CAcert.org

Werner Dworak, Dirk Astrath

CAcert is a community-run, non-commercial certification authority (CA) operated by CAcert Incorporated, a non-profit organization registered in Australia. CAcert issues X.509 certificates for various purposes free of charge to anyone and is intended, to some extent, as an alternative to commercial CAs that charge substantial fees for their certificates.


Organization

The organization behind CAcert is CAcert Incorporated, a non-profit organization registered in the Australian state of New South Wales under the number INC9880170 and organized in the form of an association. Accordingly, it has a Board of Directors consisting of seven persons. Membership in the association, however, can only be obtained when two existing members support the candidate and the Board agrees.

The CAcert certification authority operates on multiple servers; since August 2013 their operation has been entrusted to the charitable organization secure-u e.V. Certificate creation is handled through the protected members' area of the CAcert website.

The processes and conditions for the use of CAcert are governed by a set of guidelines (policies), of which the CAcert Community Agreement is the most important, since every user must accept it and sign it when having their identity confirmed. Other policies govern, among other things, the procedure for confirming personal or organizational data.

Web of Trust

Membership in the association is not required for the issuance of certificates. Instead, the users of CAcert certificates are organized in a trust network (Web of Trust). Each user must have an account with full name, date of birth and e-mail address. In addition to an access password, the user must also define five security questions whose correct answers only they know. If the password is lost, these questions must be answered correctly in order to regain access to the account.

Each account is assigned a score. The number of points ranges from 0 initially to a maximum of 150 and represents the trustworthiness of the personal data contained in the certificates. Points are gained when members of the Web of Trust meet in person and verify each other's identity; they confirm this to CAcert and thereby obtain a certain number of points.

As of December 1, 2013, the number of verified CAcert members was approximately 261,000 users, holding almost 76,000 valid certificates.

Arbitration body

CAcert also has an arbitration body (Arbitration), which operates on the basis of private arbitration law, acts on request in cases of violation of the terms of use or misuse of certificates, and may impose fines of up to 1,000 euros. The arbitration body is intended to spare CAcert users costly lawsuits in the event of impending civil disputes. Modification or correction of identity data is also handled through the arbitration process. The procedure of arbitration proceedings is governed by a separate policy.

Certificates

Immediately after registering a user account, any number of certificates can be issued. These contain only the e-mail address, checked by an automated test e-mail, and the name field (Common Name) "CAcert WoT User". After receiving at least 50 points, personalized certificates bearing the registered name can also be issued.

In addition to issuing certificates, the CA can also sign PGP or OpenPGP keys.

Client certificates

In addition to the primary e-mail address of the account, further e-mail addresses can be registered. Certificates can be issued for each e-mail address or for several in combination. They are used, for example, to encrypt and sign e-mails and other data, and can be used for password-less authentication to servers; the CAcert website itself supports login with a certificate.

From a score of 100, certificates that can be used to sign software (code signing) can also be issued on request.

Server Certificates

Server certificates confirm that a server belongs to a person or company and serve as the basis for secure SSL/TLS connections. There are several services for which server certificates are used, including HTTPS, SFTP, SMTPS, POP3S and IMAPS. CAcert also offers such certificates, but initially they contain only the domain name and no information about the person or organization, so encryption is possible but there is no identity confirmation. With Organisation Assurance, however, organizations can also have their identity assessed by specially trained CAcert members; the organizational data can then be recorded in server certificates.

Identity verification

With commercial certificate issuers, identity verification is usually carried out centrally by the issuer itself. CAcert delegates this task (Assurance) to the Web of Trust: an experienced user who has at least 100 points and has passed an online assurer test (the assurer) checks the identity of another user (the assuree) in a personal meeting against officially issued photo ID (e.g. identity card, passport, driving licence) and, if successful, may award up to 35 points, which are credited to the assuree via the CAcert website. The confirmation is documented in writing on an identity verification form (also called a "CAP form") signed by both assurer and assuree; the assurer keeps this form for at least seven years. To reach a level of 50 points, at least two confirmations by different assurers are required (four-eyes principle).

As an alternative there is the "Trusted Third Party" program (TTP), through which verification by a trusted third party (notaries, banks, etc.) is possible. This program is meant to enable assurance in regions where the density of assurers is still low; at present, however, only a maximum of 70 points can be reached this way. In September 2013 this option existed for the U.S., Puerto Rico and Australia; for Brazil, Norway, the United Kingdom, New Zealand, India and South Africa, the TTP program was in preparation. Verification by third parties is no longer offered in Germany, Austria, Switzerland and the Netherlands, since enough assurers are present there.

At a level of 100 points, a member can obtain no further points from other assurers. However, two points are awarded for each assurance the member performs. After confirming 25 people, the maximum score of 150 points is reached; additional assurances no longer increase the score but are still counted and registered, and a faulty assurance can in principle be annulled by an arbitration decision.

The score of an account determines the status of the member or assurer and influences the certificate properties as follows:

Exception: assurers who are minors can award a maximum of 10 points regardless of their score.

On December 1, 2013, 5,700 members were verified assurers, and about 10,300 people had the status of a potential assurer.

Trustworthiness

Commercial vendors do not issue certificates free of charge that include the user's name. CAcert does allow this; however, unlike commercial CAs, CAcert is not listed as a trusted CA in the certificate databases of many e-mail clients and web browsers. A user connecting to a server that uses a CAcert certificate will therefore receive a message that the origin of the certificate could not be verified. Likewise, the e-mail signature made with a client certificate cannot be checked. However, the user can import the CAcert root certificates manually and thus classify them as trustworthy, after which all certificates issued by CAcert are accepted without a warning.
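As an added example (not from the article and not CAcert's own tooling), the following script reproduces the situation just described with a locally generated stand-in root and server certificate: verification against the system trust store alone fails, and succeeds once that root is explicitly trusted. It assumes openssl is installed; the certificate names and the temporary directory are constructed for the demo.

```shell
# Added example: a CA root that is absent from the client's trust store makes
# every certificate it issued fail verification; trusting the root changes that.
# The root and server certificate below are throwaway stand-ins generated locally.
set -e
WORK=$(mktemp -d)

make_demo_chain() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    # Self-signed root, standing in for the CAcert root certificate
    openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -days 365 -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    # Server key and request, then a leaf certificate signed by the demo root
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 90 -sha256 -in "$WORK/server.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/server.pem" >/dev/null 2>&1
}

# Prints "trusted" or "untrusted" for the demo server certificate. With no
# argument only the system trust store is consulted (the default situation for
# a CAcert certificate); with a file argument that root is trusted as well.
verify_server_cert() {
    ca_opt=""
    [ -n "$1" ] && ca_opt="-CAfile $1"
    if openssl verify $ca_opt "$WORK/server.pem" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_demo_chain
echo "system store only:  $(verify_server_cert)"                    # untrusted
echo "with root imported: $(verify_server_cert "$WORK/root.pem")"   # trusted
```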

Efforts by CAcert to have its root certificate integrated as a trusted issuer in the free software of the Mozilla family (Firefox, Thunderbird) have so far been unsuccessful. The Mozilla Foundation has publicly discussed the criteria for admitting new root certificates and tightened them as a result, though old certificates were retained for practical reasons. An audit is required in which the organization, processes and technology are reviewed; CAcert itself has had an influence on the development of these criteria.

Due to restructuring in CAcert's leadership, the organization withdrew its application for inclusion in the root store of Mozilla products for the time being at the end of April 2007, after 3 1/2 years of discussion with the Mozilla Foundation. Since then, work has been under way on the audit required for inclusion and on other quality assurance measures.

A number of other software products and open-source distributions, however, have integrated the CAcert root certificate.
