CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities, which are commercial and sell certificates). As of January 2012, CAcert had over 200,000 verified users and had issued nearly 800,000 certificates.
These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites, and secure data transmission over the Internet. Any application that supports the Secure Sockets Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
CAcert Inc. Association
CAcert Inc. is an incorporated non-profit association registered in New South Wales (Australia) since July 2003 which runs CAcert.org. It has members living in many different countries and a board of 7 members.
CAcert automatically signs certificates for email addresses controlled by the requester and for domains for which certain addresses (such as "email@example.com") are controlled by the requester. Thus it operates as a robot certificate authority. These certificates are considered weak because CAcert does not emit any information in the certificates other than the domain name or email address (the CommonName field in X.509 certificates).
Web of trust
To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".
Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge—verify other users; more assurance points allow the Assurer to assign more assurance points to others.
Root Certificate descriptions
Since October 2005, CAcert offers Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.
As of May 2013, certificates issued by CAcert are not as useful in web browsers as certificates issued by commercial CAs such as VeriSign, because most installed web browsers do not distribute CAcert's root certificate. Thus, for most web users, a certificate signed by CAcert behaves like a self-signed certificate. There was discussion for inclusion of CAcert's root certificate in Mozilla and derivatives (such as Mozilla Firefox) but CAcert withdrew its request for inclusion at the end of April 2007. This was after an audit was suspended in December 2006 because CAcert needed to improve their management system. There has been progress toward this and a new request for inclusion may be expected in the future. FreeBSD did include the root certificate but since removed it due to concerns by the FreeBSD Security Officer.
The following operating systems or distributions include the CAcert root certificate:
- Arch Linux
- Maemo (installed on Nokia Internet Tablets) (not on Nokia N900)
- Mandriva Linux
- MirOS BSD
- Ubuntu, Xubuntu, Kubuntu, Lubuntu (Not in CAcert inclusion list, but actually provided by package ca-certificates now.)
- Kali Linux (successor to the BackTrack 5 Linux security distribution)
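
Whether a CAcert-signed certificate validates therefore depends on the local trust store. As an added example (not part of the original article), the following Python code lists self-issued roots in a trust store whose subject mentions a given string; the names find_roots, flatten and SAMPLE, the constructed sample entries, and matching on the substring "cacert" are assumptions of this example.

```python
import ssl

def flatten(name):
    """Flatten the ssl module's nested RDN tuples into (field, value) pairs."""
    return tuple(pair for rdn in name for pair in rdn)

def find_roots(ca_certs, needle="cacert"):
    """Return subjects of self-issued entries whose subject mentions `needle`.

    ca_certs has the shape returned by ssl.SSLContext.get_ca_certs().
    Substring matching on "cacert" is this example's assumption.
    """
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        issuer = flatten(cert.get("issuer", ()))
        if subject != issuer:  # skip intermediates; only roots are trust anchors
            continue
        if any(needle in value.lower() for _, value in subject):
            hits.append(subject)
    return hits

# Constructed sample entries (not real certificates).
SAMPLE = [
    {"subject": ((("organizationName", "Constructed Community CA"),),
                 (("commonName", "Constructed CAcert-style Root"),)),
     "issuer": ((("organizationName", "Constructed Community CA"),),
                (("commonName", "Constructed CAcert-style Root"),))},
    {"subject": ((("commonName", "Constructed Commercial Root"),),),
     "issuer": ((("commonName", "Constructed Commercial Root"),),)},
    {"subject": ((("commonName", "Constructed CAcert-style Intermediate"),),),
     "issuer": ((("commonName", "Constructed CAcert-style Root"),),)},
]

if __name__ == "__main__":
    # get_ca_certs() lists only certificates already loaded into the context;
    # entries in a capath directory do not appear until they have been used.
    context = ssl.create_default_context()
    matches = find_roots(context.get_ca_certs())
    for subject in matches:
        print(dict(subject))
    print(f"{len(matches)} matching root(s) in the default trust store")
```

An empty result on a given machine means certificates chaining to that root will fail validation there, as described above for most web browsers.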