CAcert

from Wikipedia, the free encyclopedia
CAcert Incorporated
Legal form: association
Founded: July 24, 2003
Founder: Duane Groth
Headquarters: Murwillumbah, Australia (coordinates: 28° 19′ 50.6″ S, 153° 24′ 51.1″ E)
Focus: community-operated certification authority
Area of activity: worldwide
Key people: Dirk Astrath
Volunteers: 5600
Website: www.cacert.org

CAcert is a community-driven, non-commercial certification authority (CA) operated by CAcert Incorporated, a non-profit organization registered in Australia. CAcert issues X.509 certificates for various purposes free of charge to anyone, and is intended as an alternative to the commercial CAs that charge high fees for their certificates.

Organization

CAcert is run by CAcert Incorporated, a non-commercial organization registered in the Australian state of New South Wales under number INC9880170 and organized as an association. Accordingly, it has a board of directors consisting of seven people. Membership in the association can only be obtained if two members support the candidate and the board of directors agrees.

The CAcert certification authority runs on several servers, whose operation has been transferred to the non-profit association secure-u e. V. Certificates are created via the CAcert website in the protected member area.

The processes and conditions for using CAcert are regulated by a series of guidelines (policies), of which the CAcert Community Agreement is the most important, as every user must accept this agreement and sign it when their identity is confirmed. Further guidelines regulate, among other things, the procedure for confirming personal or organizational data.

Trust network

Membership in the association is not required to obtain certificates. Instead, the users of CAcert certificates are organized in a trust network (Web of Trust). Each user maintains a user account with their full name, date of birth and e-mail address. In addition to an access password, users must also define five security questions whose correct answers only they know. If the password is lost, these questions must be answered correctly in order to regain access to the user account.

A point balance is assigned to each account. The number of points ranges from 0 to a maximum of 150 and represents the trustworthiness of the personal data contained in the certificates. Points are gained by meeting members of the Web of Trust in person and having them check one's identity and confirm this to CAcert, which yields a certain number of points.

The number of audited CAcert members on September 10, 2014 was around 287,000 users with just under 78,500 valid certificates.

Arbitration Board

CAcert also has an arbitration body (arbitration), which works on the basis of private-law arbitration rules and, on request, acts on violations of the terms of use or misuse of certificates; it may impose fines of up to 1,000 euros. The arbitration board aims to protect CAcert users from costly legal proceedings in the event of impending civil-law disputes. Changes or corrections to identity data are also processed via the arbitration process. The arbitration procedure itself is regulated by a separate policy.

Certificates

Any number of certificates can be issued immediately after registering the user account. These contain only the e-mail address, which is checked by an automatic test e-mail; “CAcert WoT User” is entered as the name (common name). After receiving at least 50 points, personalized certificates with the registered name can also be issued.

In addition to issuing certificates, PGP or OpenPGP keys can also be signed by the CA.

Client certificates

In addition to the primary e-mail address of the user account, other e-mail addresses can be entered. Certificates can be issued for each e-mail address or for several in combination. They are used, for example, to encrypt and sign e-mails and other data, and can be used for passwordless authentication on servers; the CAcert website itself supports this login with a certificate.

With a score of 100 or more, certificates that can be used to sign software (code signing) can be issued on request.

Server certificates

Server certificates are intended to confirm that a server belongs to a person or company and serve as the basis for encrypted SSL/TLS connections. Various services use server certificates, including HTTPS, SFTP, SMTPS, POP3S and IMAPS. CAcert also offers such certificates, but they initially contain only the domain name and no information about the person or organization, which means that encryption is possible but the identity is not confirmed. With Organization Assurance, organizations also have the possibility of having their identity checked by specially trained CAcert members. The organizational data can then be included in server certificates.

Identity verification

Commercial certificate issuers usually verify identity centrally at the issuer. CAcert delegates this task (assurance) to the trust network: an experienced user who has reached at least 100 points and passed an online “Assurer test” checks the identity of another user (Assuree) at a personal meeting using officially issued photo IDs (e.g. ID card, passport, driver's license) and, if successful, may award up to 35 points, which are assigned to the Assuree via the CAcert website. The confirmation process is documented in writing and signed by the Assurer and Assuree; this “identity verification form” (also called “CAP form”) is then kept by the Assurer for at least seven years. In order to achieve a score of 50 points, at least two confirmations from different assurers are required (multiple-eyes principle).

As an alternative, there is the “Trusted Third Party Program” (TTP), through which a check can be carried out by trusted third parties (notaries, banks, etc.). This program is intended to enable assurance in regions in which the density of assurers is still low, but at the moment only a maximum of 70 points can be achieved this way. In September 2013 this option was available for the USA, Puerto Rico, the Virgin Islands and Australia; the TTP is in preparation for Brazil, Norway, the United Kingdom, New Zealand, India and South Africa. Verification by third parties is no longer offered in Germany, Austria, Switzerland and the Netherlands, as there are enough assurers across the board.

At a score of 100 points, a member cannot receive any further points from other assurers. However, 2 points are credited for each assurance the member performs. After assuring 25 people, the maximum of 150 points is reached; additional assurances do not increase the number of points, but are still counted and registered, since a faulty assurance can in principle be declared null and void by an arbitration decision.

The score of an account determines the status of the member or assurer and influences the certificate properties as follows:

Points  | Status             | Requirement                                  | Meaning
000-049 | Unconfirmed member | Verification of the e-mail address or domain | Anonymous client and server certificates (valid for 6 months) can be issued.
050-099 | Confirmed member   |                                              | The member's name is included in the certificate, client and server certificates are valid for 24 months, and PGP keys can be signed.
100     | Potential assurer  |                                              | Maximum number of points that can be obtained from other assurers.
100-109 | Assurer            | Passed assurer test                          | Third parties can be assured; 2 points are credited for each assurance. Code-signing certificates (valid for 12 months) can be created after manual application. Can become an organization admin. 10 points can be awarded.
110-119 |                    | 5 members assured                            | 15 points can be awarded.
120-129 |                    | 10 members assured                           | 20 points can be awarded.
130-139 |                    | 15 members assured                           | 25 points can be awarded.
140-149 |                    | 20 members assured                           | 30 points can be awarded.
150     |                    | 25 members assured                           | Maximum number of points reached. 35 points can be awarded. Can become an organization assurer.

Exception: Underage assurers can award a maximum of 10 points regardless of their score.
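As an added illustration of the point rules described in the text and the table above (this is not CAcert's software; the class and function names are this example's own, and it assumes that an assurer can assure a given member only once):

```python
"""Model of CAcert's Web-of-Trust point accounting (added illustration).

The rules come from the article's text and table; names are this example's
own, not CAcert's. Assumed simplification: an assurer assures a member once.
"""
from dataclasses import dataclass, field

MAX_FROM_OTHERS = 100      # at 100 points no further points from other assurers
MAX_TOTAL = 150            # ceiling, reached after 25 assurances of one's own
POINTS_PER_ASSURANCE = 2   # credited to the assurer for each assurance performed
MINOR_MAX_AWARD = 10       # underage assurers may award at most 10 points


@dataclass
class Member:
    name: str
    points: int = 0
    assurer_test_passed: bool = False
    minor: bool = False
    assured_by: set = field(default_factory=set)   # names of distinct assurers


def status(m: Member) -> str:
    """Status column of the article's table."""
    if m.points < 50:
        return "Unconfirmed member"
    if m.points < 100:
        return "Confirmed member"
    if not m.assurer_test_passed:
        return "Potential assurer"
    return "Assurer"


def max_award(assurer: Member) -> int:
    """Points this member may award in one assurance (0 if not an assurer)."""
    if assurer.points < 100 or not assurer.assurer_test_passed:
        return 0
    # 10 points at 100-109, 5 more for every further 10 points, 35 at 150
    limit = min(35, 10 + 5 * ((assurer.points - 100) // 10))
    return min(limit, MINOR_MAX_AWARD) if assurer.minor else limit


def assure(assurer: Member, assuree: Member, points: int) -> int:
    """Record an in-person assurance; returns the points the assuree gained."""
    if assurer is assuree:
        raise ValueError("self-assurance is not allowed")
    if assurer.name in assuree.assured_by:
        raise ValueError("assurer already assured this member")  # assumption
    cap = max_award(assurer)
    if points < 0 or points > cap:
        raise ValueError(f"{assurer.name} may award at most {cap} points")
    # the assuree cannot be pushed past 100 by other assurers
    gained = max(0, min(points, MAX_FROM_OTHERS - assuree.points))
    assuree.points += gained
    assuree.assured_by.add(assurer.name)
    # the assurer is credited 2 points per assurance, capped at 150
    assurer.points = min(MAX_TOTAL, assurer.points + POINTS_PER_ASSURANCE)
    return gained


def can_issue_named_certs(m: Member) -> bool:
    """A name in the certificate needs 50 points from at least two assurers."""
    return m.points >= 50 and len(m.assured_by) >= 2


if __name__ == "__main__":
    alice = Member("alice", points=150, assurer_test_passed=True)
    bob = Member("bob", points=100, assurer_test_passed=True)
    carol = Member("carol")
    assure(alice, carol, 35)
    assure(bob, carol, 10)
    print(carol.points, status(carol), can_issue_named_certs(carol))
```

Because a single assurance is capped at 35 points, no one assurer can lift a member to the 50 points needed for a name in the certificate; the two-assurer requirement falls out of the caps as well as being stated explicitly.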

As of December 1, 2013, 5,700 members were certified assurers, and around 10,300 people had the status of potential assurer.

Trustworthiness

Screenshots: Microsoft Internet Explorer strongly advises against entering a site with a CAcert certificate; Mozilla Firefox shows an error message if the CAcert root certificates have not been imported.

Commercial providers do not issue certificates free of charge if the user's name is to be included in the certificate. CAcert does, but unlike commercial CAs, CAcert is not listed as a trusted certification authority in the certificate store of many e-mail clients and web browsers. A user who connects to a server with a CAcert certificate therefore receives a message that the origin of the certificate could not be verified. Likewise, an e-mail signature made with a CAcert client certificate cannot be verified. However, the user can manually import CAcert's root certificates and thereby classify them as trustworthy, after which all valid certificates issued by CAcert are accepted without a warning.
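The following added example (not CAcert's own material; all names are made up, and it assumes the openssl command-line tool is installed) reproduces the situation just described with a throw-away private root: a leaf certificate signed by that root fails validation against the system trust store alone and passes once the root is supplied as a trust anchor, which is exactly what importing a CA's root certificate does in a browser or mail client.

```python
"""Added illustration: a certificate from a CA that is absent from the local
trust store is rejected until its root is imported. Builds a private root and
a leaf it signs with the openssl CLI (assumed installed); names are made up."""
from __future__ import annotations

import subprocess
import tempfile
from pathlib import Path


def openssl_ok(*args: str) -> bool:
    """Run one openssl subcommand quietly; True if it exited with status 0."""
    return subprocess.run(["openssl", *args], capture_output=True).returncode == 0


def build_chain(work: Path) -> tuple[Path, Path]:
    """Create a self-signed root and a leaf it signs; returns (root, leaf)."""
    root, root_key = work / "root.pem", work / "root.key"
    leaf, leaf_key, csr = work / "leaf.pem", work / "leaf.key", work / "leaf.csr"
    steps = [
        # 1. self-signed root (stands in for a community CA's root certificate)
        ("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "2",
         "-subj", "/CN=Example Community Root",
         "-keyout", str(root_key), "-out", str(root)),
        # 2. leaf key and signing request for a made-up server name
        ("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-subj", "/CN=www.example.test",
         "-keyout", str(leaf_key), "-out", str(csr)),
        # 3. the root signs the leaf
        ("x509", "-req", "-sha256", "-days", "1", "-in", str(csr),
         "-CA", str(root), "-CAkey", str(root_key), "-CAcreateserial",
         "-out", str(leaf)),
    ]
    for step in steps:
        if not openssl_ok(*step):
            raise RuntimeError(f"openssl {step[0]} failed")
    return root, leaf


def verify_leaf(leaf: Path, trusted_root: Path | None = None) -> bool:
    """Validate the leaf's chain. Without trusted_root only the system store
    is consulted (a client that never imported the CA's root); with it, the
    root acts as an additional trust anchor, as after a manual import."""
    args = ["verify"]
    if trusted_root is not None:
        args += ["-CAfile", str(trusted_root)]
    return openssl_ok(*args, str(leaf))


def demo() -> dict[str, bool]:
    """Build the chain and verify it both ways; returns the two outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root, leaf = build_chain(Path(tmp))
        return {
            "system_store_only": verify_leaf(leaf),
            "with_imported_root": verify_leaf(leaf, root),
        }


if __name__ == "__main__":
    for scenario, trusted in demo().items():
        print(f"{scenario}: {'accepted' if trusted else 'rejected (warning)'}")
```

The first verification fails only because the root is unknown to the store, not because the certificate is malformed; that is the distinction the browser warning conveys, and why importing a root is a trust decision rather than a bug fix.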

Attempts by CAcert to be included in the free software of the Mozilla family (Firefox, Thunderbird) as a trusted issuer of a root certificate have so far been unsuccessful. The Mozilla Foundation has publicly discussed the criteria for the inclusion of new root certificates and, as a result, tightened them, although existing root certificates are retained for practical reasons. An audit covering the organization, processes and technology is now required; CAcert itself had an influence on the development of these criteria.

Because of restructuring within the organization, at the end of April 2007, after three and a half years of discussion with the Mozilla Foundation, CAcert postponed its application for inclusion in the root store of Mozilla products for the time being. Since then, work has continued on the audit required for inclusion and on other quality-assurance measures.

However, a number of other software products and open-source distributions have integrated the CAcert root certificate.
