CAcert.org
Nonprofit organization | |
Industry | Certificate authority |
Founded | 24 July 2003 |
Founder | Duane Groth |
Headquarters | Oatley, New South Wales, Australia |
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public.[1] CAcert has over 334,000 verified users and has issued over 1,285,000 certificates as of July 2016.[2]
These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites, and secure data transmission over the Internet. Any application that supports the Secure Sockets Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption, code signing or document signatures.
CAcert Inc. Association
CAcert Inc. is an incorporated non-profit association registered[3] in New South Wales (Australia) since July 2003 which runs CAcert.org. It has members living in many different countries and a board of 7 members.[4]
Robot CA
CAcert, like most other CAs, automatically signs certificates for email addresses which are verified as belonging to the requester, and for domains for which certain email addresses (such as "hostmaster@example.com") are verified as belonging to the requester. Thus it operates as a robot certificate authority. These certificates may be considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates). However, an argument can be made that domain verification is the only element within a certificate that can be trusted and proven, and that the domain name is the key element on which a user should base their trust.
CAcert does not issue Extended Validation certificates. That kind of certificate involves a non-automated verification of the identity of the requesting party, which may offer a false sense of security. The more important method of creating trust is that of verification of the domain itself.
Web of trust
To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".
Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge[5]—verify other users; more assurance points allow the Assurer to assign more assurance points to others.
CAcert sponsors key signing parties, especially at big events such as CeBIT and FOSDEM.
Root certificate descriptions
Since October 2005, CAcert has offered Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.[6]
Inclusion status
The practice of shipping a list of CAs in the browser was established with Netscape Navigator v.3.0.[7] It was 1996, the dawn of the first browser war, and little emphasis was put on the security implications of making such a list. The key concern was the users' ability to quickly access secured web pages, almost irrespective of the signing CA.[8] Browsers could not afford to omit any important CA included by their competitors.
CAcert arrived much later. Discussion for inclusion of its root certificate in Mozilla and derivatives (such as Mozilla Firefox) started in 2004. Mozilla had no CA certificate policy at the time. Eventually, they developed a policy which required that CAcert improve their management system and deepen their formal verifications, auditing in particular. CAcert withdrew its request for inclusion at the end of April 2007.[9] Progress toward Mozilla requirements and a new request for inclusion can hardly be expected in the near future.[10] At the same time, the CA/Browser Forum was established to allow peaceful discussion among browser producers. Mozilla's advice was adopted, and, in addition, Extended Validation Certificates began to be issued.
FreeBSD used to include the CAcert root certificate but removed it in 2008 following Mozilla's policy.[11] In 2014 it was removed from Ubuntu[12] and Debian.[13]
The following operating systems or distributions include the CAcert root certificate, or have it available in an installable package:[14]
- Arch Linux
- Debian:[15] removed from jessie stable packages but it's available from backports.
- FreeWRT
- Gentoo (app-misc/ca-certificates, only when the USE flag cacert is set; defaults OFF from version 20161102.3.27.2-r2)
- Maemo (installed on Nokia Internet Tablets) (not on Nokia N900)
- Knoppix
- Mandriva Linux
- MirOS BSD
- OpenBSD until 2014-04-09, when it was removed from cert.pem following a redistribution licence review
- openSUSE
- Kali Linux (successor to the BackTrack 5 Linux security distribution)
- Slackware
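Because inclusion differs from one distribution and release to the next, an administrator may want to check whether a given host's default trust store actually carries a CAcert root. The following is an added example, not part of the original article: it uses Python's standard `ssl` module, and the sample store and its subject strings are constructed for illustration.

```python
import ssl

# Constructed entries in the shape returned by ssl.SSLContext.get_ca_certs().
# The subject strings are assumed for illustration, not read from a real store.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root"),))},
    {"subject": ((("organizationName", "CAcert Inc."),),
                 (("organizationalUnitName", "http://www.CAcert.org"),),
                 (("commonName", "CAcert Class 3 Root"),))},
]


def flatten_name(name):
    """Flatten ssl's nested RDN tuples into a list of (attribute, value)."""
    return [(key, value) for rdn in name for key, value in rdn]


def find_roots(ca_certs, needle="cacert"):
    """Return the subject of every trust anchor that mentions `needle`.

    Matching is case-insensitive and looks at every subject attribute,
    because a root may name its CA in O, OU, CN or the e-mail field.
    """
    hits = []
    for cert in ca_certs:
        attrs = flatten_name(cert.get("subject", ()))
        if any(needle.lower() in value.lower() for _, value in attrs):
            hits.append(", ".join(f"{key}={value}" for key, value in attrs))
    return hits


def audit_default_store(needle="cacert"):
    """Scan the trust anchors Python loads by default on this host.

    get_ca_certs() lists only certificates loaded from a CA bundle file;
    anchors in a hashed directory (capath) are loaded lazily and not shown.
    """
    context = ssl.create_default_context()
    return find_roots(context.get_ca_certs(), needle)


if __name__ == "__main__":
    print("sample store:", find_roots(SAMPLE_STORE))
    print("this host   :", audit_default_store() or "no matching root loaded")
```

A subject-name match only flags a candidate; confirm it by comparing the certificate's fingerprint with the one CAcert publishes before trusting or removing it.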
References
1. About CAcert
2. CAcert usage statistics
3. CAcertInc - CAcert Wiki
4. CAcert Inc. Board of Directors
5. Assurance Policy, section 2.3.
6. FAQ/TechnicalQuestions - CAcert Wiki
7. Simson Garfinkel; Gene Spafford (2002). Web Security, Privacy & Commerce. O'Reilly Media, Inc. ISBN 9780596000455.
   "Netscape Navigator Version 3.0 came preloaded with certificates for 16 CAs at 11 companies (AT&T, BBN, Canada Post Corporation, CommerceNet, GTE CyberTrust, Keywitness, MCI Mail, RSA, Thawte, U.S. Postal Service, and Verisign.)"
8. "Netscape Navigator 3.0 reviewer's guide". 1996. Archived from the original on 30 December 1996. Retrieved 22 February 2017.
   "Netscape Navigator allows you to connect to server sites whose certificates have been signed by unknown certifying authorities (CAs)"
9. Discussion by Mozilla on including CAcert root certificate
10. CAcert audit comment on Mozilla
11. FreeBSD Security Officer (29 June 2008). "ca-roots". FreshPorts. Retrieved 16 December 2013.
   "The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project."
12. Luke Faraone (5 December 2013). "CAcert should not be trusted by default". Ubuntu Launchpad Bug report logs. Retrieved 14 March 2014.
13. Jake Edge (18 March 2014). "Debian and CAcert". LWN.net.
14. CAcert inclusion status page
15. "Debian -- Details of package ca-cacert in sid". Retrieved 1 January 2016.