This article relies too much on references to primary sources. (April 2012) (Learn how and when to remove this template message)
This article contains content that is written like an advertisement. (September 2018) (Learn how and when to remove this template message)
|Founded||24 July 2003|
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public. As of July 2016[update], CAcert had over 334,000 verified users and had issued over 1,285,000 certificates. CAcert.org heavily relies on automation and therefore issues only Domain-validated certificates (and not Extended validation or Organization Validation certificates).
These certificates can be used to digitally sign and encrypt email, to authenticate and authorize user connections to websites, and to secure transmissions over the Internet. Applications that support (SSL) can use certificates signed by CAcert, as can applications that use X.509 certificates, e.g. to encrypt or to sign code and documents.
CAcert Inc. Association
CAcert Inc. is an incorporated non-profit association registered in New South Wales (Australia) which runs CAcert.org -- a community-driven certificate authority. Its members live in various countries. Its board consists of 7 members. It was founded by Duane Groth in July 2003. In 2004, the Dutch Internet pioneer Teus Hagen became involved. He served as board member and, in 2008, as president.
Certificate Trust status
Since 29 August 2018, most browsers don't automatically trust certificates issued by CAcert. Thus, users receive a "untrusted certificate" warning upon trying to view a website that is signed by CAcert. For email use, MS Outlook doesn't automatically accept these certificates either. CAcert uses its own certificate on its website.
Web of trust
To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".
Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge—verify other users; more assurance points allow the Assurer to assign more assurance points to others.
Root certificate descriptions
Since October 2005, CAcert offers Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.
The convention of including a list of CAs in the browser was established with Netscape Navigator v.3.0. It was 1996, the dawn of the first browser war, and little emphasis was put on the security implications of making such a list. The key concern was the users' ability to quickly access secured web pages, almost irrespectively of the signing CA. Browsers needed to not skip any important CA included by their competitors.
CAcert arrived much later. Discussion for inclusion of its root certificate in Mozilla and derivatives (such as Mozilla Firefox) started in 2004. Mozilla had no CA certificate policy at the time. Eventually, they developed a policy which required that CAcert improved their management system and deepened their formal verifications, auditing in particular. CAcert withdrew its request for inclusion at the end of April 2007. Progress toward Mozilla requirements and a new request for inclusion can hardly be expected in the near future. At the same time, the CA/Browser Forum was established to allow peaceful discussion among browser producers. Mozilla's advice was adopted, and, in addition, Extended Validation Certificates began to be issued.
FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy. In 2014, it was removed from Ubuntu, Debian, and OpenBSD. In 2018, it was removed from Arch Linux.
The following operating systems or distributions include the CAcert root certificate, or have it available in an installable package:
- Debian: removed from jessie stable packages but it's available from backports.
- Gentoo (app-misc/ca-certificates only when USE flag cacert is set, defaults OFF from version 2016122.214.171.124-r2 )
- Kali Linux (successor to BackTrack 5 linux security distribution)
- Maemo (installed on Nokia Internet Tablets) (not on Nokia N900)
- Mandriva Linux
- MirOS BSD
- "FAQ/AboutUs - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- "Welcome to CAcert.org". www.cacert.org. Retrieved September 24, 2019.
- "CAcertInc - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- "Brain/CAcertInc/Committee - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- "NLnet; Teus Hagen". nlnet.nl. Retrieved September 24, 2019.
- Assurance Policy, section 2.3.
- "FAQ/TechnicalQuestions - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019.
- Simson Garfinkel; Gene Spafford (2002). Web Security, Privacy & Commerce. O'Reilly Media, Inc. ISBN 9780596000455.
Netscape Navigator Version 3.0 came preloaded with certificates for 16 CAs at 11 companies (AT&T, BBN, Canada Post Corporation, CommerceNet, GTE CyberTrust, Keywitness, MCI Mail, RSA, Thawte, U.S. Postal Service, and Verisign.)
- "Netscape Navigator 3.0 reviewer's guide". 1996. Archived from the original on 30 December 1996. Retrieved 22 February 2017.
Netscape Navigator allows you to connect to server sites whose certificates have been signed by unknown certifying authorities (CAs)
- "215243 - CAcert root cert inclusion into browser". bugzilla.mozilla.org. Retrieved September 24, 2019.
- FreeBSD Security Officer (29 June 2008). "ca-roots". FreshPorts. Retrieved 16 December 2013.
The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project.
- Luke Faraone (5 December 2013). "CAcert should not be trusted by default". Ubuntu Launchpad Bug report logs. Retrieved 14 March 2014.
- Jake Edge (March 18, 2014). "Debian and CAcert". LWN.net.
- Henderson, Stuart (9 April 2014). "CVS: cvs.openbsd.org: src". openbsd-cvs (Mailing list). Retrieved 8 September 2019 – via MARC.
- "FS#59690 : [ca-certificates] Reconsider CAcert inclusion". bugs.archlinux.org. Retrieved September 24, 2019.
- "CAcert inclusion status page". Archived from the original on 2009-08-26. Retrieved 2007-01-04.
- "Debian -- Details of package ca-cacert in sid". Retrieved 1 January 2016.
- "Instructions". backports.debian.org. Retrieved September 24, 2019.