
cacert-devel - Tool for generating/importing certificates (related to Bug 1417)

Subject: CAcert Code Development list.

  • From: Gero Treuner <gero-cacert AT innocircle.com>
  • To: cacert-devel AT lists.cacert.org
  • Subject: Tool for generating/importing certificates (related to Bug 1417)
  • Date: Fri, 6 Apr 2018 14:10:42 +0200

Hi all,

This is a follow-up to a discussion at yesterday's board meeting turning
into technical details, therefore preferred to be continued here.

The background is that previous solutions to ease generating keys, CSR
and installing certificates don't work anymore, because support in
browsers is discontinued. The HTML element <keygen> is dropped from the
standard without a real replacement.

So what do we need (debatable ;-) ?

* Solutions are portable (Windows, macOS, POSIX, BSD, mobile platforms)
* Not requiring installers
* Easy to use interface
* Utilizing existing crypto tools and libraries (not reinventing the
wheel, IMO a no go in the security area)


Topic: Interface

Proposal:
Always provide a command-line version, and if possible a GUI as
extension (if not on smartphone where it must be an app anyway).

Proposal:
For technical options use safe standard setting and hide them, to best
support non-IT-oriented people. Make options available by advanced
settings, expert mode etc.

For comparison you can have a look at the XCA tool. This certainly is
locked to advanced mode, but can serve as an example for studying what
is good or bad. https://hohnstaedt.de/xca/


Topic: Workflows

- Import CAcert roots into system
- Import CAcert roots into browser
- Create keys for email and get a CAcert certificate (via CSR, web
service request)
- Update certificate for existing key

Please discuss where we see highest priority. Input from CAcert support
is highly welcome ;-)


Topic: Crypto Tools

Almost every platform brings tool(s) which are suitable for generating
keys/CSR. On Windows it is certutil.exe/certreq.exe, on others often
openssl. If we decide for bringing our own (to build on a common
ground) gpgsm might also be an option.


Sorry for raising a lot of general topics. But I see the need to clarify
where we want to go first, so that all volunteers can work hand in hand.


Gero
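
The "create keys for email and get a certificate via CSR" workflow, with openssl as the platform crypto tool and the technical options hidden behind safe defaults, sketched as an added example that is not part of the original message or of CAcert's code. The function name `make_email_csr`, the `KEY_BITS` override, the output file names, the 3072-bit RSA default and the subject fields are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: private key + CSR for an e-mail certificate using the system openssl.
# Assumptions: KEY_BITS is a hypothetical "expert mode" override; RSA 3072 is an assumed default.
make_email_csr() (
    email=$1
    outdir=$2
    bits=${KEY_BITS:-3072}
    # Accept only a plain address, so nothing unexpected is written into the config file.
    case $email in
        *[!A-Za-z0-9@._+-]*|*@*@*|@*|*@) echo "invalid e-mail address" >&2; exit 2 ;;
        *@*.*) ;;
        *) echo "invalid e-mail address" >&2; exit 2 ;;
    esac
    case $bits in ''|*[!0-9]*) echo "invalid key size" >&2; exit 2 ;; esac
    [ "$bits" -ge 2048 ] || { echo "key size below 2048 bits refused" >&2; exit 2; }

    umask 077                       # key and temporary files readable by the owner only
    mkdir -p "$outdir" || exit 1
    key=$outdir/email.key.pem
    csr=$outdir/email.csr.pem
    cnf=$outdir/req.cnf
    [ ! -e "$key" ] || { echo "refusing to overwrite $key" >&2; exit 3; }

    # Minimal request config, so the result does not depend on a system-wide openssl.cnf.
    cat > "$cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $email
emailAddress = $email
EOF
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" -out "$key" 2>/dev/null || exit 1
    openssl req -new -config "$cnf" -key "$key" -sha256 -out "$csr"
    rc=$?
    rm -f "$cnf"
    [ "$rc" -eq 0 ] || exit 1
    # Check the CSR's self-signature before it is submitted anywhere.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || exit 1
)

# Stand-alone use: sh make_email_csr.sh user@example.org ./out
if [ "$#" -eq 2 ]; then make_email_csr "$1" "$2"; fi
```

Only `email.csr.pem` leaves the machine; the private key stays in the output directory with owner-only permissions.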


