CAcert.org

{{short description|Certificate authority}}

{{Infobox company

| name = CAcert Inc.

| logo =

| logo_size =

| type = Nonprofit organization

| founder = Duane Groth

| foundation = {{Start date|2003|07|24|df=yes}}

| location_city = Geneva

| location_country = Switzerland

| industry = Certificate authority

| area_served = World

| homepage = {{URL|www.cacert.org}}

}}

CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates.{{Cite web|url=http://wiki.cacert.org/FAQ/AboutUs|title=FAQ/AboutUs - CAcert Wiki|website=wiki.cacert.org|accessdate=September 24, 2019}} CAcert.org relies heavily on automation and therefore issues only domain-validated certificates (not extended validation or organization validation certificates).

These certificates can be used to digitally sign and encrypt email; encrypt code and documents; and authenticate and authorize user connections to websites via TLS/SSL.

CAcert Inc. Association

On 24 July 2003, Duane Groth incorporated CAcert Inc. as a non-profit association registered{{Cite web|url=http://wiki.cacert.org/CAcertInc?action=show&redirect=Brain%2FCAcertInc|title=CAcertInc - CAcert Wiki|website=wiki.cacert.org|accessdate=September 24, 2019}} in New South Wales, Australia. In September 2024, it moved to Geneva, Switzerland. CAcert Inc. runs CAcert.org, a community-driven certificate authority.

In 2004, the Dutch Internet pioneer Teus Hagen became involved. He served as a board member and, in 2008, as president.{{Cite web|url=https://nlnet.nl/people/TeusHagen/|title=NLnet; Teus Hagen|website=nlnet.nl|accessdate=September 24, 2019}}

Certificate Trust status

CAcert.org's root certificates are not included in the most widely deployed certificate stores{{Cite book|last1=Oppliger|first1=Rolf|date=2014|title=Secure Messaging on the Internet. |page=171|isbn=978-1-60807718-2|publisher=Artech House |location=Boston/London|oclc=9227277768}} and have to be added by its customers.{{Cite book|last1=Turnbull|first1=James|last2=Matotek|first2=Dennis|last3=Lieverdink|first3=Peter|date=2009|title=Pro Linux System Administration |page=474|isbn=978-1-43021913-2|publisher=Apress |location=|oclc=}} As of 2021, most browsers, email clients, and operating systems do not automatically trust certificates issued by CAcert. Thus, users receive an "untrusted certificate" warning when they view a website that presents an X.509 certificate issued by CAcert, or view emails authenticated with CAcert certificates in Microsoft Outlook, Mozilla Thunderbird, etc. CAcert uses its own certificate on its website.

= Web browsers =

Discussion of including the CAcert root certificate in Mozilla Application Suite and Mozilla Firefox started in 2004. Mozilla had no CA certificate policy at the time. Eventually, Mozilla developed a policy that required CAcert to improve its management system and conduct audits. In April 2007, CAcert formally withdrew its application for inclusion in the Mozilla root program.{{Cite web|title=215243 - CAcert root cert inclusion into browser|url=https://bugzilla.mozilla.org/show_bug.cgi?id=215243|accessdate=September 24, 2019|website=bugzilla.mozilla.org}} At the same time, the CA/Browser Forum was established to facilitate communication among browser vendors and certificate authorities. Mozilla's advice was incorporated into the "baseline requirements" used by most major browser vendors. Progress towards meeting these requirements can hardly be expected in the near future.

= Operating systems =

FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy.{{cite web|author=FreeBSD Security Officer|date=29 June 2008|title=ca-roots|url=http://www.freshports.org/security/ca-roots/|accessdate=16 December 2013|website=FreshPorts|quote=The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project.}} In 2014, CAcert was removed from Ubuntu,{{cite web|author=Luke Faraone|date=5 December 2013|title=CAcert should not be trusted by default|url=https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1258286|accessdate=14 March 2014|website=Ubuntu Launchpad Bug report logs}} Debian,{{cite web|author=Jake Edge|date=March 18, 2014|title=Debian and CAcert|url=https://lwn.net/Articles/590879/|publisher=LWN.net}} and OpenBSD{{cite mailing list|url=https://marc.info/?l=openbsd-cvs&m=139705404731140|mailing-list=openbsd-cvs|title=CVS: cvs.openbsd.org: src|first=Stuart|last=Henderson|date=9 April 2014|accessdate=8 September 2019|via=MARC}} root stores. In 2018, CAcert was removed from Arch Linux.{{Cite web|title=FS#59690 : [ca-certificates] Reconsider CAcert inclusion|url=https://bugs.archlinux.org/task/59690|accessdate=September 24, 2019|website=bugs.archlinux.org}}

As of Feb 2022, the following operating systems or distributions include the CAcert root certificate by default:{{Cite web|title=CAcert inclusion status page|url=http://wiki.cacert.org/InclusionStatus|url-status=dead|archive-url=https://web.archive.org/web/20210508183356/http://wiki.cacert.org/InclusionStatus|archive-date=2021-05-08|access-date=2021-04-24|website=cacert.org}}

As of 2021, the following operating systems or distributions have an optional package with the CAcert root certificate:

  • Debian{{cite web|title=Debian -- Details of package ca-cacert in sid|url=https://packages.debian.org/sid/ca-cacert|accessdate=1 January 2016}}
  • openSUSE

Web of trust

{{Main|Web of trust}}

To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities.{{Cite book|last1=Butcher|first1=Matt|date=2007|title=Mastering OpenLDAP: Configuring, Securing, and Integrating Directory Services.|page=|isbn=978-1-84719103-8|publisher=Packt Publishing|location=Birmingham, UK|oclc=488331349}}{{Cite book|last1=Burns|first1=Bryan|last2=Killion|first2=Dave|last3=Beauchesne|first3=Nicolas|date=2007|title=Security Power Tools|page=512|isbn=978-059655481-1|publisher=O'Reilly Media|location=|oclc=}} CAcert tracks the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".

Having more assurance points grants users more privileges, such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer and may, after passing an Assurer Challenge ([http://www.cacert.org/policy/AssurancePolicy.php Assurance Policy], section 2.3), verify other users; more assurance points allow the Assurer to assign more assurance points to others.

CAcert sponsors key signing parties, especially at big events such as CeBIT and FOSDEM.

As of 2021, CAcert's web of trust has over 380,000 verified users.{{Cite web|title=Welcome to CAcert.org|url=http://www.cacert.org/stats.php|url-status=live|website=www.cacert.org|accessdate=April 24, 2021|archive-url=https://web.archive.org/web/20050204070956/http://www.cacert.org:80/stats.php |archive-date=2005-02-04 }}

Root certificate descriptions

Since October 2005, CAcert has offered Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.{{Cite web|url=http://wiki.cacert.org/FAQ/TechnicalQuestions#CAcert_Class_3_certificates|title=FAQ/TechnicalQuestions - CAcert Wiki|website=wiki.cacert.org|accessdate=September 24, 2019}}

Further reading

  • {{Cite book|last1=Smith|first1=Curtis|date=25 September 2006|title=Pro Open Source Mail: building an enterprise mail solution|page=132|isbn=978-1-59059-598-5|publisher=Apress|location=Berkeley, Calif.|oclc=255341703}}
  • {{Cite web|last1=Herong|first1=Yang|date=2020|title=PKI Tutorials - Herong's Tutorial Examples|page=|isbn=|publisher=|location=Durham, NC|url=https://www.herongyang.com/PKI/}}
