cacert - Future of Cacert?

  • From: Frédéric Grither <frederic.grither AT cacert.org>
  • To: cacert AT lists.cacert.org
  • Cc:
  • Subject: Future of Cacert?
  • Date: Wed, 04 Sep 2024 14:29:48 +0000

Dear friend and member of Cacert,


We will soon be holding our annual general meeting on September 28th, which is earlier than usual.


The Board of Directors has been working since the beginning of the year to present the choice of closing down or going on with Cacert's activities to its members.


It is important that the community and the members of CAcert Inc. be asked to choose on this issue in an open and friendly manner.


We came up with an easy-to-read document that brings together everyone's opinions.

Thanks to the document below, you will have most of the information you need to make your decision as a member of the community.


Best regards,


Frédéric Grither

The Treasurer

CAcert Inc.

Clos Belmont 2

1208 Geneva

Switzerland


Donations IBAN CH02 0077 4010 3947 4420 0


====== start document ======


On 2 February 2024, the members of the CAcert committee have decided to call a Community meeting, at which all members of the association will be asked to vote on whether CAcert should close down or not. A list of reasons for continuing or terminating the association may be attached to the notice of the meeting. Here they are.


So that you can make an informed decision on the dissolution of CAcert Inc, it's important to remind you how CAcert is organised. Simply put, there are two bodies:

  • Firstly, the members of the community (everyone who has opened an account). Together they form the community, called CAcert or CAcert Community or CAcert.org. As the community has no legal personality, an association (CAcert Inc, association) was founded for its operation. These three (each individual member of the Community, CAcert and CAcert Inc) have joined forces with the CAcert Community Agreement. This ‘marriage’ can only be dissolved as provided for in the CAcert Community Agreement ‘marriage contract’. To make things even more complicated, CAcert Inc, as an association under Swiss law, is a legal entity but consists of a group of natural persons, the association members (also Inc members).
  • The second is the government, which, as in any modern constitutional state, recognises the separation of powers: the executive (the CAcert Inc Committee), elected by the association members, is responsible for operations. Fundamental decisions such as policies are discussed and decided by the legislative (the Policy Group), consisting of ad hoc members from the community who have signed up. Disputes are settled by the judiciary (arbitration).


Main key figures:

CAcert Community Agreement is > 300 000 people. 2125 certificates generated in 2023

CAcert Inc is theoretically 24 people, ~10 active people

Committee is theoretically 7 people, 6 active people (lack of candidates for the 7th seat)

Policy Group is dormant at present because there are no current policy changes.

Arbitration is theoretically 9 people. Arbitrators are no longer called upon or proactive.


Pros and Cons

Facts in favour of staying in business

Facts relating to the fulfilment of CAcert's historical mission

  • CAcert's financial accounts are in the black, i.e. positive; thanks to the massive email to our members and users, an initiative led by Etienne Ruedin, the Secretary, in 2019. CAcert was funded in time with enough money to allow it to continue operating in the coming years. This fact proves the existence of a community at this time.
  • CAcert members and ordinary users of its services have been kept up to date with the latest news from the association via its continually updated blog, thanks to the involvement of Etienne.
  • CAcert users are still receiving first-level answers to their technical questions, thanks to the involvement of Aleš Kastner. AND MANY OTHERS ON THE LIST
  • The online services infrastructure has always been maintained and, where possible, some operating systems and applications have been migrated to newer versions, thanks to the involvement of Jan Dittberner.
  • The most serious hardware and software failures of CAcert's main web application have always been fixed, including by physical repeated interventions on site at our data centre in Ede, thanks to the commitment of Dirk Astrath. AND OTHERS
  • Among members who are still active, half of them have proven proficiency in systems administration and software development; for example, thanks to the expertise of Jan and Dirk, a proof of concept for the integration of CAcert and OpenID was designed.
  • Among members who are still active, there is generally a spirit of friendship; CAcert's own management culture leads its active members to seek consensus; under Brian's leadership for many years, the association has managed to avoid a repeat of the in-house conflict of 2015.
  • CAcert remains the only free and open CA that can help to verify user identities in a non-commercial fashion via our Web of Trust.

Facts relating to the ability of CAcert to evolve

  • In line with the predominant location of its active members, CAcert moved its head office from Australia to Europe in 2021 (Geneva, Switzerland) thanks to the involvement of Etienne. The transfer of CAcert to Switzerland leads to much easier governance than in Australia.
  • The wrongful freezing of CAcert's funds on the Paypal account opened in Australia has finally been resolved in 2021 after a year of dispute procedures, involving the local monetary authority, thanks to the work and determination of Etienne, Kevin and Frédéric G.
  • The wrongful freezing of CAcert's funds on the Paypal account opened in Switzerland has finally been resolved in 2024 after several months of administrative procedures, involving the Monetary Authority of Singapore, thanks to the work of Frédéric G and Frédéric D.
  • In order to integrate CAcert with OpenID, CAcert received financial support from the RIPE NCC in 2021, almost equivalent to a full financial year, thanks to the commitment of Frédéric D. and Brian. The project progressed and is now ready in a test version.
  • Face-to-face interviews in different time zones, initiated by Brian and Frédéric D., with the participation of Jan and Dirk, were used in 2020 to recruit and assess the profiles of the various volunteers offering their help, from several continents.
  • In the case of background checks on members called upon to hold critical positions in infrastructure management, the committee adopted in 2022, with the consensus of active members and thanks to the involvement of Bernhard, Brian and Dirk, an enforceable procedure, although not compatible with the policies of CAcert.
  • Two proposals to provide CAcert with a renewed mission statement were provided by Dirk (OpenID - 2021) and Michael (bridge between CAs - 2023), demonstrating a willingness to evolve CAcert's usefulness.
  • Nextcloud, a file sharing and collaboration platform, has been in use since 2022, thanks to Frédéric D.'s initiative and Sascha's involvement. Since then, files have been easier to draft, store and retrieve, making administrative tasks more efficient.
  • From 2021, almost all the meetings have been switched from the old IRC channel to the Jitsi videoconferencing platform, thanks to Frédéric D.'s initiative. It has significantly increased the clarity, interactivity and speed of all meetings. Telegram and Threema channels have also been adopted for quick help requests between active members.

Facts in favour of closing down the business

Facts about the CAcert organisation

  • Over the past five years, face-to-face identity certification by CAcert-approved assurers has ceased to operate, apart from on a very small and hobbyist scale; assurers registered in the CAcert database no longer respond to requests, with rare exceptions; they have de facto ceased to be active members; given the usual network externality effects, it is impossible once again to find the critical mass of certifiers; as a result, CAcert has lost its ability to maintain, let alone develop, a collaborative "web of trust".
  • Over the last five years, the number of members still active in the running of CAcert has steadily declined and now stands at around ten, all but one of them in Europe. This extremely small number means that CAcert is unable to comply with its own security and redundancy rules, as imposed by its own policies; a clear path to the cul-de-sac.
  • Over the last five years, with the exception of the CAcert committee, its other two main bodies (the Arbitration and the Policy Group) were no longer active or consulted, and consequently have not provided any effective work since then. CAcert's ability to evolve and self-regulate has essentially been decapitated, prompting the committee to adopt a cautious and conservative attitude, as opposed to an entrepreneurial approach.
  • Over the last five years, CAcert has identified the obsolescence of its main web application, but has been unable to upgrade it; according to Mantis, CAcert's bug tracking tool, in the last 5 years, 47 bugs were closed, but the proposed patches have not been put into production, which undermines the incentive to submit more patches in the future; in the autumn of 2023, the X.509 certificate generation service, which is at the heart of CAcert's business, was unavailable to the users for a quarter, causing CAcert's business to go from professional to amateur status.


Facts about working together as active members

  • The management culture of consensus within CAcert favours the inertia of its active members in response to objections within the group; observed over the last five years, this culture has in practice worked against the implementation of any major technical work, to the extent that most tasks remain open for months, and more often years; the failure to put the work done into production leads to a natural psychological demotivation mechanism, which partly explains the attrition of active members.
  • The distance between the remaining active members (one or two by country at most) greatly amplifies the linguistic and cultural barriers, eroding by a natural process the spontaneous motivation to make direct contact, outside planned meetings; this is a tough structural challenge for which we have not found a remedy.
  • This inherently difficult environment has a deterrent effect on the few new volunteers, a tiny minority of whom continue to work for CAcert over the long term; the lack of new staff means that the work cannot be done properly, and rapid resignations mean that key roles requiring experience cannot be filled.
  • CAcert's work on integration with OpenID, which was initiated in 2021, has been hampered by a limited number of active members with programming skills to work with each other.
  • The idea of redirecting CAcert as a bridge between the various certification authorities used in business, as Michael proposed in May 2023, has been discussed several times, but without practical execution.
  • Over the past five years, we have had a succession of treasurers, each of whom has had to pass on the financial records and online access to the accounts. Despite the serious difficulties encountered with Paypal in Australia, and the reluctance of some of the committee members to continue using this financial operator, a new Paypal account was opened in Switzerland, which was in turn frozen once again.
  • The Paypal account opened in Australia, on which there is still a positive balance, has once again been blocked by Paypal.
  • The positive side of successfully relocating our head office from Australia to Switzerland was nonetheless a long and difficult process, lasting almost three years. The last remaining difficulty is closing the Australian bank accounts, still in progress.


Facts outside CAcert

  • The free and unlimited availability from Let's Encrypt of X.509 certificates for secure communications on the web weakens to the point of exhaustion the usefulness of the same service by CAcert, although Let's Encrypt only provides server certificates and does not provide any assurance or identification with those certificates.
  • The proliferation of modern, secure point-to-point instant messaging services (not to mention webmails) is further reducing the practical use of encrypted email; because of the very design of the X.509 PKI architecture and the email-specific S/MIME implementation, the well-known phenomena of "network externality" are highly detrimental to the adoption of the CAcert service for email on anything other than a confidential scale.
  • It is unrealistic to expect many professional players to place public trust in CAcert's root certificate in the future; this is the major reason why the CAcert service no longer attracts skilled contributors, is no longer really useful for signing documents and code and securing web communications, and why its original mission statement is no longer valid; in short, CAcert is useful for educational and personal purposes, not for other use cases.


Miscellaneous

  • The following statement is more of an opinion than a fact, but it is worth considering when questioning the need to stop CAcert operations: CAcert's inability to evolve its technology, services and rules is not a bug, it's a feature™; it's not by chance, it's the very consequence of the rules the association has set itself. Nonetheless, CAcert is very changeable. New policies can be written and proposed at any time. Do we have the people and the energy to do it?
  • All these points have been widely discussed by our predecessors in the association. The slow death of CAcert was already identified as such in 2017 and 2018 by our former colleague Kurt Fitzner. The same conclusion was reached and written down by the CAcert members Christophe Berger and Pierre-Olivier Mercier, security R&D engineers in Paris.

====== end document ======



