česky | english
To CAcert.org Education & Training - To CAcert.org Education & Training Overview
To Assurance Policy - To Assurance Handbook
Some more information on CAcert
You are CAcert's "face to the customer". So you should be able to give at least some basic information about CAcert itself.
What is CAcert
CAcert is a non profit association incorporated in Australia. It is supported by a growing community of assurers (like you) who are part of a "Web-of-Trust" for identity verifications.
What is the goal of CAcert?
CAcert is a community of like-minded people working to improve our security, generally circulating around PKI technology based on x.509 "certificates" and PGP's web-of-trust.
CAcert does not have a formal or agreed mission or goal. Some of these might apply, and have been discussed from time to time:
- make security affordable and available for everyone.
- secure the Internet and increase trustworthiness.
- provide privacy through encryption.
- provide security through authentication.
For more information see the Principles of the Community.
What is the difference to other CAs?
- CAcert separates assurance (confirmation of identity) from the issuing of the certificates. Thereby the identity only has to be confirmed once to make as many certificates as needed and whenever wanted.
- CAcert is a "non-profit" community of volunteers. It is independent from commercial CA's.
- Some CAs issue free certs, and some use a WoT, but they tend to only issue low-level client certificates, but no server certificates or strongly verified certs. These free certs are intended to drive you to their CA so they can sell you higher value products. There is nothing wrong with that (your supermarket does the same thing) but it might not be appropriate to your needs.
Arbitration is CAcert's main channel for dealing with anything unexpected or unusual that might go wrong. This includes complaints about inappropriate conduct of an Assurance, invalid or inappropriate data in any member account, or inappropriate usage of certificates, but also unclear policies or practices. Indeed, just about anything may be disputed, and the policy documents often defer difficult issues by simply saying file a dispute. In this way, the policy documents and Arbitration work hand-in-hand: Policy handles the expected and the easy; Arbitration handles the unexpected and the hard, and both of them together provide the foundation for all work done in CAcert.
As a part of accepting the CAcert Community Agreement (CCA), every member accepts Arbitration according to CAcert's Dispute Resolution Policy (DRP). Anyone who has a complaint about anything relating to CAcert may file a Dispute by sending a mail to mailto:firstname.lastname@example.org. You will be notified of any dispute via your primary email address, so you are required in CCA to keep this working.
How does Arbitration work?
Once a dispute is filed and notified, an Arbitrator is chosen by CAcert from amongst our own senior and experienced Assurers. Arbitrators are strongly familiar with the policies, rules, principles, customs and specialties of CAcert. As an Assurer, you should be somewhat familiar with the rules, and at the least, know where to find them so as to answer basic questions from members.
The process of an Arbitration is this, in brief:
the Arbitrator looks at the situation by means of evidence,
- applies the policies and rules, and if necessary the law (of NSW, Australia), and
- delivers a ruling.
The ruling is binding on you, all members, and CAcert itself. It is generally published so that all the Community can watch and govern the system, and we can improve our policies and practices over time.
As we use Arbitration for all sorts of unusual and difficult questions, being named in an Arbitration is no bad thing, in and of itself; indeed, it is a mark of experience to participate. One day, you may be asked to sit as an Arbitrator, and this will likely require you to have been named in Arbitrations already. You can find more details and many references at our ArbitrationForum.
Background to Alternative Dispute Resolution
CAcert has introduced Arbitration as a protection for its members.
Normally, if something goes terribly wrong, you might be dragged into a civil court to face a lawsuit. Especially, as CAcert provides certificates making statements about people across the world, it is highly likely that any lawsuit would be filed in a country far away. In your country, the system of justice may have a reputation for looking after you, but this is not true of all places. At a minimum, remote systems of justice will be difficult and expensive for you to understand and navigate, even if they are fair. As well, there will be expensive lawyers, and you may be hit with a harsh judgment that does not fully appreciate what certificates are about and what we as a Community are about. Even if the court rules in your favour, it could be a Phyrric victory, one that you could not afford.
Therefore, instead of using the courts, we agree to deal with all our disputes internally. The authority for this is found under the Arbitration Act in each country, and in the clause in the CCA:
3.2 Arbitration as Forum of Dispute Resolution You agree, with CAcert and all of the Community, that all disputes arising out of or in connection to our use of CAcert services shall be referred to and finally resolved by Arbitration under the rules within the Dispute Resolution Policy of CAcert (DRP => COD7). The rules select a single Arbitrator chosen by CAcert from among senior Members in the Community. The ruling of the Arbitrator is binding and final on Members and CAcert alike.
You should be familiar with that clause and how to explain it to new and prospective Members.
Most countries have Arbitration Acts in place as law (see for example the German Arbitration Act (The text of this act, entered into force on 1998-01-01, is integrated into the Code of Civil Procedure, Book 10, Article 1025 ff)) that permits and even encourages internal Arbitration such as ours. This makes sense where a local or specialised community might have a better understanding of their own conventions and rules, where international affairs make it impractical to choose a neutral or cost-effective court, and where the real natures of the disputes do not justify the expense of the courts (and especially the lawyers).
These aspects are a natural fit for CAcert because we are in a complex international environment of Assurances, the Internet and certificates. The Arbitration Act provides us with a way to deal with any disputes internally, rather than going to courts, which likely are in far away countries, involve expensive lawyers, and have little knowledge of the process of certificates. Hence, we achieve a balanced and cost-effective legal approach across the entire Community, which applies to you as well as every other member, and to CAcert itself.
In the event of any lawsuit filed against you in relation to your CAcert activities, you should ask the court to refer the case back to Arbitration, citing the above clause and Act. There is no guarantee that a case will be so referred, and criminal cases are not referred, but as a matter of public policy courts will routinely refer cases back to Arbitration where this was the agreement.
The intent is to protect you and all members. This means that, in order to protect other members, an Arbitration case may result in some penalty imposed upon you if the Arbitrator finds that you were acting against CAcert's policies, rules and/or principles! See DRP section on remedies for more details.
How is privacy protected?
- Forms stay with the assurer and are only forwarded to CAcert under special circumstances.
- From the outside it is not evident who assured whom, the online system keeps that information private.
- CAcert will not give any data to third persons or third parties, except when ordered by an Arbitrator during dispute resolution.
Is CAcert included in browsers by default?
Please see: InclusionStatus
How many people use CAcert?
- for current data, go to the website, click on About CAcert.org at the right, then on CAcert Statistics. Do this manually, the link isn't published because the statistics collection is live and this slows the server down a lot.
Some technical aspects
While assuring people they may ask you some technical questions. Just to help you to pose as a real crack, here are some basics.
What are public and private keys?
"Public key cryptography" works with pairs of public and private keys. Each key in the pair can be used to encrypt data that can be decrypted only by someone with the other key. By convention, one of the pair is designated the "public key", and the other is designated the "private key".
The private key is kept secret and protected. It is never shared.
The public key is made available as broadly as possible since this is the one that can be used to encrypt data that only the owner of the private key can decrypt. It also allows decryption of data which has been encrypted by the private key.
So if you want to send someone an encrypted message you need your partner's public key. If you loose your private key you cannot decrypt messages sent to you any more.
By encrypting a document's hash value with your private key you can create a digital signature, which everyone can verify using your public key.
The public part of the key can be created from the private key (really?), but the public part does not allow anyone to guess the corresponding private key. Or better, it is really very very hard to guess the private key from the public part if the private key is "big enough".
What is a digital signature?
A digital signature is a kind of "seal" attached to a document that guarantees that the signed document has not been changed since the creation of the signature and it guarantees that it was created by someone who has access to the corresponding private key.
Technically speaking it is a hash value of the document encrypted by the private key of the signer. There are many different ways to implement this.
What is a certificate
A certificate in this context is a "document" containing a public key, some information about the owner of this key, and a signature from a Certification Authority ("CA").
Certificates following the X509 standard (including those issued by CAcert) contain issuing and expiry dates, hashes (or "data fingerprints") used to validate the certificate, and a unique serial number. In addition, certificates generally include some information about the user, such as the name or email address.
What can I do with a certificate?
Typically, the certificate represents a claim made by the CA over the "subject" of the certificate, e.g., an individual or organisation. A CA defines the exact meaning of a certificate in its documentation. For example, who can get one, what checks are made, and what you can do with this information. In order to know what to do with a certificate, you should examine the documentation carefully:
the "Certificate Practice Statement" (CPS) generally states the meaning of the certificate and what checks are made to support this meaning. In theory, you should examine a CA's CPS very closely before deciding what to do with any given CA's certificates. For CAcert, look for the relying party statement and then look at the Assurance Policy to see what the source of that information is.
the "Relying Party Agreement" (RPA) is where the legal info is, and in particular whether you have the right to do so. For CAcert, this is the CAcert Community Agreement.
errrr ... the certificate certifies something, the "subject" of the certificate. Ordinarily this is the e-mail address of the owner, and name if s/he has enough assurance points, or the web address/domain of a web server. The last sentence of the previous paragraph makes it seem that both e-mail address and name are optional for a client certificate, when in fact at least one should be there, otherwise what is the certificate certifying?
[iang] ... the assumption that the certificate "certifies" something has to be treated with care. What does that mean, and who can rely on that? I've tried to unravel this from the contents of the certificate, above. The other question of whether there is a use for a "null certificate" or one without name or email address ... then becomes easier to deal with. For CAcert's case it is somewhat irrelevant, and this would make a good CATS question
What can I do with certificates issued by CAcert
Secure web servers
You can generate certificates for https servers. Though at the moment CAcert's root is not included in standard Mozilla and Internet Explorer, it is already included in several Unix-like distributions.
And it's easy to install CAcert's root certificates manually.
X509 Client certificates
These can be used to encrypt and/or digitally sign emails. See ClientCerts for our growing list of places you can yse your client cert. They may also used as a way of authenticating with web servers, like the certificate login on CAcerts website or VPN servers.
Code signing and IDN certificates
If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names).
Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.
Get your PGP keys signed by CAcert's key. This should considerably increase the trust in your PGP key since many people trust CAcert's signature.
Does CAcert use OCSP?
CAcert offers online certification verification via the Online Certificate Status Protocol. Whether your applications actually use it, is another question.
Where can I get more help with technical problems
Best places for technical help are the wiki and IRC, see the #Appendix below.
Help & Support
In order to advise users on their options, you should know about these:
- mailing list cacert-support /at/ lists.cacert.org
- support (at) cacert.org .
documentation located at the CAcert wiki: http://wiki.cacert.org/
- Chat/IRC forum at: irc.cacert.org
- #cacert english channel
- #cacert.ger german language channel
SSL version (prefered) https://irc.cacert.org/ non-SSL version http://irc.cacert.org/
- If you do not know how to use an ircclient you may also try the CAcert Web IRC or Webchaton
Support is maintained by the Support Team, as directed under Security Policy Section 8. The Channels of support are listed in the Security Manual.
- As an Assurer, you should consider joining the support mailing list and helping out. Or, hang around the IRC chat room.