Ĩesky | english

Some more information on CAcert

You are CAcert's "face to the customer". So you should be able to give at least some basic information about CAcert itself.

What is CAcert

CAcert is a non profit association incorporated in Australia. It is supported by a growing community of assurers (like you) who are part of a "Web-of-Trust" for identity verifications.

What is the goal of CAcert?

CAcert is a community of like-minded people working to improve our security, generally circulating around PKI technology based on x.509 "certificates" and PGP's web-of-trust.

CAcert does not have a formal or agreed mission or goal. Some of these might apply, and have been discussed from time to time:

For more information see the Principles of the Community.

What is the difference to other CAs?


Arbitration is CAcert's main channel for dealing with anything unexpected or unusual that might go wrong. This includes complaints about inappropriate conduct of an Assurance, invalid or inappropriate data in any member account, or inappropriate usage of certificates, but also unclear policies or practices. Indeed, just about anything may be disputed, and the policy documents often defer difficult issues by simply saying file a dispute. In this way, the policy documents and Arbitration work hand-in-hand: Policy handles the expected and the easy; Arbitration handles the unexpected and the hard, and both of them together provide the foundation for all work done in CAcert.

As a part of accepting the CAcert Community Agreement (CCA), every member accepts Arbitration according to CAcert's Dispute Resolution Policy (DRP). Anyone who has a complaint about anything relating to CAcert may file a Dispute by sending a mail to mailto:support@cacert.org. You will be notified of any dispute via your primary email address, so you are required in CCA to keep this working.

How does Arbitration work?

Once a dispute is filed and notified, an Arbitrator is chosen by CAcert from amongst our own senior and experienced Assurers. Arbitrators are strongly familiar with the policies, rules, principles, customs and specialties of CAcert. As an Assurer, you should be somewhat familiar with the rules, and at the least, know where to find them so as to answer basic questions from members.

The process of an Arbitration is this, in brief:

  1. the Arbitrator looks at the situation by means of evidence,

  2. applies the policies and rules, and if necessary the law (of NSW, Australia), and
  3. delivers a ruling.

The ruling is binding on you, all members, and CAcert itself. It is generally published so that all the Community can watch and govern the system, and we can improve our policies and practices over time.

As we use Arbitration for all sorts of unusual and difficult questions, being named in an Arbitration is no bad thing, in and of itself; indeed, it is a mark of experience to participate. One day, you may be asked to sit as an Arbitrator, and this will likely require you to have been named in Arbitrations already. You can find more details and many references at our ArbitrationForum.

Background to Alternative Dispute Resolution

CAcert has introduced Arbitration as a protection for its members.

Normally, if something goes terribly wrong, you might be dragged into a civil court to face a lawsuit. Especially, as CAcert provides certificates making statements about people across the world, it is highly likely that any lawsuit would be filed in a country far away. In your country, the system of justice may have a reputation for looking after you, but this is not true of all places. At a minimum, remote systems of justice will be difficult and expensive for you to understand and navigate, even if they are fair. As well, there will be expensive lawyers, and you may be hit with a harsh judgment that does not fully appreciate what certificates are about and what we as a Community are about. Even if the court rules in your favour, it could be a Phyrric victory, one that you could not afford.

Therefore, instead of using the courts, we agree to deal with all our disputes internally. The authority for this is found under the Arbitration Act in each country, and in the clause in the CCA:

3.2  Arbitration as Forum of Dispute Resolution

You agree, with CAcert and all of the Community, that all disputes arising out of or in connection to our use of CAcert services shall be referred to and finally resolved by Arbitration under the rules within the Dispute Resolution Policy of CAcert (DRP => COD7). The rules select a single Arbitrator chosen by CAcert from among senior Members in the Community. The ruling of the Arbitrator is binding and final on Members and CAcert alike. 

You should be familiar with that clause and how to explain it to new and prospective Members.

Most countries have Arbitration Acts in place as law (see for example the German Arbitration Act (The text of this act, entered into force on 1998-01-01, is integrated into the Code of Civil Procedure, Book 10, Article 1025 ff)) that permits and even encourages internal Arbitration such as ours. This makes sense where a local or specialised community might have a better understanding of their own conventions and rules, where international affairs make it impractical to choose a neutral or cost-effective court, and where the real natures of the disputes do not justify the expense of the courts (and especially the lawyers).

These aspects are a natural fit for CAcert because we are in a complex international environment of Assurances, the Internet and certificates. The Arbitration Act provides us with a way to deal with any disputes internally, rather than going to courts, which likely are in far away countries, involve expensive lawyers, and have little knowledge of the process of certificates. Hence, we achieve a balanced and cost-effective legal approach across the entire Community, which applies to you as well as every other member, and to CAcert itself.

In the event of any lawsuit filed against you in relation to your CAcert activities, you should ask the court to refer the case back to Arbitration, citing the above clause and Act. There is no guarantee that a case will be so referred, and criminal cases are not referred, but as a matter of public policy courts will routinely refer cases back to Arbitration where this was the agreement.

The intent is to protect you and all members. This means that, in order to protect other members, an Arbitration case may result in some penalty imposed upon you if the Arbitrator finds that you were acting against CAcert's policies, rules and/or principles! See DRP section on remedies for more details.

How is privacy protected?

For more details look at the privacy policy and also the last section of the Assurance Policy 7. Privacy.

Is CAcert included in browsers by default?

How many people use CAcert?

Some technical aspects

While assuring people they may ask you some technical questions. Just to help you to pose as a real crack, here are some basics. ;-)

What are public and private keys?

"Public key cryptography" works with pairs of public and private keys. Each key in the pair can be used to encrypt data that can be decrypted only by someone with the other key. By convention, one of the pair is designated the "public key", and the other is designated the "private key".

The private key is kept secret and protected. It is never shared.

The public key is made available as broadly as possible since this is the one that can be used to encrypt data that only the owner of the private key can decrypt. It also allows decryption of data which has been encrypted by the private key.

So if you want to send someone an encrypted message you need your partner's public key. If you loose your private key you cannot decrypt messages sent to you any more.

By encrypting a document's hash value with your private key you can create a digital signature, which everyone can verify using your public key.

The public part of the key can be created from the private key (really?), but the public part does not allow anyone to guess the corresponding private key. Or better, it is really very very hard to guess the private key from the public part if the private key is "big enough".

What is a digital signature?

A digital signature is a kind of "seal" attached to a document that guarantees that the signed document has not been changed since the creation of the signature and it guarantees that it was created by someone who has access to the corresponding private key.

Technically speaking it is a hash value of the document encrypted by the private key of the signer. There are many different ways to implement this.

What is a certificate

A certificate in this context is a "document" containing a public key, some information about the owner of this key, and a signature from a Certification Authority ("CA").

Certificates following the X509 standard (including those issued by CAcert) contain issuing and expiry dates, hashes (or "data fingerprints") used to validate the certificate, and a unique serial number. In addition, certificates generally include some information about the user, such as the name or email address.

What can I do with a certificate?

Typically, the certificate represents a claim made by the CA over the "subject" of the certificate, e.g., an individual or organisation. A CA defines the exact meaning of a certificate in its documentation. For example, who can get one, what checks are made, and what you can do with this information. In order to know what to do with a certificate, you should examine the documentation carefully:

errrr ... the certificate certifies something, the "subject" of the certificate. Ordinarily this is the e-mail address of the owner, and name if s/he has enough assurance points, or the web address/domain of a web server. The last sentence of the previous paragraph makes it seem that both e-mail address and name are optional for a client certificate, when in fact at least one should be there, otherwise what is the certificate certifying?

[iang] ... the assumption that the certificate "certifies" something has to be treated with care. What does that mean, and who can rely on that? I've tried to unravel this from the contents of the certificate, above. The other question of whether there is a use for a "null certificate" or one without name or email address ... then becomes easier to deal with. For CAcert's case it is somewhat irrelevant, and this would make a good CATS question :)

What can I do with certificates issued by CAcert

Secure web servers

You can generate certificates for https servers. Though at the moment CAcert's root is not included in standard Mozilla and Internet Explorer, it is already included in several Unix-like distributions.

And it's easy to install CAcert's root certificates manually.

X509 Client certificates

These can be used to encrypt and/or digitally sign emails. See ClientCerts for our growing list of places you can yse your client cert. They may also used as a way of authenticating with web servers, like the certificate login on CAcerts website or VPN servers.

Code signing and IDN certificates

If you are an Assurer, you can get certificates signed/issued by CAcert for code signing and IDNs (International Domain Names).

Due to the increased possibilities for abuse those certificates have additional requirements. The CPS states that this requires Assurer level, which you meet if you are reading this Handbook. However note that as of 20091106, there is a move to reduce these requirements. Watch this space.

OpenPGP signatures

Get your PGP keys signed by CAcert's key. This should considerably increase the trust in your PGP key since many people trust CAcert's signature.

Does CAcert use OCSP?

CAcert offers online certification verification via the Online Certificate Status Protocol. Whether your applications actually use it, is another question.

Where can I get more help with technical problems

Best places for technical help are the wiki and IRC, see the #Appendix below.


Help & Support

In order to advise users on their options, you should know about these:

AssuranceHandbook2/SomeMoreInformation (last edited 2016-02-20 12:25:00 by ReinhardMutz)