CAcert assurer handbook
This is still a draft and is intended for internal use only! Please correct and complete it so that it soon becomes useful for our new assurers.
Introduction
This handbook is intended for fresh CAcert assurers. It should give you a first guide on what to do and what to know when acting as a CAcert assurer, and serve as a starting point for more in depth research on specific topics.
Overriding Documents
Although this document can be considered to be your working "Assurer's bible", there are several other documents of importance. Especially,
Assurance Policy is the ruling document that establishes the Assurance system. Its purpose is to deliver an Assurance that works for certificates, as per the CPS. It authorises this Handbook as our valid and current practice. WIP
the Certification Practice Statement (CPS, Work-In-Progress) is the ruling document for how certificates are issued. The section 3.2.2. Authentication of Individual Identity links to this Assurance Policy (above) in order to state what it is that members may rely upon when using certificates. WIP
Organisation Assurance Policy is the authority on Assurance on Organisations. POLICY
Every Member of CAcert (and therefore every Assurer) is bound by the CAcertCommunityAgreement. POLICY
A word on Policies
This Handbook is not a policy, but a working practices guide. In the case of contradictions, policies are the final authority, so this Handbook has to conform to those documents. If you find such contradictions please make them known to CAcert's policy mailing list at [ cacert-policy@lists.cacert.org ].
Other policies and documents of CAcert can be found at OfficialDocument. The work of creating policies is controlled by Policy on Policy and is conducted in the open at CAcert's policy mailing list at [ cacert-policy@lists.cacert.org ]; any Member may join and contribute. When documents are still being written they are referred to as work-in-progress or WIP, above. When approved in DRAFT, they are binding on the community, but still being finalised. When fully approved they are marked as POLICY and are officially published on the controlled website at https://www.cacert.org/policy.
All policies have an effect on assurance, although they may not address assurance explicitly. For example, the Privacy Policy also has some impact on the process.
Your obligations as an Assurer
- You have to conduct Assurances according to the rules given in the policies, especially the Assurance Policy.
- You have to keep yourself informed about changes in CAcert policies.
Some easy ways to keep yourself informed about important changes in the policies are
- Subscribe to the cacert@lists.cacert.org mailing list. It is comparatively low-volume.
- Occasionally browse the CAcert Blog or subscribe to its RSS feed.
- Retry the AssurerChallenge once a year.
Your risks and liabilities
By joining CAcert you accept the CAcert Community Agreement (CCA), which defines the risks and liabilities of CAcert members. You should be very familiar with this document so that you can understand these risks and liabilities, for yourself, and for any new and prospective Members that ask questions about the issues.
There is both good news and bad news: The CCA places a limit on monetary liability to you of 1.000 EUR (one thousand Euros). Each member accepts Arbitration, which is our system to keep disputes internal, rather than expose our members to courts in far away lands, expensive lawyers, and judgements that might not fully appreciate what certificates are about. The limit of liability is balanced across the Community, as it applies to you as well as to anyone who has a dispute with you, so it is both a maximum to protect you, and a liability directly to you.
Therefore, you should always be careful when doing Assurances, because you can be held responsible by the Arbitrator up to this limit!
The Assurance Procedure
The assurance procedure is the one crucial point in the whole CAcert project. If the assurances are conducted in a reliable way, members will be able to usefully rely on the CAcert certificates. If assurances are made superficially, this reliance will fail and the project will go down the drain. So we all depend on you!
The following procedure is a proposal. You may alter the process, but then you have to make sure that your process conforms to CAcert's CPS!
Make yourself known as a CAcert assurer
Probably the best way to do this is to enter a location into your profile and allow your entry to be shown in the users list. Other ways, like advertising yourself among your friends and colleagues, are left at your discretion.
Preparing yourself for an assurance
Now let's assume that someone has contacted you and asks you to assure his or her identity for CAcert. There are other ways to do a correct assurance, but this is a good way to start.
Print out a pre-filled CAP form
First of all you should check whether the applicant already has an account at CAcert. Go to https://secure.cacert.org/wot.php?id=5 and enter the applicant's mail address. If the email was correct you will be shown the interactive assurance form. Do not fill out anything at this time! Just use one of the links at the bottom to open and print out a PDF document containing the pre-filled CAP form.
If the email address is not found within the system, ask the Member to give you the primary email address for the account.
Non-Members
If the user has not yet created the account, you will not be able to find it. In this case, the user is not yet a Member, and you should ask her to create her account and become a Member before doing the Assurance.
In some circumstances, such as mass Assurance Events like CeBIT or a chance meeting, it may be reasonable to do the Assurance in advance of the user becoming a Member. However, this should be avoided where possible, as there are some security and legal risks if a person is assured first and the account is created later. For instance, the user will not have had time to read the CCA, which she could more easily do online or later on (at these events, always have copies of the CCA to hand out).
Suggested Procedure: In the case where you decide to go ahead and do the Assurance with a non-Member, in advance of account creation and full acceptance of the CCA, follow this procedure in order to protect the non-Member and yourself:
- the member-to-be ticks the "I agree to CCA" statement over her signature,
- you mark it pending account creation,
- you give her a copy of the CCA, or tell her where to find it,
- you give her your email address so that she can instruct you to destroy the form if she chooses not to agree and become a Member.
In this way, you indicate that the member-to-be will have time later on to read the CCA, and on account creation, she will confirm her agreement. If the account is never created, the agreement is null and void, and your CAP can be marked so or destroyed. Meanwhile, you and she have both agreed to conduct the Assurance under CAcert's policies and dispute resolution procedures.
Inform yourself about the documents the applicant wants to present
You should ask the applicant which ID documents s/he wants to present. Remind him/her that you have to see the originals of at least one (two are preferred!) photo ID, and at least one of them has to be government issued and contain the birthdate. If s/he wants to present unusual or foreign documents, please inform yourself in advance about how these documents should look. You may use the page AcceptableDocuments as a starting point for such research.
Maybe ask the applicant to check the expiry dates of the documents, so s/he does not leave you in the difficult situation of having to decide whether expired documents are valid.
Plan the meeting
You have to meet the applicant face to face and shake hands with him/her. No assuring on the phone, not even via video phones!
So you have to find a meeting place. If your employer tolerates this, your office may be a good meeting point. Of course you can meet at your home if you want to. Otherwise some not too crowded pub would be a nice place.
Take the pre-filled CAP form to the meeting, and don't forget a pen, since the applicant has to sign the form!
The meeting
Please try to make sure that you are not in a hurry during the meeting. You should have at least five minutes to check the documents and let the applicant sign the form! Take your time.
Shake hands with the applicant, maybe give him/her a nice smile. Check that the data contained in the documents (that is, names and birthdate) is identical to that on the pre-filled CAP form. Let the applicant sign the CAP form and note the kind of documents presented (like passport, ID card, driver's license) on it.
Have a little chat with the applicant, if time permits and both parties are interested.
Some points to keep in mind:
- Picture
- In some countries driver's licenses never expire so you have to be aware of very old pictures and signatures.
- Signature
- it is preferable that the customer makes her/his signature on the form while the assurer is watching. If the form is already signed ask the applicant to repeat the signature somewhere else on the form.
- if the customer's signature is not recognizable ask him to sign comparable to the signature on the document (sometimes newer bankcards are good indication if the signature changed dramatically).
- if any document is not signed please ask the customer to sign it now.
- Security Features
- stamp must be seamless on picture and document
- holograms
- special printing techniques like fineprint and colors
- special paper
- human readable data should match the machine readable zone on the document.
- watermarks
- Expiration date
- driver's licenses often have none (depends on the country).
- passport usually has one (typically 10 years)
- expired documents are acceptable as indication, you may reduce the points you give.
- you should inform the customer if documents will expire soon.
- Do date of issue and expiring date make sense and result in a sensible validity duration (i.e. 10 years).
- Date of birth
- don't get confused by the different formats all over the world. Check your input twice if the formats are the same on the form, the documents and the webinterface. If the date in the webinterface is wrong, it must be changed BEFORE you can give the points.
- does the DoB make sense?
- children also can be assured, there is no minimum age (in fact there is, since the CAP form must be signed by the child and not its parent... And acceptable photo IDs are seldom issued to infants under 10). Question: Is this official policy? Does it make sense to assure children at infant age? The reason I'd not assure infants (let's say till the age of 14) is that they can protect their credentials against theft even worse than most grown-ups.
- Test Questions:
- One or more names
- place of birth
- artist name (officially recognised alternate names a person uses)
- place of issue
After the meeting
If you did notice anything unusual, make some notes on the backside of the CAP form. Things you should note include (but are not restricted to):
- very unusual documents
- very old or worn documents
- if something "just didn't feel right"
- the applicant tried to hurry you through the process
- Something unexpected did happen
Those notes might help you to remember what happened later, just in case a dispute is filed and someone asks you about details of the meeting.
Now login to the CAcert website, go to https://secure.cacert.org/wot.php?id=5 once again and enter the applicants email. Now fill out the assurance form, check the data once again and issue your points if there are no reasons against. If the situation was not ideal you should give less points, see PolicyDrafts/IdChecking for some guidelines about the number of points to give.
Please do not issue 0 points in the form; zero points are reserved for special occasions (there is still some discussion about exactly which occasions). If there are serious doubts, do not complete the assurance form! Also, if you cannot make any statement about the candidate, for example because you cannot read those Chinese characters at all, or you have no idea about the issuing country, do not complete the form.
Remember the following issues:
- do not log in from a computer which is not secure (one that may have malware like viruses and trojans on it).
- do not use other people's computers unless you are sure that you can trust them. If in doubt, do it from a Live-CD like Knoppix.
- use an up-to-date browser and go to https://www.cacert.org/.
- FOR SECURITY REASONS: LOG OFF AND CLOSE THE BROWSER WHEN WORK IS DONE.
If someone tried to use faked IDs or otherwise tried to obtain an assurance by fraud, send a mail about what happened to [ abuse@cacert.org ].
What about that CAP form?
As well as the Assurance details, the CAP form (short for CAcert Assurance Programme form) must contain:
- applicant's signature made by his/her own hand.
- applicant's permission to conduct the Assurance.
- applicant's acceptance of the CCA and thus the risks, liabilities and obligations of membership.
- Your own signature and agreement.
For a normal one-way Assurance, cross out the fields for your email address and Date of Birth, as desired. For a mutual Assurance, fill them in. If the other Member is not an Assurer as yet, then you keep the CAP form(s) on her behalf (and take responsibility for both Assurances) which is why the form itself has both sets of details on it.
As it is stated on the form you have to securely keep that paper CAP form for at least seven years. You are personally responsible for that! It is your evidence that you followed CAcert's policy and that you met the applicant in person (face to face).
For data protection and privacy reasons no-one else should have access to the CAP forms, once completed. Do not scan the CAP form and keep it electronically. CAcert's Assurance is deliberately designed to create a paper foundation on which digital certificates are issued; by maintaining a base of paper, the digital framework is strongly constructed with a classical legal foundation. Not only does scanning weaken that foundation, you may also violate data protection laws on electronic data storage.
In the case of a dispute you may be requested to send the original paper form to a CAcert Arbitrator. If you find yourself unable to keep the CAP forms for whatever reason, file a dispute at support@cacert.org, explain the circumstances, and request the Arbitrator to provide instructions.
Sending CAP forms to CAcert by request
This paragraph is still preliminary and contains some assumptions that are not verified. Please use them as food for thought about the issue.
An Arbitrator may request you to send CAP forms to CAcert, maybe because there was a complaint about a certificate or just as part of a quality assurance process. CAP forms contain personal data, so the requestor has to be authorized to see them and you have to make sure that no one else can read that data.
- Verify that the requestor's email is @cacert.org. No other TLD (like .com, .net etc) is allowed!
- The request will be sent to you either signed by a CAcert verified PGP key or using a CAcert-issued S/MIME certificate. Please ensure that the certificate is valid and issued/signed by CAcert.
If you do not know how to reliably verify a signature, please ask someone for help on IRC (irc://irc.cacert.org/cacert or irc://irc.cacert.org/cacert.ger) or on one of the mailing lists (like mailto:cacert@lists.cacert.org or mailto:cacert-de@lists.cacert.org). This is not a trivial task; don't just trust your mailer's icon!
- Usually you are requested to send a scan of the CAP form. Please make sure that you send the image using an encrypted mail. If you cannot send it encrypted for any reason, send a copy of the form via paper mail. After you confirm receipt of the scanned CAP form, delete your digital copy carefully.
- If you are requested to send in the original CAP form, keep a copy of it in your documents. N.B.: I have not heard of this being requested, but it may be necessary some time.
If you have any doubts about a request ask for help. Once again, try IRC or mailing list(s)! If the request tries to discourage you from getting help (stating it a top secret business or something like that) there's something fishy about the request!
Fees
- Certificates are free! Customers create them themselves using the web interface.
- Assurances may cost money, but the price has to be set out before the meeting. Otherwise it must be done at no charge.
- If you choose to demand money for the assurance, keep it to a sensible amount of "expense recovery". If the applicant visits you, something between 5 and 15 EUR seems sensible in central Europe. If you visit an applicant yourself you may add travel expenses.
- Note: if you demand money for the service of assurance this may make you a commercial service provider, which, in turn, may have other legal consequences (like paying taxes, the need for a trade licence or such things), depending on the laws of your country!
The Standard of Assurance
IMHO this paragraph still needs some work to be less confusing for newbie (and experienced) assurers. The CAP links to this handbook for a definition of the "Standard of Assurance", so it has to be done. I'm still thinking about it, if you have an idea feel free to propose it. BernhardFröhlich
Also, see PolicyDrafts/AssurancePolicy as a wip ... which should nail down the Standard of Assurance ... once and for all
iang.
PolicyDrafts/IdChecking gives two different suggestions for the number of points to be awarded for an Assurance.
The approximate standard for an Assured User is:
- at least one government-issued photo ID containing the date of birth must be verified
- must have been verified by at least two Assurers. Exceptions: see below under "Major Variations".
A standard verification is performed by an Assurer as such:
- The Assurer and the User meet face-to-face.
- The Assurer verifies the following forms of identification:
- At least one government-issued photo ID. Acceptable forms include Passports, Drivers Licenses and National Identity Cards
- If possible one of the following:
- A second government-issued photo ID.
- A government-issued ID without a photo.
- The Assurer records the Authoritative Name as found on the forms of identification. The Authoritative Name of a User means the name as indicated in government-issued documents, and sufficiently narrow as to make dispute resolution feasible.
- Authoritative Name, email address and date of birth is the current policy (see Assurance forms). Identity numbers are never to be stored, due to problems with liability and the potential to cause ID theft.
- the Assurer matches the Authoritative Name recorded above to the User's recorded Name in their CAcert account.
- each Assurer allocates points to the user according to the quality of the documentation verified above, and the Assurer's level.
In general, an Assurer can award no more than 35 points. A user becomes an assured User if s/he has been awarded at least 50 points.
At 100 points the user may become an Assurer by successfully completing the AssurerChallenge.
Minor Variations
An Assurer controls minor variation, such as poor quality ID or missing ID, by reducing points.
Major Variations
Three Major Variations exist to the above:
- the TTP programme, see FAQ/AssuranceByTTP
- the Super-Assurer programme, see SuperAssurers
- the Organisation Assurance programme, see OrganisationAssurance.
Frequently encountered situations
More information on name matching can be found at PolicyDrafts/PolicyOnNames.
Transliterations
Usual transliterations, missing accents and similar things are accepted. So if the ID doc says "André Müller" but the name in the account is "Andre Mueller" that's ok.
Note that the reason for accepting plain ASCII representations of non-ASCII characters is the usual restrictions of computer environments. Therefore it is not accepted to assure someone as "Müller" if the ID documents contain "Mueller".
It is still not defined how names in other character sets (like for example Cyrillic or Hebrew) should be handled. Transliteration rules can be found at http://en.wikipedia.org/wiki/Transliteration
Middle names and Initials
Middle names are optional in the CAcert Account. So someone called "Bernhard Andreas Fröhlich" may create his account as "Bernhard Fröhlich", "Andreas Fröhlich" or "Bernhard Andreas Fröhlich". Initials are deprecated, but are currently tolerated, so if the said person would use the name "Bernhard A. Fröhlich" this would currently be OK. This may change in the future, so keep your eyes open.
But remember, you may not assure an Account with a name you did not see on at least one ID document! If all ID docs state "Bernhard Fröhlich", assuring him as "Bernhard Andreas Fröhlich" is prohibited!
If the name on the presented ID documents is not identical to that on the CAP form, it is best to note the name as exactly as possible somewhere on the paper, including all given/middle names. If the account is disputed later, you can then remember the exact name you've seen.
Multiple Names, Pseudonyms
According to the WIP PolicyDrafts/AssurancePolicy multiple names are accepted, if matching ID documents can be presented. But currently the CAcert software cannot handle them.
Some more information on CAcert
You are CAcert's "face to the customer". So you should be able to give at least some basic information about CAcert itself.
What is CAcert
CAcert is a non profit association incorporated in Australia. It is supported by a growing community of assurers (like you) who are part of a "Web-of-Trust" for identity verifications.
What is the goal of CAcert?
- make security affordable and available for everyone.
- secure the internet and increase trustworthiness.
- privacy through encryption.
- security through authentication.
For more information see http://svn.cacert.org/CAcert/principles.html.
What is the difference to other CAs?
- CAcert separates assurance (confirmation of identity) from the issuing of the certificates. Thereby the identity only has to be confirmed once to make as many certificates as needed and whenever wanted.
- CAcert is independent from commercial CAs.
- Most other Web of Trust based free CAs only issue client certificates, but no server certificates.
Arbitration
Arbitration is CAcert's main channel for dealing with anything unexpected or unusual that might go wrong. This includes complaints about inappropriate conduct of an Assurance, invalid or inappropriate data in any member account, or inappropriate usage of certificates. Indeed, just about anything may be disputed, and the policy documents often defer difficult issues by simply saying file a dispute. In this way, the policy documents and Arbitration work hand-in-hand: Policy handles the expected and the easy; Arbitration handles the unexpected and the hard, and both of them together provide the foundation for all work done in CAcert.
As a part of accepting the CAcert Community Agreement (CCA), every member accepts Arbitration according to CAcert's Dispute Resolution Policy (DRP). Anyone who has a complaint about anything relating to CAcert may file a Dispute by sending a mail to mailto:support@cacert.org. You will be notified of any dispute via your primary email address, so you are required in CCA to keep this working.
Once a dispute is filed and notified, an Arbitrator is chosen by CAcert from amongst our own senior and experienced Assurers. Arbitrators are strongly familiar with the policies, rules, principles, customs and specialities of CAcert. As an Assurer, you should be somewhat familiar with the rules, and at the least, know where to find them so as to answer basic questions from members.
The process of an Arbitration is this, in brief:
- the Arbitrator looks at the situation by means of evidence,
- applies the policies and rules, and if necessary the law (of NSW, Australia), and
- delivers a ruling.
The ruling is binding on you, all members, and CAcert itself. It is generally published so that all the Community can watch and govern the system, and we can improve our policies and practices over time.
As we use Arbitration for all sorts of unusual and difficult questions, being named in an Arbitration is no bad thing, in and of itself; indeed, it is a mark of experience to participate. One day, you may be asked to sit as an Arbitrator, and this will likely require you to have been named in Arbitrations. You can find more details and many references at our ArbitrationForum.
Background to Alternative Dispute Resolution
CAcert has introduced Arbitration as a protection for its members.
Normally, if something goes terribly wrong, you might be dragged into a civil court to face a lawsuit. Especially, as CAcert provides certificates making statements about people across the world, it is highly likely that any lawsuit would be filed in a country far away. In your country, the system of justice may have a reputation for looking after you, but this is not true of all places. At a minimum, remote systems of justice will be difficult and expensive for you to understand and navigate, even if they are fair. As well, there will be expensive lawyers, and you may be hit with a harsh judgement that does not fully appreciate what certificates are about and what we as a Community are about. Even if the court rules in your favour, it could be a Pyrrhic victory, one that you could not afford.
Therefore, instead of using the courts, we agree to deal with all our disputes internally. The authority for this is found under the Arbitration Act in each country, and in the clause in the CCA:
3.2 Arbitration as Forum of Dispute Resolution You agree, with CAcert and all of the Community, that all disputes arising out of or in connection to our use of CAcert services shall be referred to and finally resolved by Arbitration under the rules within the Dispute Resolution Policy of CAcert (DRP => COD7). The rules select a single Arbitrator chosen by CAcert from among senior Members in the Community. The ruling of the Arbitrator is binding and final on Members and CAcert alike.
You should be familiar with that clause and how to explain it to new and prospective Members.
Most countries have Arbitration Acts in place as law (see for example the German Arbitration Act) that permits and even encourages internal Arbitration such as ours. This makes sense where a local or specialised community might have a better understanding of their own conventions and rules, where international affairs make it impractical to choose a neutral or cost-effective court, and where the real natures of the disputes do not justify the expense of the courts (and especially the lawyers).
These aspects are a natural fit for CAcert because we are in a complex international environment of Assurances, the Internet and certificates. The Arbitration Act provides us with a way to deal with any disputes internally, rather than going to courts, which likely are in far away countries, involve expensive lawyers, and have little knowledge of the process of certificates. Hence, we achieve a balanced and cost-effective legal approach across the entire Community, which applies to you as well as every other member, and to CAcert itself.
In the event of any lawsuit filed against you in relation to your CAcert activities, you should ask the court to refer the case back to Arbitration, citing the above clause and Act. There is no guarantee that a case will be so referred, and criminal cases are not referred, but as a matter of public policy courts will routinely refer cases back to Arbitration where this was the agreement.
The intent is to protect you and all members. This means that, in order to protect other members, an Arbitration case may result in some penalty imposed upon you if the Arbitrator finds that you were acting against CAcert's policies, rules and/or principles! See the DRP section on remedies for more details.
How is privacy protected?
- Forms stay with the assurer and are only forwarded to CAcert under special circumstances.
- From the outside it is not evident who assured whom.
- CAcert will not give any data to third persons or third parties, except when ordered by an Arbitrator during dispute resolution.
For more details look at the official privacy policy at http://www.cacert.org/index.php?id=10
Is CAcert included in browsers by default?
Please see: http://wiki.cacert.org/wiki/InclusionStatus
How many people use CAcert?
For current data please see http://www.cacert.org/stats.php
Point scheme
- 0-49 points: This person is not assured and his/her name won't be included in certificates. Also, these certificates will expire after a maximum of 6 months. With more than 0 points, the personal details can no longer be changed by oneself.
- 50 points: "assured"; the name can be added to the certificate. The server certificates are valid for 2 years. You can get a signed PGP/GPG key.
- 100 points: "fully assured"; the maximum number of points one can get from other Assurers. Code signing authorisation may be requested. You may become an Assurer by passing the AssurerChallenge.
- 150 points: "fully assured"; the maximum points you can get. You get 2 points for each assurance you complete.
- 200 points: "superassurer"; temporary status for very special events. One needs 150 points and the agreement of two board members.
Note: The meaning of the points is different below and above 100 points. Below 100 the number of points show the amount of trust CAcert has in your identity. The points above 100 make some statement about your experience as an Assurer, so they are sometimes called Experience Points.
Currently points acquired do not "expire" or "decay", but this might be changed in the future.
Table of issuable points
Your Assurance Points | Issuable Points
100 | 10
110 | 15
120 | 20
130 | 25
140 | 30
150 | 35
For every assurance one gets 2 points up to the maximum of 150 points.
Some technical aspects
While assuring people they may ask you some technical questions. Just to help you come across as a real expert, here are some basics.
What are public and private keys?
"Public key cryptography" works with pairs of public and private keys. Data encrypted with one key of the pair can only be decrypted by someone holding the other key of the pair.
The public part is made available as broadly as possible, since it is the key used to encrypt data that only the owner of the private key can decrypt. It also allows decryption of data which has been encrypted with the private key.
So if you want to send someone an encrypted message you need your partner's public key. If you lose your private key you cannot decrypt messages sent to you any more.
By encrypting a document's hash value with your private key you create a digital signature, which everyone can verify using your public key.
The public part of the key can be computed from the private key, but the public part does not allow anyone to derive the corresponding private key. More precisely, it is very, very hard to compute the private key from the public part if the private key is "big enough".
What is a digital signature?
A digital signature is a kind of "seal" attached to a document that guarantees that the signed document has not been changed since the creation of the signature and it guarantees that it was created by someone who has access to the corresponding private key.
Technically speaking, it is a hash value of the document encrypted with the private key of the signer. There are many different ways of implementing this in detail.
What is a certificate
A certificate in this context is a "document" containing a public key and some information about the owner of this key, which is signed by a Certification Authority ("CA"). A typical CA defines the exact meaning of a certificate, for example who can get one and what checks are made, in its "Certificate Practice Statement" (CPS).
In theory you should examine a CA's CPS very closely before deciding whether to trust this CA's certificates or not.
Certificates following the X509 standard, like those issued by CAcert, contain an issuing date and an expiry date as well as hashes (or "data fingerprints") used to validate the certificate. In addition CAcert's certificate can include some information about the user, like his/her name or eMail-address, if the user requests inclusion of this information.
What can I do with certificates issued by CAcert?
Secure web servers
You can generate certificates for https servers. Though at the moment CAcert's root is not included in the standard Mozilla and Internet Explorer trust stores, it is already included in several Unix-like distributions.
And it's easy to install CAcert's root certificates manually.
X.509 client certificates
These can be used to encrypt and/or digitally sign emails. They may also be used to authenticate to web servers, like the certificate login on CAcert's website, or to VPN servers.
Code signing and IDN certificates
You can generate certificates for code signing and IDN (International Domain Names). Due to the increased possibilities for abuse, those certificates have additional requirements: you need at least 100 points and you have to send a copy of your photo ID to CAcert.
OpenPGP signatures
Get your PGP keys signed by CAcert's key. This should considerably increase the trust in your PGP key since many people trust CAcert's signature.
Does CAcert use OCSP?
Yes, CAcert offers online certificate status checking via the OnlineCertificateStatusProtocol (OCSP): http://ocsp.cacert.org/
Where can I get more help with technical problems?
Try http://wiki.cacert.org/wiki/CAcert as a starting point.
Appendix
Hints for organizing events
Have a look at EventOrganisation. The topic is the same, the author is different; maybe there are some useful hints not covered here.
- There should be enough assurers at the event for assurees to reach 50 points at any time, if possible even 100 points. Try a post to cacert@lists.cacert.org or cacert-de@lists.cacert.org to find more assurers.
- At the Systems 2006, a medium-sized trade fair, I made 32 assurances during one day, with 2-4 other assurers present who probably made about the same amount. I guess about 50 assurances per day would be the maximum possible per assurer on a small booth. Just to give you an order of magnitude.
- Place a notification of the event on CAcert's homepage by creating an entry for your event in the CAcert blog http://blog.cacert.org/; the contact is PRO@cacert.org.
- Maybe send a mailing to potential assurees who want to receive notifications. Contact support@cacert.org for this.
- If possible get some "marketing material" and some CAcert logos, as big as possible, preferably coloured. But an A4 monochrome laser printout is better than nothing; it's a community project after all, isn't it? Have a look at http://ivamp.de/cert/ for some material in German.
- Forms and ballpoint pens must be available. You can get the forms from http://www.cacert.org/cap.php (Hint: maybe use it as a test printing page for printer companies...). If possible (most of the time it isn't, since booths typically are small) try to have a printer at the booth and a way to print out pre-filled CAP forms. Printed forms are considerably easier to read than hand-written ones. Have a look at cap.html. Copy it to your computer, replace my name, my location and the other specifics with your data and open it with any browser to get a form for simple generation of pre-filled PDF files. Let the user enter his/her name, birth date and email and print the form, so you can be quite sure that you will be able to read the information once you're back home.
- A laptop or other computer with internet access is a great thing to have present, even if there's no printer. You can show interested people the CAcert homepage and how to use it. But avoid logging on to your CAcert account, and do not let other people create accounts on the fly. During a typical event it is usually far too easy for someone to watch a password being entered or otherwise abuse a logged-on account!
- Be prepared that most people probably won't have a CAcert account before meeting you. You can still fill out the CAP form, do the document checking and issue the points once the account is created, but there are some things to remember:
  - Many handwritings are hard to read. If you have any doubts, copy the data yourself into the free area at the bottom of the CAP form.
  - Have some "business cards" ready containing (at least) your email and CAcert's home URL (http://www.cacert.org). They do not have to be professionally designed cards; a small piece of paper is good enough. Hand them to assured persons so they can notify you once they have created their new account. Or just in case you forget them.
  - The new account must be created with the same data (name, date of birth, email) as noted on the CAP form. Otherwise the new account could be forged by someone else who watched the assurance!
  - If you are notified that the new account has been created, it's important to compare the data of the account with the data printed or written on the CAP form. Do not issue your points if you don't have the CAP form at hand to compare the data. There may have been a simple typo during the registration process, and once such an account has been given points things get more complicated!
  - If someone complains that s/he cannot create a CAcert account, do not simply assume that they made a mistake (though that's the most probable case). Try to help the person, or find someone on IRC or the mailing lists to help her/him. There is the (quite remote) possibility that someone watching the assurance has created an account for the applicant's email address...
Help & Support
CAcert Headquarters, P.O. Box 4107, Denistone East NSW 2112, Australia. support (at) cacert.org
CAcert support Austria: http://www.cacert.at/ office@cacert.at
On the internet:
Wiki: http://wiki.cacert.org/
Chat: irc.cacert.org
- #cacert english channel
- #cacert.ger german language channel
If you do not know how to use an IRC client you may also try the CAcert Web IRC or webchat on:
SSL version (preferred) https://irc.cacert.org/, non-SSL version http://irc.cacert.org/