
cacert-devel - WiKi page about ACME interface

Subject: CAcert Code Development list.

  • From: Bernhard Fröhlich <bernhard AT cacert.org>
  • To: Frederic Dumas <f.dumas AT ellis.siteparc.fr>, Brian McCullough <bmccullough AT cacert.org>
  • Cc: CAcert-devel <cacert-devel AT lists.cacert.org>
  • Subject: WiKi page about ACME interface
  • Date: Sun, 19 Jul 2020 22:00:10 +0200

Hello Frédéric, hi Brian,

I forgot the third member in today's conference, feel free to forward this mail as needed.

The ACME interface we talked about has its own WiKi page at https://wiki.cacert.org/Software/Projects/Bug%231464: ACME protocol

I would indeed consider this interface as a useful project to be implemented for several reasons:

  • It would allow our users to use existing ACME clients for certificate creation/renewal, which may take off some urgency from the requirement for certificate creation in the browser.
  • Using those ACME clients would make re-issuing of certificates much more comfortable for our users.
  • The interface may be used to implement new and interesting features, like automatic S/MIME certificate requests.
  • Offering this interface may put CAcert in a position as a backup solution, just in case Let's Encrypt "really fucks up its job". Or as an alternative for people who would not like to trust Google if they don't absolutely need to.
  • It is a project which is comparatively small and well understood, so it may be easy to "sell" it for a grant. See below.

Since you already told me that such things are needed to apply for a grant, this may be a quick project plan:

  1. Detailed research and creation of a detailed implementation concept: 1 week
  2. Implementing the interface to a "proof of concept" level: 1-2 weeks
  3. Implementing needed extensions to the CAcert website for personal and organisation accounts: 1 week
  4. Implementing the interface to a "productive" state for issuing server certificates: 1-2 weeks
  5. Generic tests with "primary" client implementation: 1 week
  6. Interoperability tests with 1-5 additional clients: 1-2 weeks
  7. Code review and other project management work: 1-2 weeks
  8. Optional extension: Issuing of S/MIME certificates using the interface, which probably means implementing a client software: ~6-10 weeks, depending on research results

This guess assumes "a week" as 40 person hours of work, and it assumes that the persons in question are already somewhat acquainted with using tools like OpenSSL to manipulate certificates. The guess about the needed work may be on the lower side of real efforts, so if possible/opportune you should request 50% more.

Of course the time frame depends very much on how much manpower can be assigned to the project. I'd consider 7-11 weeks as a realistic timeframe plus the formally needed second review and installation on the production system if one full-time developer and 12.5% (1 hour/day) of a senior developer, ideally a CAcert software assessor, are assigned to the project.

I hope this helps, kind regards
Ted


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


