View Issue Details

IDProjectCategoryView StatusLast Update
0001028Main CAcert Websitewebsite contentpublic2013-01-15 18:14
Reportermupan Assigned To 
Status closedResolutionwon't fix 
PlatformMain CAcert WebsiteOSN/A 
Fixed in Version2012 Q2 
Summary0001028: Improvement: Webformmailer: 1. Find recipients, 2. encrypt mails, 3. copy-to-self (-> ldap server)
Description1. I would appreciate to be able to contact every CACert login via the webformmailer. Easiest would be to add another entry to search the database not only for assurers, but for every user. To keep things simple, this could be in the place of the assurer search, just indicating the assurer status in an extra column.

It would further increase the value of the webformmailer much if it

2. encrypted any mails and

3. sent a copy-to-self to the sender's account, encrypted.

I can e.g. want to send an e-mail to an assuree, I know her / his e-mail address, but don't have her / his certificate stored in my certificate store (yet or maybe never). Ask for a signed mail and / or a fingerprint or whatever seems a bit of a hassle, but the webformmailer can be used immediately and will not reveal the key that the addressee maybe does not want to exchange with me.

If encryption turns out to be too much effort or a security issue (webformmailer would be given the right to query cacert's certificate store), I would appreciate to have a kind of private messages box in and could read online my incoming and outgoing mail, and would rather receive plain text notification mails to my e-mail account.

4. Query database for fingerprint / public key of every login
   (from bug 0001029)
Additional Informationthis feature request relates to a ldap / portal server solution
(outsourced from critical system)
PP 7 prevents a critical system implementation.
I recommend to open a discussion on the developers mailing list.
TagsNo tags attached.
Reviewed by
Test Instructions


has duplicate 0001029 closedUli60 Improvement: Query database for fingerprint / public key of every login 



2012-03-25 21:56

updater   ~0002894

Last edited: 2012-03-25 22:04

View 3 revisions top 7 prevents this to be included on the main website

7. Privacy of certificates

CAcert does not automatically publish the certificates through a directory service or the website to other people than the user who requested the certificate. In the future, the user might be able to opt-in for publication of the certificates through a directory server by CAcert.

A soltion can be a community run server, outsourced from critical system.
read also the recommendations to outsource the "find an assurer" database
ruled under

A 2nd option is to call for a policy change in policy group (but its more likely that this will not happen / voted through)


2012-03-25 22:09

reporter   ~0002896

Hi Uli60,

1. No conflict with PP 7.

2. The automatic encryption by the server mailing process would not reveal the certificate to the sender, just use it invisibly. So I don't see a conflict with PP 7 here so far either. But maybe the server process "webformmailer" is not allowed to see / query certificates, and to open holes in their separation is a security issue. This I would understand.

3. No conflict with PP 7, since a copy-to-self should only be encrypted if the mail to the communication partner is. I should have made an extra issue entry of this.

Hi Marek,

I think issues 1028 and 1029 don't depend.


2012-03-25 22:14

reporter   ~0002898

In this situation (yes, read problem carefully) certificate is not going to leave website, mail is sent and encrypted trough a website.

It could be solved by adding form familiar with assurer contact box.


2012-04-01 11:29

updater   ~0002919

"find an assurer" on main CAcert website is counting down.

Starting the BirdShack design, the "Find-an-Assurer" and related
infos/databases concept is outsourced. ruling goes the same way:
replace the location database and the recommendation to outsource these functionality to a community driven system.
A portal server is currently under development/deployment.

This concept is decoupled from the critical system in a way, that every member / assurer can add related information to an infrastructure system or not.
Its in the users decision.

"to search the database not only for assurers, but for every user." is prevented by policies. This phrase needs to be rewritten to:
"to search the (outsourced) database not only for assurers, but for every user who gaves his permission to do so"
So its in each users own decision if he wants to use this service and to support this service, by adding his public key to a central repository

CPS defines what information are known and which informations are given away with a signed key. This is the name and the email address.

Storing all public certs in a central repository allows spammers to spider
the central repository for email addresses (thats why I do not use GPG/PGP
as all keys and email addresses are visible on the centralized keyservers)

So this is why CAcert publishes no public keys on a central repository.
And probably this is also the main reason why the ldap project didn't make a success. The ldap server has been shut down in recent non-critical infrastructure maintenance tasks.

Automaticly publishing of public keys problem can only be circumvented if each user has to actively store his public key on a central repository. As this is an active process by each user, the permission for publishing these informations is given explicite


2012-04-02 18:34

reporter   ~0002920 does not answer my proposal, but discusses a different idea. Anyway ...


2012-04-02 18:37

reporter   ~0002921

Closed, not understood.

Issue History

Date Modified Username Field Change
2012-03-25 20:27 mupan New Issue
2012-03-25 20:53 MarekMazur Relationship added child of 0001029
2012-03-25 21:56 Uli60 Note Added: 0002894
2012-03-25 21:57 Uli60 Severity minor => feature
2012-03-25 22:00 Uli60 Note Edited: 0002894 View Revisions
2012-03-25 22:04 Uli60 Note Edited: 0002894 View Revisions
2012-03-25 22:09 Uli60 Relationship deleted child of 0001029
2012-03-25 22:09 mupan Note Added: 0002896
2012-03-25 22:11 Uli60 Relationship added has duplicate 0001029
2012-03-25 22:14 MarekMazur Note Added: 0002898
2012-03-25 22:15 Uli60 Summary Improvement: Webformmailer: 1. Find recipients, 2. encrypt mails, 3. copy-to-self => Improvement: Webformmailer: 1. Find recipients, 2. encrypt mails, 3. copy-to-self (-> ldap server)
2012-03-25 22:15 Uli60 Additional Information Updated View Revisions
2012-04-01 11:01 Uli60 Description Updated View Revisions
2012-04-01 11:01 Uli60 Additional Information Updated View Revisions
2012-04-01 11:29 Uli60 Note Added: 0002919
2012-04-02 18:34 mupan Note Added: 0002920
2012-04-02 18:37 mupan Note Added: 0002921
2012-04-02 18:37 mupan Status new => closed
2012-04-02 18:37 mupan Resolution open => won't fix
2013-01-15 18:14 Werner Dworak Fixed in Version => 2012 Q2