February brought the start of the exhibition season for CAcert with our presence at FOSDEM – one of the biggest Europe-wide developer conferences in Brussels, Belgium. Of course we performed our well-known assurances, which is very popular at such events, with which CAcert safeguards its certificates by checking users’ ID documents. This allows us to offer a safe and trustworthy certificate authority to our users. Of particular note was that interested people were seeking more detailed information about security – questions such as what it actually means, and why are we not yet in the trust stores of many of the web browsers. It’s true that Let’s encrypt is trusted by the popular browsers, but if you take a close look at the certificate of a site protected with a Let’s encrypt certificate, you will find out that it does not contain any information about the owner. This means it is impossible to verify the identity of the site and therefore it is basically uncertain to which site the browser is actually connected to. CAcert allows the site owner to publish identification information in the certificate after the assurance – for private users as well as for companies. This way, CAcert offers a clear mutual trust, which makes it worth importing the CAcert-Root-certificate from www.cacert.org.
But there’s more: CAcert offers client certificates as well and signs GPG/PGP keys. Anyone who always wanted to sign his emails and encrypt them if needed, can do this easily with CAcert. Most email clients supports S/MIME certificates or PGP. By this means the authenticity of the sender is verified, and the receipient can verify the name of the certificate owner. Also attachments like PDF can be signed this way and protect the document against later changes.
CAcert is supported by an Australian non-profit association, the operation of the server is safeguarded by the German incorporated society secure-u. This structure has advantages, but the Australian society is possible only as long as CAcert has at least three Australian residents as members of the board. In 2017 we want to bring the association behind the web of trust to Europe. This limits the resources of many of the active members, because the handover must be done under appropriate rules. Anyone who wants to support CAcert can find more details at recent blog post “Prosit 2017” or can send an e-mail to email@example.com
For a secure 2017!
While it might be interesting to some people that their name is in their SSL certificate, most people are simply happy that they get a SSL certificate for free now, without any strings attached.
I personally was a CAcert supporter until last year when I switched to let’s encrypt certificates. My reasoning is at http://cweiske.de/tagebuch/cacert-bye.htm
I think that CAcert fades into irrelevancy when the browser trust issue is not solved. The AuditToDo page in the wiki https://wiki.cacert.org/Audit/ToDo states “THIS PAGE IS MOST LIKELY OUTDATED”, and there is no newer information to find.
Please publish a blog post about the browser inclusion/audit status, and please tell people if anyone is actually working on solving this problem.
One quick comment on Debian’s support for CAcert, mentioned in the article: We are included in the ca-cacert package which upgrades ca-certificates package.
Is anyone at CAcert.org working on ACME protocol support?
If you have programming or testing skills I encourage you to support CAcert with new facilities we have not deployed yet.
In this article one of the major questions you were asked at FOSDEM is: “Why are we not yet in the trust stores of many of the web browsers?”. Although your thoughts, throughout the article, about identity in certificates, is interesting and true, I miss the answer to the above question.
Which advantage do I have in using a CA that is not included in any trust stores (Firefox, Thunderbird, …) when I want to use the certificate not only within my peer group, but also in the public – for example on a public webserver, mails signed with S/MIME, …?
I once was a great supporter for CAcert and did a lot of advertisement. I’m still looking at the activities done by CAcert. But as long as there is zero movement towards being included in the major internet software trust stores, I can’t advertise CAcert any more.