Digital Certificates and CAcert

What are digital certificates?

Digital certificates are electronic proofs of identity that are used for secure communication. They enable a user to ascertain the identity of their communication partner and to establish an encrypted link. They are used, among other things, for email and for encrypted access to web pages. In the same way, electronic documents (e.g. PDF or code) can be signed with a certificate, so that it can be verified that the document really originates from the issuer and was not tampered with after signing. Usually such certificates are bought from Certificate Authorities and are valid for a certain time span.

What is a Certificate Authority?

Such certificates are issued by "Certificate Authorities", or "CAs". These institutions verify the identity of the person or organisation for which the certificate is being issued. By issuing the certificate, the CA confirms the identity of the certificate's owner and permits a third party to identify a communication partner.

What is CAcert?

CAcert is a unique Certificate Authority: it is an Open Community project, supported by the incorporated association CAcert Inc., which is based in Australia. The objective of CAcert is to promote the use of electronic certificates in private and commercial areas and to provide the users with certificates free of charge.

CAcert differs from commercial CAs mainly in that the certificates are issued free of charge and the verification of identity works in a distributed system which resembles the "web of trust" in cryptographic software such as GPG. CAcert operates 100% voluntarily and depends on donations.

How is the identity checked at CAcert?

To get a full certificate from CAcert, the applicant's identity has to be checked by CAcert. This process is known as assurance. To do so, the applicant contacts assurers, who meet the applicant face to face and verify his or her identity based on official documents. Records of the meetings are kept in a points system on CAcert's web site, and when the required number of points is reached, named certificates can be issued for the applicant and GPG keys can be signed.

Identity is normally proven with official government-issued photographic ID documents such as passports, driver's licences, and identity cards. The assurers check these very carefully. The assurance can be completed only if valid, credible proof is shown.

Can I trust CAcert?

The system of CAs is based on the trust you place in the assertions of the CA. Without that trust, secure identification is not possible. CAcert publishes all its practices and policies and so allows every user to judge its trustworthiness.

Link to policies and manuals [1]

Root Certificate

All recent browsers (Chrome, Firefox, Internet Explorer, Safari) and email clients (Thunderbird, Outlook, Windows Mail) have a pre-installed list of so-called "root" certificates. It is these pre-installed root certificates that make secure communication possible: they allow the software to check the authenticity of a signature. By default, the software producer supplies a list of CAs it assumes to be trustworthy. Whether they really are is for the users to decide themselves. At present CAcert is not yet included by default in popular browsers such as Firefox, Internet Explorer and Safari, though work is in progress on changing this. In the meantime you can add the root certificates yourself. [2]
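
As an added illustration (not part of the original page and not CAcert's own material), the script below shows why a certificate issued by a CA missing from the pre-installed list fails verification until that CA's root is added, and why the root's fingerprint should be compared with a value obtained over a separate channel before it is added. It assumes the openssl command-line tool is installed; the CA names, the bundle file store.pem and the helper functions are made up for the example.

```shell
#!/bin/sh
# Constructed demo: throwaway CAs made locally; every name here is made up.

new_root() {    # new_root DIR NAME: self-signed root certificate DIR/NAME.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

issue_leaf() {  # issue_leaf DIR ROOT: ROOT signs a cert for www.example.org
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.org" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/$2.crt" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
}

fingerprint() { # fingerprint CERT: print the SHA-256 fingerprint of CERT
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# add_root STORE CERT EXPECTED: append CERT to the trust bundle STORE only if
# its fingerprint equals EXPECTED (a value obtained over a separate channel).
add_root() {
    [ "$(fingerprint "$2")" = "$3" ] || return 1
    cat "$2" >> "$1"
}

is_trusted() {  # is_trusted STORE CERT: does CERT chain to a root in STORE?
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    dir=$(mktemp -d) || return 1
    new_root "$dir" VendorRoot      # stands in for a pre-installed root
    new_root "$dir" CommunityRoot   # stands in for a root not shipped by default
    issue_leaf "$dir" CommunityRoot
    cp "$dir/VendorRoot.crt" "$dir/store.pem"   # the "pre-installed" list
    is_trusted "$dir/store.pem" "$dir/leaf.crt" && before=trusted || before=untrusted
    # A root whose fingerprint does not match the expected value is refused.
    add_root "$dir/store.pem" "$dir/CommunityRoot.crt" "00:00" && bad=added || bad=refused
    # Demo shortcut: a real expected value comes from the CA, not from the file.
    add_root "$dir/store.pem" "$dir/CommunityRoot.crt" \
        "$(fingerprint "$dir/CommunityRoot.crt")"
    is_trusted "$dir/store.pem" "$dir/leaf.crt" && after=trusted || after=untrusted
    rm -rf "$dir"
    echo "$before $bad $after"
}

demo    # prints: untrusted refused trusted
```

Adding a root makes every certificate issued under it acceptable to the software, so the fingerprint comparison is the step that carries the trust decision.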

[1] (to be added)
[2] https://www.cacert.org/index.php?id=3