows him to paste the CSR, instead of generating it in the browser, that would solve the problem. Of course, it would need a patch...
Well, I tried to do another modification. This time in the way of a patch.
For those who prefer to read the full proposal it's also included in the mail.
As I said in the beginning: Neither my PHP nor HTML experience is great;
I try to do something, and I bring experience with me from other languages I'm used to.
I therefore kindly ask the other developers to give a look at the code of a "newb"
and give feedback / criticize it in order to improve quality and fix the bugs I
may have introduced.
> The Org would still be the one responsible, they would just not touch
> the private key, but all other things would remain the same.
And for protection of all, Org Admins and Organisation had to accept CAcert organisation
policy and therefore they have accepted to follow CAcert arbitration if something happens.
Best regards
Mathieu
Attachment:
16.php
Description: application/httpd-php
diff --git cacert/pages/account/16.php cacert/pages/account/16.php
index 3e582e3..a87c057 100644
--- cacert/pages/account/16.php
+++ cacert/pages/account/16.php
@@ -14,13 +14,46 @@
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+ Contributions made by members of the CAcert.org community
+ * Mathieu Simon
*/
include_once("../includes/shutdown.php");
?>
+
+<h3><?=_("CAcert Certficate Acceptable Use Policy")?></h3>
+<p><?=_("Once you decide to subscribe for an SSL Server Certificate you will need to complete this agreement. Please read it carefully. Your Certificate Request can only be processed with your acceptance and understanding of this agreement.")?></p>
+
+<p><?=_("I hereby represent that I am fully authorized by the owner of the information contained in the CSR sent to CAcert Inc. to apply for an Digital Certificate for secure and authenticated electronic transactions. I understand that a digital certificate serves to identify the Subscriber for the purposes of electronic communication and that the management of the private keys associated with such certificates is the responsibility of the subscriber's technical staff and/or contractors.")?></p>
+
+<p><?=_("CAcert Inc.'s public certification services are governed by a CPS as amended from time to time which is incorporated into this Agreement by reference. The Subscriber will use the SSL Server Certificate in accordance with CAcert Inc.'s CPS and supporting documentation published at")?> <a href="http://www.cacert.org/policy/">http://www.cacert.org/policy/</a></p>
+
+<p><?=_("If the Subscriber's name and/or domain name registration change the subscriber will immediately inform CAcert Inc. who shall revoke the digital certificate. When the Digital Certificate expires or is revoked the company will permanently remove the certificate from the server on which it is installed and will not use it for any purpose thereafter. The person responsible for key management and security is fully authorized to install and utilize the certificate to represent this organization's electronic presence.")?></p>
+
+<h4><?=_("Reminder for Organisation Administrators")?></h4>
+<p><?=_("Organisation Assurance is still in early stages - as organisation administrator you are the bridge between your Organisation and CAcert. You are also in between CAcert's policies and local data protection acts. The community is trying to solve the issues to make life easier for you - until then: Stay informed on your local law and know your rights both at CAcert policy and local DPA.")?></p>
+
+<p><?=_("Inform yourself on how local DPA may be affecting the way, if you as Org-Admin or the requesting person have to generate private keys or not - if so, you only need a CSR from your requestor. Some may also have a paper reglementing who has to do backups of keypairs.")?></p>
+
+<h4><?=_("At last")?></h4>
+<p><?=_("Please don't send in a signing request for your organisation if you have doubt's about it's credibility. In case e.g. you are being forced by your organisation to request an abusive certificate or if you have serious doubts unresolvable with your Organisation: File an arbitration! Your organisation has also signed the Organisation Assurance Policy and has to follow CAcert arbitration as well.")?></p>
+
+<h4><?=_("Method A: Paste a CSR")?></h4>
+<form method="post" action="account.php">
+<input type="radio" name="rootcert" value="1"> <?=_("Sign by class 1 root certificate")?><br>
+<input type="radio" name="rootcert" value="2" checked> <?=_("Sign by class 3 root certificate")?><br>
+<p><?=_("Please note: The class 3 root certificate needs to be imported into your email program as well as the class 1 root certificate so your email program can build a full trust path chain. Until we are included in browsers this might not be a desirable option for most people")?></p>
+<p><?=_("Paste your CSR below...")?></p>
+<textarea name="CSR" cols="80" rows="15"></textarea><br>
+<input type="submit" name="process" value="<?=_("Submit")?>">
+<input type="hidden" name="oldid" value="<?=$id?>">
+</form>
+
+<h4><?=_("Method B: Let your browser generate the key")?></h4>
<form method="post" action="account.php">
-<table align="center" valign="middle" border="0" cellspacing="0" cellpadding="0" class="wrapper">
+<table align="left" valign="left" border="0" cellspacing="0" cellpadding="0" class="wrapper">
<tr>
- <td colspan="2" class="title"><?=_("New Client Certificate")?></td>
+ <td colspan="2" class="title"><?=_("New Organisation Client Certificate")?></td>
</tr>
<tr>
<td class="DataTD"><?=_("Add")?></td>
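Review bot: The new "Method A" form posts a `CSR` textarea to account.php with the same `process` and `oldid` fields as the existing Method B form, but this patch touches only pages/account/16.php, so nothing visible here shows account.php reading `CSR` for this page or telling the two submissions apart. Include the handler change in the same patch, and have it take only the public key from the pasted request while the certificate subject comes from the organisation's record rather than from whatever the CSR asks for. Smaller points: the policy paragraphs speak of an "SSL Server Certificate" while the table title now reads "New Organisation Client Certificate"; the new `_()` strings carry typos ("Certficate", "an Digital Certificate", "doubt's", "it's credibility") that will become translation keys; and `valign="left"` is not a valid value for that attribute.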
diff --git cacert/www/coapnew.php cacert/www/coapnew.php
index 301d5c2..2bae4a5 100644
--- cacert/www/coapnew.php
+++ cacert/www/coapnew.php
@@ -39,6 +39,7 @@ define('REV', '$Revision: 1.2 $');
** Add free embedding zapfdingbat font
** ttf2pt1 -F zapfdinbats.ttf -> zapfdingbats.utf metrics file
** php -q makefont.php zapfsdingbats.ttf zapfdingbats.utf -> .php,.ctg.z,.z
+** php.ini Allow at least 32MB for TCPDF usage otherwise not enough memory.
** install files: zapfdingbats.{php,z,ctg.z} in tcpdf/fonts dir
** UTF8 package for unicode (utf8/native/core.php):
** utf8_substr() only when package is found and needs to be used
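Review bot: The added php.ini line sits between the `makefont.php` step and the `install files:` step, so it splits the zapfdingbats font instructions, and it does not name the setting to change. Move it outside that sequence and name the directive, for example "php.ini: set memory_limit to at least 32M for TCPDF".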
@@ -230,7 +231,7 @@ define( 'TEST', true );
// INSTALLATION DIRS OF PACKAGES ==============================
// make sure packages are installed here
define('RT','./');
-define('TCPDF_DIR','/usr/share/tcpdf_php4');
+define('TCPDF_DIR','/usr/share/tcpdf');
define('UTF8',RT."/utf8/native/core.php");
if( file_exists(RT.'/transtab.php') ) // wherever it is
define('UTF8_ASCII', RT.'/transtab.php');
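Review bot: `TCPDF_DIR` goes from one hard-coded path to another, which breaks any installation where TCPDF still lives in /usr/share/tcpdf_php4, and the change is unrelated to the CSR form in 16.php. Guard it with a `file_exists()` check like the `transtab.php` lookup two lines below, or send it as a separate patch.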
diff --git cacert/www/logos/CAcert-logo-colour-1000.png cacert/www/logos/CAcert-logo-colour-1000.png
new file mode 100644
index 0000000..a6dd6ac
Binary files /dev/null and cacert/www/logos/CAcert-logo-colour-1000.png differ
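Review bot: CAcert-logo-colour-1000.png is not referenced by any of the text hunks in this patch. If coapnew.php needs it, say so in the message; otherwise leave it out of a patch whose subject is the Organisation client certificate form.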
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
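A pre-submission check an Org Admin could run on a CSR received from a user before pasting it into the form discussed in this message. This is an added example, not part of the original mail or of CAcert's code; `check_csr`, `MIN_BITS`, the 2048-bit floor and the RSA-only rule are assumptions.

```shell
#!/bin/sh
# Added example, not CAcert code. check_csr and MIN_BITS are hypothetical.
MIN_BITS=2048   # assumed local minimum RSA size, not a CAcert-published value

# check_csr FILE [MIN_BITS]
# Prints a one-line verdict; returns 0 only for a PKCS#10 request whose
# self-signature verifies and whose RSA key has at least MIN_BITS bits.
check_csr() {
    csr_file=$1
    min_bits=${2:-$MIN_BITS}

    # 1. The paste must parse as a PEM certificate request.
    if ! text=$(openssl req -in "$csr_file" -noout -text 2>/dev/null); then
        echo "reject: not a parseable CSR"; return 1
    fi

    # 2. The self-signature shows the requester holds the private key.
    #    Match the message: some openssl versions exit 0 on a failed verify.
    if ! openssl req -in "$csr_file" -noout -verify 2>&1 | grep -q "verify OK"; then
        echo "reject: self-signature does not verify"; return 1
    fi

    # 3. Key type and size, read from the decoded request.
    case $text in
        *rsaEncryption*) ;;
        *) echo "reject: non-RSA key (assumed unsupported here)"; return 1 ;;
    esac
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "reject: RSA key is ${bits:-?} bits, need $min_bits"; return 1
    fi

    # 4. The subject is requester-supplied text: show it for comparison with
    #    the organisation's records, never treat it as verified identity.
    subject=$(openssl req -in "$csr_file" -noout -subject 2>/dev/null)
    echo "ok: $bits-bit RSA, $subject"
}
```

The private key never leaves the requester's machine; only the request file is checked and forwarded.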