CAcert - Free security for the world!

Posted on: Thu, 22 Mar 2007 22:30 By: patrick

Have you ever created a self-signed digital certificate, or created your own pseudo Certificate Authority (CA) so that you could issue your own certificates? Have you done so because you did not want to buy these certificates from VeriSign or some other commercial CA for an exorbitant annual fee? Were you annoyed that web browsers and other client software displayed alarm messages when they encountered your own, "cheaply manufactured" certificates - thereby implying to users that those certificates are not to be trusted?

Enter CAcert, a CA that issues digital certificates for free!

CAcert is a community effort without any commercial interests. Anybody can get any number of digital certificates to sign or encrypt email messages, or to provide protected services such as https, essentially for free! The only requirement is to create an account on http://cacert.org/. Demonstrating that security is not just a byword for the CAcert people, the registration process requires you to provide a strong password and 5 (!) lost-password questions of your own devising.

After creating your account you can immediately start issuing certificates. You will soon notice that these certificates are rather short-lived and that (in the case of client certificates) they do not include your name. The reason for this is that, being a new CAcert user, your trust level with CAcert is very low - essentially the only thing CAcert knows about you is that you are the person that has access to the email address that you specified on registration.

To increase your trust level you must gain trust, or assurance, points. Your newly created account has 0 trust/assurance points. To increase this number, you have to take part in the CAcert Assurance Program (CAP). You will meet physically with so-called "assurers" and show them 2 (!) pieces of government-issued identification (e.g. passport, driver's license), at least one of which must be a photo ID. After the assurers have successfully verified your identity, they will award you a number of trust/assurance points. This process is called "getting assured".

As you gain trust/assurance points, your trust level with CAcert goes up and you will be able to do more things on cacert.org. For instance, once you have at least 100 points you become an assurer yourself and can start assuring other people. An assurer can award only a limited number of points, according to his or her own trust level. This means that you will have to meet more than one assurer in order to get your 100 points.

The above is a basic overview of how CAcert's web of trust works. For details you should have a closer look at the CAcert website (especially the wiki). For instance, details about trust point levels can be found at http://wiki.cacert.org/wiki/FAQ/AssuranceDetails.

My personal goal is to first get 50 trust points so that I can issue server certificates that are valid for 24 months. The next step will be to become an assurer myself. I will post updates on my CAcert status so that you can track the process of the assurance program over time.
