Mendel Mobach 13 years ago
parent d61a8c3024
commit 9ee8a22efb

@ -23,7 +23,7 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><b><?=_("PLEASE NOTE: Due to the large amounts of support questions, incorrectly directed emails may be over looked, this is a volunteer effort and directing general questions to the right place will help everyone, including yourself as you will get a reply quicker.")?></b></p>
<p><b><?=_("If you are contacting us about advertising, please use the form at the bottom of the website, the first contact form is not the correct place.")?></b></p>
<p><?=sprintf(_("If you are having trouble with your username or password, please visit our %swiki page%s for more information"), "<a href='http://wiki.cacert.org/wiki/FAQ/LostPasswordOrAccount' target='_new'>", "</a>");?></p>
<p><?=_("Before contacting us, be sure to read the information on our official and unofficial HowTo and FAQ pages.")?> - <a href="http://www.CAcert.org/help.php"><?=_("Go here for more details.")?></a></p>
<p><?=_("Before contacting us, be sure to read the information on our official and unofficial HowTo and FAQ pages.")?> - <a href="//wiki.cacert.org/HELP/"><?=_("Go here for more details.")?></a></p>
<p><?=_("General questions about CAcert should be sent to the general support list, please send all emails in ENGLISH only, this list has many more volunteers then those directly involved with the running of the website, everyone on the mailing list understands english, even if this isn't their native language this will increase your chance at a competent reply. While it's best if you sign up to the mailing list to get replied to, you don't have to, but please make sure you note this in your email, otherwise it might seem like you didn't get a reply to your question.")?></p>
<p><a href="https://lists.cacert.org/wws/info/cacert-support"><?=_("Click here to go to the Support List")?></a></p>
<p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
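Review bot: The replacement link on the new line is scheme-relative, `<a href="//wiki.cacert.org/HELP/">`, so the wiki is fetched over whatever scheme the contact page itself was loaded with; if www.cacert.org still answers on plain HTTP, a reader following it gets the help content (presumably including the root-certificate installation guidance that used to live on these pages) over an unauthenticated channel. The wiki host is fixed and the neighbouring links on this page already spell their scheme out, so an explicit `<a href="https://wiki.cacert.org/HELP/">` costs nothing and removes the ambiguity. The enclosing template continues outside the hunk.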

@ -15,15 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<h3><?=_("Help!")?></h3>
<p><?=_("Following are several tips you may find useful.")?></p>
<ul>
<li><a href='help.php?id=3'><?=_("Generating a new key pair and CSR for IIS 5.0")?></a></li>
<li><a href='help.php?id=4'><?=_("How do I generate a private key and CSR using OpenSSL?")?></a></li>
<li><a href='logos.php'><?=_("How do I get a secured by CAcert emblem on my site?")?></a></li>
<li><a href='help.php?id=6'><?=_("How do I get a server certificate from CAcert?")?></a></li>
<li><a href='help.php?id=7'><?=_("How does CAcert protect its root private key?")?></a></li>
<li><a href='help.php?id=9'><?=_("How can I do a single sign on similar to CAcert using client certificates?")?></a></li>
<li><a href='http://wiki.cacert.org/'><?=_("Unofficial FAQ/Wiki")?></a></li>
</ul>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/0">', '</a>');
?>
</p>
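Review bot: The new notice block opens PHP with the bare short tag `<?` on the line after the styled `<p>` and closes with `?>` before `</p>`; unlike `<?=`, which has been available regardless of configuration since PHP 5.4, the bare `<?` form only works when `short_open_tag` is enabled, and on a deployment where it is off the `printf(...)` source is emitted verbatim into the page instead of the notice. Writing the opener as `<?php` produces the same output and is independent of that ini setting. This is the only non-`<?=` PHP block left on the page once the old list is removed, so the dependency is easy to miss.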

@ -15,65 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<ul>
<li><a href="#whatFor"><?=_("What is it for?")?></a></li>
<li><a href="#whyEmails"><?=_("Why digitally sign your own emails?! (weirdo..)")?></a></li>
<li><a href="#freedom"><?=_("How it prepares us to protect our freedom")?></a></li>
<li><a href="#whyAdopt"><?=_("Why isn't it being adopted by everyone?")?></a></li>
<li><a href="#whyAccept"><?=_("Why is the digital signature described as 'not valid/not trusted'?")?></a></li>
<li><a href="#proof"><?=_("But, er, is this really proof of your email identity?")?></a></li>
<li><a href="#gimme"><?=_("How do I create my own digital signature?!")?></a><br></li>
<li><a href="#encrypt"><?=_("I can't wait to start sending encrypted emails!")?></a></li>
<li><a href="#notes"><?=_("Notes for the strangely curious")?></a></li>
<li><a href="#refs"><?=_("References")?></a></li>
</ul>
<br>
<h3><a name="whatFor"></a><?=_("What is it for?")?></h3>
<p><?=_("The purpose of digital signing is to prove, electronically, one's identity")?>. <?=_("You see this all the time on the Internet - every time you go to a secure page on a web site, for example to enter personal details, or to make a purchase, every day you browse web sites that have been digitally signed by a Certificate Authority that is accepted as having the authority to sign it. This is all invisible to the user, except that you may be aware that you are entering a secure zone (e.g. SSL and HTTPS).")?></p>
<p><?=_("Your browser includes special digital (root) certificates from a number of these 'Certificate Authorities' by default, and all web sites use certificates that are validated by one of these companies, which you as a user implicitly trust every time you go to the secure part of a web site. (You might ask, who validates the security of the Certificate Authorities, and why should you trust them?!")?>.... <a href="#notes"><?=_("Good question")?></a>.)</p>
<p><?=_("Digital signing thus provides security on the Internet.")?></p>
<h3><a name="whyEmails"></a><?=_("Why digitally sign your own emails?! (weirdo..)")?></h3>
<p><?=_("Emails are not secure. In fact emails are VERY not secure!")?></p>
<p><?=_("To get from computer Internet User A to Internet User B an email may pass through tens of anonymous computers on the Internet. These 'Internet infrastructure' computers are all free to inspect and change the contents of your email as they see fit. Governments systematically browse the contents of all emails going in/out/within their country, e.g. the")?> <a href="http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/"><?=_("UK Government has done this since the year 2000")?></a>. (<a href="#freedom"><?=_("How it prepares us to protect our freedom")?></a>). <?=_("Ever requested a password that you lost to be emailed to you? That password was wide open to inspection by potential crackers.")?></p>
<p><?=_("As anyone who has received an email containing a virus from a strange address knows, emails can be easily spoofed. The identity of the sender is very easy to forge via email. Thus a great advantage is that digital signing provides a means of ensuring that an email is really from the person you think it is. If everyone digitally signed their emails, it would be much easier to know whether an email is legitimate and unchanged and to the great relief of many, spamming would be much easier to control, and viruses that forge the sender's address would be obvious and therefore easier to control.")?></p>
<h3><a name="freedom"></a><?=_("How it prepares us to protect our freedom")?></h3>
<p><?=_("But perhaps, fundamentally, the most important reason for digital signing is awareness and privacy. It creates awareness of the (lack of) security of the Internet, and the tools that we can arm ourselves with to ensure our personal security. And in sensitising people to digital signatures, we become aware of the possibility of privacy and encryption.")?></p>
<p><?=_("Most people would object if they found that all their postal letters are being opened, read and possibly recorded by the Government before being passed on to the intended recipient, resealed as if nothing had happened. And yet this is what happens every day with your emails (in the UK). There are some who have objected to this intrusion of privacy, but their voices are small and fall on deaf ears. However the most effective way to combat this intrusion is to seal the envelope shut in a miniature bank vault, i.e. encrypt your email. If all emails were encrypted, it would be very hard for Government, or other organisations/individual crackers, to monitor the general public. They would only realistically have enough resources to monitor those they had reason to suspect. Why? Because encryption can be broken, but it takes a lot of computing power and there wouldn't be enough to monitor the whole population of any given country.")?></p>
<p><?=_("The reason digital signatures prepare us for encryption is that if everyone were setup to be able to generate their own digital signatures, it would be technically very easy to make the next step from digital signatures to encryption. And that would be great for privacy, the fight against spamming, and a safer Internet.")?></p>
<h3><a name="whyAdopt"></a><?=_("Why isn't it being adopted by everyone?")?></h3>
<p><?=_("Of the biggest reasons why most people haven't started doing this, apart from being slightly technical, the reason is financial. You need your own certificate to digitally sign your emails. And the Certificate Authorities charge money to provide you with your own certificate. Need I say more. Dosh = no thanks I'd rather walk home. But organisations are emerging to provide the common fool in the street with a free alternative. However, given the obvious lack of funding and the emphasis on money to get enrolled, these organisations do not yet have the money to get themselves established as trusted Certificate Authorities. Thus it is currently down to trust. The decision of the individual to trust an unknown Certificate Authority. However once you have put your trust in a Certificate Authority you can implicitly trust the digital signatures generated using their certificates. In other words, if you trust (and accept the certificate of) the Certificate Authority that I use, you can automatically trust my digital signature. Trust me!")?></p>
<h3><a name="whyAccept"></a><?=_("Why is the digital signature described as 'not valid/not trusted'?")?></h3>
<p><?=_("To fully understand, read the section directly above. I am using a free Certificate Authority to provide me with the ability to digitally sign my emails. As a result, this Certificate Authority is not (yet) recognised by your email software as it is a new organisation that is not yet fully established, although it is probably being included in the Mozilla browser. If you choose to, you can go the their site at CAcert.org to install the root certificate. You may be told that the certificate is untrusted - that is normal and I suggest that you continue installation regardless. Be aware that this implies your acceptance that you trust their secure distribution and storing of digital signatures, such as mine. (You already do this all the time). The CAcert.org root certificate will then automatically provide the safe validation of my digital signature, which I have entrusted to them. Or you can simply decide that you've wasted your time reading this and do nothing (humbug!). Shame on you! :-)")?></p>
<h3><a name="proof"></a><?=_("But, er, is this really proof of your email identity?")?></h3>
<p><?=_("Security is a serious matter. For a digital certificate with full rights to be issued to an individual by a Certificate Authority, stringent tests must be conducted, including meeting the physical person to verify their identity. At the current moment in time, my physical identity has not been verified by CAcert.org, but they have verified my email address. Installing their root certificate (see above) will thus automatically allow you to validate my digital signature. You can then be confident of the authenticity of my email address - only I have the ability to digitally sign my emails using my CAcert.org certificate, so if you get an email that I digitally signed and which is validated by your email software using the CAcert.org root certificate that you installed, you know it's from me. (Visually you get a simple indication that my email is signed and trusted). Technically, they haven't verified that I really am me! But you have the guarantee that emails from my address are sent by the person who physically administers that address, i.e. me! The only way that someone could forge my digital signature would be if they logged on to my home computer (using the password) and ran my email software (using the password) to send you a digitally signed email from my address. Although I have noticed the cats watching me logon...")?></p>
<h3><a name="gimme"></a><?=_("Cool man! How do I create my own digital signature?!")?></h3>
<p><?=_("Easy. Ish. Go to CAcert.org, install their root certificate and then follow their joining instructions. Once you have joined, request a certificate from the menu. You will receive an email with a link to the certificate. Click on the link from your email software, and hopefully it will be seamlessly installed. Next find the security section of the settings in your email software and configure digital signatures using the certificate you just downloaded. Hmm. Call me if you want, I'll guide you through it.")?></p>
<h3><a name="encrypt"></a><?=_("I can't wait to start sending encrypted emails!")?></h3>
<p><?=_("There's nothing to it. I mean literally, you can already start sending your emails encrypted. Assuming of course you have your own digital signature certificate (e.g. as per above), and the person you want to send an encrypted email to also has a digital signature certificate, and has recently sent you a digitally signed email with it. If all these conditions hold, you just have to change the settings in your email software to send the email encrypted and hey presto! Your email software (probably Outlook I guess) should suss out the rest.")?></p>
<h3><a name="notes"></a><?=_("Notes for the strangely curious")?></h3>
<p><?=_("You are putting your trust in people you don't know!")?><br><?=_("One assumes that if a site has an SSL certificate (that's what enables secure communication, for exchanging personal details, credit card numbers, etc. and gives the 'lock' icon in the browser) that they have obtained that certificate from a reliable source (a Certificate Authority), which has the appropriate stringent credentials for issuing something so vital to the security of the Internet, and the security of your communications. You have probably never even asked yourself the question of who decided to trust these Certificate Authorities, because your browser comes with their (root) certificates pre-installed, so any web site that you come across that has an SSL certificate signed by one of them, is automatically accepted (by your browser) as trustworthy.")?></p>
<p><?=_("Thus, having now asked the question, you suppose that it's the people who make the browser software that have carefully decided who is a trustworthy Certificate Authority. Funnily enough, the mainstream browsers have not, historically, had public policies on how they decide whether a Certificate Authority gets added to their browser. All of the Certificate Authorities that have found themselves in the browser software, are big names, probably with big profits (so they must be doing a good job!).")?></p>
<p><?=_("That situation has changed, and Internet Explorer, being the most obvious example, now insists that any Certificate Authorities are 'audited' by an 'independent' organisation, the American Institute for Certified Public Accountant's (AICPA). So now, if you have the money needed (from US$75000 up to US$250000 and beyond) you can get these accountants, who clearly know a lot about money, to approve you as having the required technical infrastructure and business processes to be a Certificate Authority. And they get a nice wad of money for the pleasure. And the Certificate Authorities, having a kind of monopoly as a result, charge a lot for certificates and also get a nice wad of money. And everyone's happy.")?></p>
<p><?=_("But, with all this money, and all this responsibility, they must be taking a lot of care to ensure the Certificate Authorities do their jobs well, and keep doing their jobs well, right? Well right?!")?></p>
<p><?=_("And they are making mistakes")?></p>
<p><?=_("So if you don't pass the audit, you don't get to be a Certificate Authority. And to pass the audit, well, you've got to show that you can do a good job issuing certificates. That they're secure, you only give them to the right people, etc. So what happens when you make a mistake and you erroneously issue a certificate that risks the entire Internet browsing population, like Verisign did? Well, er, nothing actually. They already paid for their audit, and damn it, they're so big now, we couldn't possibly revoke their Certificate Authority status. (There's too much money at stake!)")?></p>
<h3><?=_("So, dammit, what's the point of all this then?")?></h3>
<p><?=_("The point is, as the current situation holds, you should be wary of anyone making decisions for you (i.e. pre-installed certificates in your browser), and you should be weary of anyone else's certificates that you install. But at the end of the day, it all boils down to trust. If an independent Certificate Authority seems to be reputable to you, and you can find evidence to support this claim, there's no reason why you shouldn't trust it any less than you implicitly trust the people who have already made mistakes.")?></p>
<h3><a name="refs"></a><?=_("References")?></h3>
<p><a href="http://www.schneier.com/paper-pki.pdf"><?=_("Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure")?></a> - http://www.counterpane.com/pki-risks.pdf</p>
<p><a href="http://www.webtrust.org/certauth.htm"><?=_("WebTrust for Certification Authorities")?></a> - http://www.webtrust.org/certauth.htm</p>
<p><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp"><?=_("Erroneous Verisign Issued Digital Certificates Pose Spoofing Hazard")?></a> - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-017.asp</p>
<p><a href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp"><?=_("Microsoft Root Certificate Program")?></a> - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/rootcert.asp</p>
<p><a href="http://www.homeoffice.gov.uk/crimpol/crimreduc/regulation/index.html"><?=_("The Regulation of Investigational Powers Act (RIPA)</a> ('Snooping Bill' official gov site, UK)")?> - http://www.homeoffice.gov.uk/crimpol/crimreduc/regulation/index.html</p>
<p><a href="http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/"><?=_("U.K. e-mail snooping bill passed")?></a> (UK) - http://www.cnn.com/2000/TECH/computing/07/28/uk.surveillance.idg/</p>
<p><?=_("Disclaimer : These are the author's opinions, but they should not be considered 'truth' without personal verification. The author may have made mistakes and any mistakes will be willingly rectified by contacting the administrator of elucido.net, contact details available from the normal domain registration information services (e.g. whois.net).&nbsp; No recommendation to install a Certificate Authority's root certificate is either intended nor implied.")?></p>
<p><? printf(_("The page has been reproduced on %s with explicit permission from %sthe author%s with the information being copyrighted to the author (name with held by request)"), "<a href='http://www.CAcert.org'>CAcert.org</a>", "<a href='http://elucido.net/'>", "</a>")?></p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/2">', '</a>');
?>
</p>
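Review bot: The translated format string handed to `printf` in the new notice relies on its two `%s` placeholders appearing in order for the `<a href=...>` / `</a>` pair; a translation that drops, adds or swaps them either emits broken anchor markup or, on PHP 8, raises `ArgumentCountError` when the catalog contains more placeholders than arguments. Numbered placeholders, `%1$swiki%2$s`, let translators reorder safely and make a mismatch visible in the `.po` file. Note also that the msgid is built by concatenating two literals inside `_()`, so the catalog must carry the joined sentence for the lookup to hit; string-extraction tooling may not join them, which is worth confirming.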

@ -15,74 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<h3><?=_("Generating a Key Pair and Certificate Signing Request (CSR) for a Microsoft Internet Information Server (IIS) 5.0.")?></h3>
<p><?=_("To generate a public and private key pair and CSR for a Microsoft IIS 5 Server:")?></p>
<ol class="tutorial">
<li><b><?=_("Key generation process")?></b><br />
<?=_("Under 'Administrative Tools', open the 'Internet Services Manager'. Then open up the properties window for the website you wish to request the certificate for. Right-clicking on the particular website will open up its properties.")?><br />
<img src="iistutorial/image001.jpg" height="453" width="642" alt="<?=_("Screenshot of IIS 5.0")?>" /><br />
<img src="iistutorial/image002.jpg" height="453" width="463" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Open Directory Security folder")?></b><br />
<?=_("In the 'Directory Security' folder click on the 'Server Certificate' button in the 'Secure communications' section. If you have not used this option before the 'Edit' button will not be active.")?><br />
<img src="iistutorial/image003.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Select 'Create a new certificate'")?></b><br />
<?=_("Now 'Create a new certificate'.")?><br />
<img src="iistutorial/image004.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Prepare the request")?></b><br />
<?=_("You'll prepare the request now, but you can only submit the request via the online request forms. We do not accept CSRs via email.")?><br />
<img src="iistutorial/image005.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Enter a certificate name and select Certificate strength")?></b><br />
<?=_("Select 'Bit length'. We advise a key length of 1024 bits.")?><br />
<img src="iistutorial/image006.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /><br />
<br />
<?=_("You have now created a public/private key pair. The private key is stored locally on your machine. The public portion is sent to CAcert in the form of a CSR.")?><br />
<br />
<?=_("You will now create a CSR. This information will be displayed on your certificate, and identifies the owner of the key to users. The CSR is only used to request the certificate. The following characters must be excluded from your CSR fields, or your certificate may not work:")?> <p style="color: red;">! @ # $ % ^ * ( ) ~ ? &gt; &lt; &amp; / \</p>
</li>
<li><b><?=_("Enter your Organisation Information")?></b><br />
<?=_("Enter the Organisation name: this must be the full legal name of the Organisation that is applying for the certificate.")?><br />
<br />
<?=_("The Organisational Unit field is the 'free' field. It is often the department or Server name for reference.")?><br />
<img src="iistutorial/image007.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Enter your Common Name")?></b><br />
<?=_("The Common Name is the fully qualified host and Domain Name or website address that you will be securing. Both 'www.CAcert.org' and 'secure.CAcert.com' are valid Common Names. IP addresses are usually not used.")?><br />
<img src="iistutorial/image008.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Enter the geographical details")?></b><br />
<?=_("Your country, state and city.")?><br />
<img src="iistutorial/image009.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Choose a filename to save the request to")?></b><br />
<?=_("Select an easy to locate folder. You'll have to open this file up with Notepad. The CSR must be copied and pasted into our online form. Once the CSR has been submitted, you won't need this CSR any more as IIS won't reuse old CSR to generate new certificates.")?><br />
<img src="iistutorial/image010.gif" height="386" width="503" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Confirm your request details")?></b></li>
</ol>
<p><?=_("Finish up and exit IIS Certificate Wizard")?></p>
<h3><?=_("Certificate Installation process for IIS 5.0")?></h3>
<p><?=_("After your certificate has been emailed to you, follow this process to install the certificate.")?></p>
<ol class="tutorial">
<li><b><?=_("Saving the certificate")?></b><br />
<?=_("Copy the contents of the email including the")?>
<code>-----BEGIN CERTIFICATE-----</code> <?=_("and")?>
<code>-----END CERTIFICATE-----</code> <?=_("lines. Do not copy any extra line feeds or carriage returns at the beginning or end of the certificate. Save the certificate into a text editor like Notepad. Save the certificate with an extension of .cer and a meaningful name like certificate.cer")?><br /><br />
<img src="iistutorial/image011b.png" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Installation steps")?></b><br />
<?=_("Return to the 'Internet Information Services' screen in 'Administrative Tools' under 'Control Panel'. Right click on 'Default Web Site' and select 'Properties'.")?><br />
<img src="iistutorial/image001.jpg" height="453" width="642" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Select the Directory Security tab")?></b><br />
<?=_("Select 'Server Certificate' at the bottom of the tab in the 'Secure communications' section.")?><br />
<img src="iistutorial/image002.jpg" height="453" width="463" alt="<?=_("Screenshot of IIS 5.0")?>" /><br /></li>
<li><b><?=_("In the 'IIS Certificate Wizard' you should find a 'Pending Certificate Request'.")?></b><br />
<?=_("Ensure 'Process the pending request and install the certificate' is selected and click on 'Next'.")?><br />
<img src="iistutorial/image012.gif" height="388" width="506" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Browse to the location you saved the .cer file to in step 1")?></b><br />
<?=_("Select the .cer file and click 'Next'.")?><br />
<img src="iistutorial/image013.gif" height="388" width="505" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("Ensure that you are processing the correct certificate")?></b><br />
<?=_("...then click 'Next'.")?><br />
<img src="iistutorial/image014.jpg" height="390" width="506" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
<li><b><?=_("You will see a confirmation screen.")?></b><br />
<?=_("When you have read this information, click 'Finish'.")?><br />
<img src="iistutorial/image015.gif" height="390" width="507" alt="<?=_("Screenshot of IIS 5.0")?>" /></li>
</ol>
<p><b><?=_("And you're done!")?></b></p>
<p><?=_("For more information, refer to your server documentation or visit")?> <a href="http://support.microsoft.com/support/"><?=_("Microsoft Support Online")?></a>.</p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/3">', '</a>');
?>
</p>
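Review bot: The notice block added here is identical to the ones added to the other help pages in this commit apart from the wiki path `HELP/3`, and every copy hard-codes the wiki host, the inline style and the translatable sentence. A shared fragment — an include that reads the wiki path from a variable, or a small helper such as `function moved_to_wiki_notice($wikiPath)` that does the `printf` — would keep host, scheme and wording in one place, so a later change (forcing `https://`, say) is applied once rather than in six files. The removed tutorial text recommended 1024-bit RSA keys; presumably its wiki replacement is where that advice now lives, and it should be re-checked there rather than carried over.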

@ -15,31 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><?=_("Firstly you will need to run the following command, preferably in secured directory no one else can access, however protecting your private keys is beyond the scope of this document.")?></p>
<p># openssl req -nodes -new -keyout private.key -out server.csr</p>
<p><?=_("Then the system will try to generate some very random numbers to get a secure key.")?></p>
<p><?=_("Generating a 1024 bit RSA private key")?><br>
...++++++<br>
....++++++<br>
<?=_("writing new private key to 'private.key'")?></p>
<p><?=_("You will then be asked to enter information about your company into the certificate. Below is a valid example:")?></p>
<p><?=_("Country Name (2 letter code) [AU]:")?>AU<br>
<?=_("State or Province Name (full name) [NSW]:")?>NSW<br>
<?=_("Locality Name (eg, city) [Sydney]:")?>Sydney<br>
<?=_("Organization Name (eg, company) [XYZ Corp]:")?>CAcert Inc.<br>
<?=_("Organizational Unit Name (eg, section) [Server Administration]:.")?><br>
<?=_("Common Name (eg, YOUR name) []:")?>www.cacert.org<br>
<?=_("Email Address")?> []:no-returns@cacert.org</p>
<p><?=_("Finally you will be asked information about 'extra' attribute, you simply hit enter to both these questions.")?></p>
<p><?=_("Next step is that you submit the contents of server.csr to the CAcert website, it should look *EXACTLY* like the following example otherwise the server may reject your request because it appears to be invalid.")?></p>
<p>-----BEGIN CERTIFICATE REQUEST-----<br>
MIIBezCB5QIBADA8MRcwFQYDVQQDEw53d3cuY2FjZXJ0Lm9yZzEhMB8GCSqGSIb3<br>
DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB<br>
iQKBgQDQd1+ut4TJLWZf5A9r3D17Kob+CNwz/jfCOYrH0P6q1uw4jfSyrWUeSaVc<br>
59Xjpov8gRctlAuWM9KavkLSF6vcNdDEbvUYnL/+ixdmVE9tlXuSFEGz0GAF5faf<br>
QZe30wk+2hnC6P+rwclypOhkTXtWgvSHPZg9Cos8xqDyv589QwIDAQABoAAwDQYJ<br>
KoZIhvcNAQEEBQADgYEAJruzBZr4inqaeidn1m2q47lXZUWjgsrp3k3bFJ/HCb3S<br>
2SgVqHFrOisItrr7H0Dw2EcPhIrRokRdjIAwwlxG9v21eFaksZUiaP5Yrmf89Njk<br>
HV+MZXxbC71NIKrnZsDhHibZslICh/XjdPP7zfKMlHuaaz1oVAmu9BlsS6ZXkVA=<br>
-----END CERTIFICATE REQUEST----- </p>
<p><?=_("Once you've submitted it the system will process your request and send an email back to you containing your server certificate.")?></p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/4">', '</a>');
?>
</p>

@ -15,4 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<?=_("To be completed")?>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/5">', '</a>');
?>
</p>

@ -15,14 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><?=_("Firstly you need to join CAcert to do that go:")?> <a href='https://www.cacert.org/index.php?id=1'><?=("here")?></a></p>
<p><?=_("Then you need to generate a Certificate Signing Request, for more details go:")?> <a href=http://www.cacert.org/help.php><?=_("here")?></a></p>
<p><?=_("You then need to add the domain you have control of to your account, which you can do:")?> <a href='https://www.cacert.org/account.php?id=7'><?=_("here")?></a></p>
<p><?=_("System will send you an email with a link in it, you just open the link in a webbrowser.")?></p>
<p><?=_("Then you need to submit the contents from the CSR file to CAcert, you need to go:")?> <a href='https://www.cacert.org/account.php?id=10'><?=_("here")?></a></p>
<p><?=_("CAcert then sends you an email with a signed copy of your certificate. Hopefully the rest should be pretty straight forward.")?></p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/6">', '</a>');
?>
</p>

@ -15,12 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><?=_("In light of a request on the bugzilla list for more information about how our root certificate is protected I've decided to do a write up here and see if there is anything more people suggest could be done, or a better way of handling things altogether.")?></p>
<p><?=_("Currently there is 2 main servers, one for webserver, one for root store, with the root store only connected to the webserver via serial cable, with a daemon running as non-root processes on each end of the serial listening/sending requests/info.")?></p>
<p><?=_("If the root store detects a bad request it assumes the webserver is compromised and shuts itself down.")?></p>
<p><?=_("If the root store doesn't receive a 'ping' reply over the serial link within a determined amount of time it assumes the webserver is compromised or the root store itself has been stolen and shuts itself down.")?></p>
<p><?=_("Apart from the boot stuff, all data resides on an encrypted partition on the root store server and only manual intervention in the boot up process by entering the password will start it again.")?></p>
<p><?=_("The requests sent to the root store, are stored in a file for another process triggered by cron to parse and sign them, then stored in a reply file to be sent back to the webserver. Causing things to be separated into different users, basic privilege separation stuff. So being actually able to hack the serial daemons will only at the VERY worst cause fraudulent certificates, not the root to be revealed.")?></p>
<p><?=_("Why use serial you ask? Well certificate requests are low bandwidth for starters, then of course simpler systems in security are less prone to exploits, and finally serial code is pretty mature and well tested and hopefully all exploits were found and fixed a long time ago.")?></p>
<p><?=_("With the proposed root certificate changes, there would be a new root, this would sign at least 1 sub-root, then the private key stored offline in a bank vault, with the sub-root doing all the signing, or alternatively 2 sub-roots, 1 for client certificates, one for server, the thinking behind this, if any of the sub-roots are compromised they can be revoked and reissued.")?></p>
<p><?=_("Alternatively as things progress we can add more layers of security with say 4 webservers talking to 2 intermediate servers, talking to the root store, and acting in a token ring fashion, anything happening out of sequence, and the server directly upstream shuts itself down, which if that were in place and there were multiple paths, any down time in this fashion would fall over to the servers not compromised, anyways just some food for thought.")?></p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/7">', '</a>');
?>
</p>

@ -15,6 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p><i><?=_("Question: I'm a software developer for linux and I want to use CAcert/openssl to distribute my packages with detached signatures, is this possible and why would I do this over PGP/GPG detached signatures?")?></i></p>
<p><?=_("I'll anwser the why part first, as that's reasonably easy. The short answer is it takes most of the key handling responsibilty away from you and/or your group. If you need to revoke your key for any reason (such as a developer leaving the project) it won't effect your ability to revoke the existing key or keys, and issue new ones.")?></p>
<p style="background-color: #FF8080; font-size: 150%">
<?
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/8">', '</a>');
?>
</p>

@ -15,53 +15,10 @@
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/ ?>
<p style="background-color: #FF8080; font-size: 150%">
<?
function dotab($num)
{
$string="";
for($i = 0; $i < $num; $i++)
{
for($j = 0; $j < 8; $j++)
$string .= "&nbsp;";
}
return($string);
}
printf(_("This page has been moved to the %swiki%s. Please update your ".
"bookmarks and report any broken links."),
'<a href="//wiki.cacert.org/HELP/9">', '</a>');
?>
<h3><?=_("How can I do a single sign on similar to CAcert using client certificates?")?></h3>
<p><?=_("Firstly you need mod-ssl and apache setup (this is beyond the scope of this FAQ item and you will need to search on google etc for LAMP setup information). I recommend mod-ssl over apache-ssl because it means you need less resources to achieve the same result.")?></p>
<p><?=_("Once you have everything setup and working you will need to add lines similar to below to your apache.conf")?></p>
<p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;"><br>
&lt;VirtualHost 127.0.0.1:443&gt;<br>
SSLEngine on<br>
SSLVerifyClient require<br>
SSLVerifyDepth 2<br>
SSLCACertificateFile /etc/ssl/cacert.crt<br>
SSLCertificateFile /etc/ssl/certs/cacert.crt<br>
SSLCertificateKeyFile /etc/ssl/private/cacert.pem<br>
SSLOptions +StdEnvVars<br>
<br>
ServerName secure.cacert.org<br>
DocumentRoot /www<br>
&lt;/VirtualHost&gt;<br><br>
</p>
<p><?=_("Please note, you will need to alter the paths, hostname and IP of the above example, which is just that an example! The SSLCACertificateFile directive is supposed to point to a file with the root certificate you wish to verify your client certificates against, for the CAcert website we obviously only accept certificates issued by our own website and use our root certificate to initially verify this.")?></p>
<p><?=_("Once you have everything working and you've tested sending a client certificate to your site and you're happy all is well you can start adding code to PHP (or any other language you like that can pull server environment information). At present I only have PHP code available and the example is in PHP")?></p>
<p style="border:dotted 1px #900;padding:0.3em;background-color:#ffe;"><br>
<?=dotab(1)?>if($_SERVER['HTTP_HOST'] == "secure.cacert.org")<br>
<?=dotab(1)?>{<br>
<?=dotab(2)?>$query = "select * from `users` where `email`='$_SERVER[SSL_CLIENT_S_DN_Email]'";<br>
<?=dotab(2)?>$res = mysql_query($query);<br>
<?=dotab(2)?>if(mysql_num_rows($res) > 0)<br>
<?=dotab(2)?>{<br>
<?=dotab(3)?>$_SESSION['profile']['loggedin'] = 1;<br>
<?=dotab(3)?>header("location: https://secure.cacert.org/account.php");<br>
<?=dotab(3)?>exit;<br>
<?=dotab(2)?>}<br>
<?=dotab(1)?>}<br><br>
</p>

@ -23,7 +23,7 @@ if(!array_key_exists('secrethash',$_SESSION['_config'])) $_SESSION['_config']['s
<p><b><?=_("PLEASE NOTE: Due to the large amounts of support questions, incorrectly directed emails may be over looked, this is a volunteer effort and directing general questions to the right place will help everyone, including yourself as you will get a reply quicker.")?></b></p>
<p><b><?=_("If you are contacting us about advertising, please use the form at the bottom of the website, the first contact form is not the correct place.")?></b></p>
<p><?=sprintf(_("If you are having trouble with your username or password, please visit our %swiki page%s for more information"), "<a href='http://wiki.cacert.org/wiki/FAQ/LostPasswordOrAccount' target='_new'>", "</a>");?></p>
<p><?=_("Before contacting us, be sure to read the information on our official and unofficial HowTo and FAQ pages.")?> - <a href="http://www.CAcert.org/help.php"><?=_("Go here for more details.")?></a></p>
<p><?=_("Before contacting us, be sure to read the information on our official and unofficial HowTo and FAQ pages.")?> - <a href="//wiki.cacert.org/HELP/"><?=_("Go here for more details.")?></a></p>
<p><?=_("General questions about CAcert should be sent to the general support list, please send all emails in ENGLISH only, this list has many more volunteers then those directly involved with the running of the website, everyone on the mailing list understands english, even if this isn't their native language this will increase your chance at a competent reply. While it's best if you sign up to the mailing list to get replied to, you don't have to, but please make sure you note this in your email, otherwise it might seem like you didn't get a reply to your question.")?></p>
<p><a href="https://lists.cacert.org/wws/info/cacert-support"><?=_("Click here to go to the Support List")?></a></p>
<p><?=_("You can alternatively use the form below, however joining the list is the prefered option to support your queries")?></p>
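Review bot: L349 moves the help link to a protocol-relative URL while the lost-password link on L347, in the same paragraph, still hardcodes `http://wiki.cacert.org/...`, so the two links end up with different schemes depending on how the page was reached. An explicit `<a href="https://wiki.cacert.org/HELP/">` on L349 keeps the wiki link encrypted regardless of the page's own scheme and gives L347 a form to match. L347 is unchanged context here, so aligning it would be a separate change.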
