CAcert is a community-operated, non-profit Certification Authority (CA) operated by the Geneva-based non-profit organization CAcert Incorporated, formerly registered in Australia. CAcert issues X.509 certificates free of charge for various purposes and is intended to be an alternative to the commercial certificate authorities, some of which charge quite high fees for their certificates.
As a Certificate Authority, CAcert plays a crucial role in establishing trust and authenticity in the digital world. Digital certificates issued by CAcert are used to verify the identity of websites, servers, and individuals, as well as to encrypt data transmitted over the internet, ensuring confidentiality and integrity.
Key Aspects of CAcert
CAcert operates based on a community-driven model, with volunteers contributing to the verification and assurance processes. Community members participate in the process of verifying the identity of certificate applicants and vouching for their trustworthiness, establishing a network of trust within the CAcert community. It is committed to promoting privacy, security, and freedom on the internet, aligning closely with the values of the open-source and free software movements. Its services are designed to empower individuals and organizations to protect their online privacy and security without compromising on freedom.
It relies on the Web of Trust (WoT) model to establish trust among its users. In the WoT model, trust is built through personal relationships and endorsements within the community, rather than relying solely on a central authority or hierarchy. No membership in the association is required to obtain certificates. Instead, users of CAcert certificates are organized into a network of trust (Web of Trust). For this purpose, each user maintains a user account with their full name, date of birth and e-mail address. In addition to an access password, users must also set five security questions whose correct answers only they know. If the password is lost, these questions must be answered correctly in order to regain access to the user account.
Each account has a points balance associated with it. The number of points ranges from 0 to a maximum of 150 and represents the trustworthiness of the personal data contained in the certificates. Points are earned by meeting existing members of the Web of Trust in person: they verify the user's identity, confirm it to CAcert, and a certain number of points is awarded.
CAcert operates its own certificate hierarchy, with its root certificate being cross-signed by Class 1 and Class 3 root certificates. This allows CAcert to issue certificates that are recognized and trusted by web browsers and other software applications, ensuring compatibility and interoperability. It offers a range of services, including SSL/TLS certificates for securing websites and servers, S/MIME certificates for encrypting and digitally signing emails, code signing certificates for software developers, and client certificates for authenticating users accessing secure online services.

Certificates Issued By CAcert
Immediately after registering the user account, any number of certificates can be issued. These contain only the e-mail address, verified by an automatic test e-mail; the common name is “CAcert WoT User”. After obtaining at least 50 points, personalized certificates can also be issued with the registered name. In addition to issuing certificates, PGP or OpenPGP keys can also be signed by the CA.
Client certificates
In addition to the primary e-mail address of the user account, other e-mail addresses can be entered. Certificates can be issued for each e-mail address, or for several in combination. They are used, for example, to encrypt and sign e-mails and other data, and can be used for passwordless authentication to servers; the CAcert website itself supports this certificate-based login. From a score of 100 points, certificates that can be used to sign software (code signing) can also be issued on request.
Server certificates
Server certificates are intended to confirm that a server belongs to a person or a company and serve as the basis for encrypted SSL/TLS connections. Several services use server certificates, including, but not limited to, HTTPS, SFTP, SMTPS, POP3S, and IMAPS. CAcert also offers such certificates, but initially they contain only the domain name and no information about the person or organization; this allows encryption, but no confirmation of identity. With Organization Assurance, however, organizations can have their identity checked by specially trained CAcert members. The organizational data can then be included in server certificates.
Identity Verification
In the case of commercial certificate issuers, identity verification usually takes place centrally at the issuer. CAcert delegates this task (assurance) to the network of trust: an experienced user who has accumulated at least 100 points and passed an online “Assurer test” (the Assurer) verifies the identity of another user (the Assuree) at a personal meeting using officially issued photo IDs (e.g. identity card, passport, driver’s license) and, if successful, may award up to 35 points, which are assigned to the Assuree via the CAcert website. The confirmation process is documented in writing and signed by the Assurer and the Assuree; this “Identity Verification Form” (also known as the “CAP Form”) is subsequently retained by the Assurer for at least seven years. Because one assurance awards at most 35 points, reaching a level of 50 points requires at least two confirmations by different Assurers.
As an alternative, there is the “Trusted Third Party Program” (TTP), through which verification by trusted third parties (notaries, banks, etc.) is possible. This program is intended to enable assurance in regions where the density of Assurers is still low, but currently only a maximum of 70 points can be achieved through it. At a score of 100 points, a member cannot receive any more points from other Assurers. However, 2 points are credited for each assurance the member performs. After confirming 25 people, the maximum score of 150 points is reached; additional assurances do not increase the number of points further, but they are still counted and registered, since an erroneous assurance can in principle be declared null and void by a conciliation decision.
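The points rules above (35 per assurance, 100 from other Assurers, 70 via TTP, 2 per assurance given, 150 overall, and the 50- and 100-point entitlement thresholds) modelled as a small checker. This is an added example written for this page, not code from CAcert; the names and the way TTP points are combined with face-to-face points are constructed assumptions.

```python
from dataclasses import dataclass, field

# Thresholds as described on this page (CAcert's own rules may differ in detail).
MAX_PER_ASSURANCE = 35      # most an Assurer may award at one meeting
FROM_ASSURERS_CAP = 100     # ceiling on points received from other Assurers
TTP_CAP = 70                # ceiling reachable via the Trusted Third Party program (assumption: applies to TTP points only)
PER_ASSURANCE_GIVEN = 2     # credited to the Assurer for each assurance performed
MAX_POINTS = 150            # reached after 25 assurances given
NAMED_CERT_MIN = 50         # certificates carrying the registered name
CODE_SIGNING_MIN = 100      # code-signing on request; also the Assurer level

@dataclass
class Assurance:
    assurer: str            # who vouched (constructed sample names in the test)
    points: int
    via_ttp: bool = False   # awarded under the TTP program rather than face to face

@dataclass
class Account:
    name: str
    received: list = field(default_factory=list)
    assurances_given: int = 0
    passed_assurer_test: bool = False

    def received_points(self):
        """Points earned from others, applying the TTP and 100-point ceilings."""
        direct = sum(a.points for a in self.received if not a.via_ttp)
        ttp = min(TTP_CAP, sum(a.points for a in self.received if a.via_ttp))
        return min(FROM_ASSURERS_CAP, direct + ttp)

    def points(self):
        """Balance on the account: received points plus 2 per assurance given, capped at 150."""
        return min(MAX_POINTS, self.received_points() + PER_ASSURANCE_GIVEN * self.assurances_given)

    def is_assurer(self):
        return self.points() >= CODE_SIGNING_MIN and self.passed_assurer_test

    def entitlements(self):
        e = ["e-mail-only certificate (CN 'CAcert WoT User')"]
        if self.points() >= NAMED_CERT_MIN:
            e.append("certificate with registered name")
        if self.points() >= CODE_SIGNING_MIN:
            e.append("code-signing certificate on request")
        if self.is_assurer():
            e.append("may act as Assurer")
        return e

def assure(assurer, assuree, points, via_ttp=False):
    """Record a meeting: only a qualified Assurer may award points, never more than 35."""
    if not assurer.is_assurer():
        raise PermissionError(f"{assurer.name} is not an Assurer")
    if not 0 <= points <= MAX_PER_ASSURANCE:
        raise ValueError("an assurance awards between 0 and 35 points")
    assuree.received.append(Assurance(assurer.name, points, via_ttp))
    assurer.assurances_given += 1   # still counted once the Assurer has reached 150
```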
Trustworthiness
With commercial providers, certificates that include the user’s name cannot be obtained free of charge. CAcert allows this, but unlike commercial CAs, CAcert is not listed as a trusted certificate authority in the certificate store of many e-mail clients and web browsers. Therefore, a user who connects to a server with a CAcert certificate will receive a warning that the origin of the certificate could not be verified. Likewise, the signature on an e-mail signed with a CAcert client certificate cannot be verified. However, the user can manually import the CAcert root certificates and thus trust them, after which all valid certificates issued by CAcert are accepted without a warning.