This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)(Learn how and when to remove this template message)
CAcert.org is a community-driven certificate authority that issues free public key certificates. As of July 2016[update], CAcert had over 334,000 verified users and had issued over 1,285,000 certificates. CAcert.org heavily relies on automation and therefore issues only Domain-validated certificates (and not Extended validation or Organization Validation certificates).
|Founded||24 July 2003|
These certificates can be used to digitally sign and encrypt email, to authenticate and authorize user connections to websites, and to secure transmissions over the Internet. Applications that support (SSL) can use certificates signed by CAcert, as can applications that use X.509 certificates, e.g. to encrypt or to sign code and documents.
CAcert Inc. AssociationEdit
On 24 July 2003, Duane Groth incorporated CAcert Inc. as an non-profit association registered in New South Wales (Australia). CAcert Inc runs CAcert.org -- a community-driven certificate authority.
Certificate Trust statusEdit
As of 2020, most browsers, email clients, and operating systems don't automatically trust certificates issued by CAcert. Thus, users receive a "untrusted certificate" warning upon trying to view a website that has TLS certificate issued by CAcert, or view emails signed with CAcert certificates in Microsoft Outlook, Mozilla Thunderbird.
CAcert uses its own certificate on its website.
The convention of including a list of CAs in the browser was established with Netscape Navigator v.3.0. It was 1996, the dawn of the first browser war, and little emphasis was put on the security implications of making such a list. The key concern was the users' ability to quickly access secured web pages, almost irrespectively of the signing CA.
Discussion for inclusion of its root certificate in Mozilla and derivatives (such as Mozilla Firefox) started in 2004. Mozilla had no CA certificate policy at the time. Eventually, they developed a policy which required that CAcert improved their management system and deepened their formal verifications, auditing in particular. In April 2007, CAcert withdrew its application for inclusion in Mozilla root program. Progress toward Mozilla requirements and a new request for inclusion can hardly be expected in the near future. At the same time, the CA/Browser Forum was established to allow peaceful discussion among browser producers. Mozilla's advice was adopted, and, in addition, Extended Validation Certificates began to be issued.
FreeBSD included CAcert's root certificate but removed it in 2008, following Mozilla's policy. In 2014, CAcert removed from Ubuntu, Debian, and OpenBSD root stores. In 2018, CAcert was removed from Arch Linux.
The following operating systems or distributions include the CAcert root certificate, or have it available in an installable package:
- Gentoo (app-misc/ca-certificates only when USE flag cacert is set, defaults OFF from version 20161188.8.131.52-r2 )
- Kali Linux (successor to BackTrack 5 linux security distribution)
- Maemo (installed on Nokia Internet Tablets) (not on Nokia N900)
- Mandriva Linux
- MirOS BSD
Web of trustEdit
To create higher-trust certificates, users can participate in a web of trust system whereby users physically meet and verify each other's identities. CAcert maintains the number of assurance points for each account. Assurance points can be gained through various means, primarily by having one's identity physically verified by users classified as "Assurers".
Having more assurance points allows users more privileges such as writing a name in the certificate and longer expiration times on certificates. A user with at least 100 assurance points is a Prospective Assurer, and may—after passing an Assurer Challenge—verify other users; more assurance points allow the Assurer to assign more assurance points to others.
As of 2020, CAcert's web of trust has over 378,000 verified users.
Root certificate descriptionsEdit
Since October 2005, CAcert offers Class 1 and Class 3 root certificates. Class 3 is a high-security subset of Class 1.
- "FAQ/AboutUs - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- "Welcome to CAcert.org". www.cacert.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- "CAcertInc - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- "NLnet; Teus Hagen". nlnet.nl. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- Simson Garfinkel; Gene Spafford (2002). Web Security, Privacy & Commerce. O'Reilly Media, Inc. ISBN 9780596000455.
Netscape Navigator Version 3.0 came preloaded with certificates for 16 CAs at 11 companies (AT&T, BBN, Canada Post Corporation, CommerceNet, GTE CyberTrust, Keywitness, MCI Mail, RSA, Thawte, U.S. Postal Service, and Verisign.)
- "Netscape Navigator 3.0 reviewer's guide". 1996. Archived from the original on 30 December 1996. Retrieved 22 February 2017.
Netscape Navigator allows you to connect to server sites whose certificates have been signed by unknown certifying authorities (CAs)
- "215243 - CAcert root cert inclusion into browser". bugzilla.mozilla.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- FreeBSD Security Officer (29 June 2008). "ca-roots". FreshPorts. Retrieved 16 December 2013.
The ca_root_ns port basically makes no guarantees other than that the certificates comes from the Mozilla project.CS1 maint: discouraged parameter (link)
- Luke Faraone (5 December 2013). "CAcert should not be trusted by default". Ubuntu Launchpad Bug report logs. Retrieved 14 March 2014. CS1 maint: discouraged parameter (link)
- Jake Edge (March 18, 2014). "Debian and CAcert". LWN.net.
- Henderson, Stuart (9 April 2014). "CVS: cvs.openbsd.org: src". openbsd-cvs (Mailing list). Retrieved 8 September 2019 – via MARC. CS1 maint: discouraged parameter (link)
- "FS#59690 : [ca-certificates] Reconsider CAcert inclusion". bugs.archlinux.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)
- "CAcert inclusion status page". Archived from the original on 2009-08-26. Retrieved 2007-01-04.
- "Debian -- Details of package ca-cacert in sid". Retrieved 1 January 2016. CS1 maint: discouraged parameter (link)
- Assurance Policy, section 2.3.
- "FAQ/TechnicalQuestions - CAcert Wiki". wiki.cacert.org. Retrieved September 24, 2019. CS1 maint: discouraged parameter (link)