This policy is structured according to RFC 3647 chapter 4.
TBD: "To be discussed" or "to be done": Sections in green require some discussion or someone to fill the blanks.
This document based on the structure suggested by the RFC 3647.
Version 0.2 2004/11/15
This document describes the set of rules and procedures used by CAcert, the community Certificate Authority (CA).
CAcert issues certificate to unassured users, who fulfill the requirements for proper identification as defined in this document.
CAcert issues certificates for individuals, businesses, governments, charities, associations, churches, schools, non-governmental organizations or other legitimate groups.
CAcert doesn't plan to issue certificates to subordinate Certification Authorities at this time.
CAcert doesn't run RAs in a technical sense, but in a legal sense: Entitled "CAcert Assurer" or "Trusted third Parties" report the identification of users to CAcert. In addition, CAcert accepts foreign CAs as RAs, by acknowledging a foreign certificate with a certain amount of trust depending on the CAs policy. CAcert witholds the right to introduce further methods of identification, but ensures, that either a single identification is made reliable enough or multiple less reliable identifications have to be combined in a way defined by CAcert.
CAcert issues:
Everyone who uses CAcert products either directly or indirectly can be a relying party.
N/A
The CPS applies to all CAcert PKI Participants, including CAcert, Assureres, Customers, Resellers, Subscribres and Relying Parties.
Each type of Certificate is generally appropirate for use with the corresponding applications defined in 1.4.1, unless prohibited in 1.4.2. Additionally, by contract or within a specific environment (e.g. company-internally), CAcert users are permitted to use Certificates for higher security applications. Any such usage, however, is limited to such entities and these entitites shall be responsible for any harm or liability caused by such usage.
CAcert certificates are not designed, intended, or authorized for use or resale as control equipment in hazardous circumstances or for uses requiring fail-safe performance such as the operation of nuclear facilities, aircraft navigation or communication systems, air traffic control systems, or weapons control systems, where failure could lead directly to death, personal injury, or severe environmental damage.
Also, anonymous client certificates from CAcert unassured users shall not be used as proof of identity or as support of nonrepudiation of identity or authority.
CAcert certificates should not be used directly for digital signature applications. CAcert is working on the issue, to support the digital signature application in the future. Alternativley, CAcert users can use external digital signature services, which use the CAcert certificate only for realtime-authentication.
Changes are approved by a majority consensus of the board members.
If a rule has been made stricter than before, the status of affected people is not automatically degraded and their certificates are not invalidated, unless there is evidence to to so.
If a rule has been relaxed, the status of affected people is not automatically upgraded unless they apply for this change.
Paragraphs marked "(* imp)" are implementation details as of the time when this policy was written or updated. They are provided just for information and shall not be legally binding.
Change of such an implementation section or correction of spelling, grammer or html errors are not considered policy changes, but rather policy updates. CAcert withholds the right to do them beyond the procedures defined in chapter 2.7.
A certificate is a piece of data used for cryptographic purposes, especially digital signature and encryption in association with appropriate software, which has to be provided by the user.
CAcert is a community project as defined under section 1.2 Identification
Everyone who visits CAcert or makes use of CAcert's data, programs or services.
A CAcert user, who registers at CAcert, but is not assured yet. The email address of theses users is checked by simple technical means. Currently only individuals, not legal entities can register.
A registered user who requests and receives a certificate
A CAcert user, who has some level of control over the Internet domain name he requests certificates for at CAcert.
A CAcert assurer, who is entitled by an organisation to vouch for the identity of others users of the organisation.
A CAcert registered user, who's identity is assured by an assurer or other means as defined by CAcert.
A CAcert assured user, who is entitled by CAcert to vouch for the identity of other users.
CAcert users, who base their decisions on the fact, that they have been shown a certificate issued by CAcert.
CAcert users, who distribute CAcerts' root or intermediate certificates in any way, including but not limited to delivering these certificates with their products, e.g. browsers, mailers or servers.
Contributions are any kind of intellectual property which find their way into the CAcert project with the consent of the copyright holder. Contributions can be code or content, whole modules, files or just a few lines in a larger file.
Contributions can be submitted via any electronic or material path. Entries in CAcerts' systems, including, but not limited to the Content Management System or the Bug Tracking System are considered Contributions.
Contributors are people or entities that make contributions to CAcert, either because they have been paid for this services, or donated them. Services include, but are not limited to any of their own graphical design work, any sections of their code, software, articles, files, or any other material given to CAcert, is considered a "contribution".
An authorized Contributor is a CAcert Contributor, who is authorized by CAcert to access one, several or all internal, non-public and potentially confidential parts of the CAcert web site, CAcert mailing lists or any non-public documents about CAcert.
CAcert operates its own repositories for the root certificates, issued certificates and CRLs.
CAcert publishes it's root certificate and intermediate certificates if applicable, the latest CRL, a copy of this document, other relevant information.
Certificates and new information will be published as soon as available. CRLs will be published as soon as issued.
There is read only web-access for everyone for the information mentioned under 2.1. Other information like registration information requires authentication.
CAcert has implemented logical and physical security measures to prevent unauthorized persons from adding, deleting, or modifying repository entries.
CAcert assigns a Distinguished Name (DN, X.501) to each entity of a registered user.
In case of Client certificates the DN contains:
Other information about the user is collected, but does not go into the certificate.
In case of server certificates the DN contains:
For certificates of organisations, the following fields are used:
no stipulation
no stipulation
Some check for the uniqueness of users is done during registration (More precisely)
We never issue the same DN twice, unless a certificate with a DN is expired or revoked.
The organisation has to present their "Certificate of Incorporation" (or similar document proving the existance of the organisation) to authenticate itself.
CAcert does not automatically verify the name appearing in the certificate, the domain name or any other fields against trademarks or intellectual property rights. CAcert can reject or suspend any certificate without liability in case of a dispute.
no stipulation
c.f. 1.3: There are three steps involved in assuring the identity of an organization:1) The organization must authorize in writing a named real person to obtain a certificate in the common name (CN) of an organization.2) The authorized, named real person must become verified.3) The authorized, named real person must present the following: a) The written authorization to obtain the certificate (item 1 above). b) Proof of legal existence of the organization, in most cases.Items 2 and 3 may be completed simultaneously.
Individuals are assigned a level of trust on a scale from 0 to 200 points. The actual level of trust is not published, only if specified levels are passed.
When passing 50 points, a registered user becomes an assured user. When passing 100 points an assured user becomes an Assurer.
The points assigned depend on the trust reported by the RAs. The details how to gain trust points are subjected to change. C.f. 5.2.
N/A
Domain-owners have to proof the authority over the domain with an Email-ping to one of several standard email addresses of the domain, or one of the email addresses found in the the whois record of the domain.
CAcert doesn't plan to issue certificates to subordinate Certification Authorities or other PKIs at this time.
Authentication is done only once and does not expire normally. CAcert registered users will be issued certificates based on their current authentication status.
(* imp) Server Certificates of assured people expire after 2 Years
(* imp) Client Certificates of assured people expire after 1 Year
(* imp) Client Certificates of non-assured people exire after 6 Month
(* imp) Client Certificates of non-assured people exire after 6 Month
(* imp) OpenPGP Signatures expire after 1 Year
New request
Done by the user via web interface.
Anyone who has webbrowser capabilities and internet-access is eligible to request CAcert's services.
The user has to generate a key-pair, either with his browser (for client certificates), or manually (for server certificates). Then the certificate request is submitted on the CAcert.org website. The resulting certificate can be downloaded on the website, and is additionally sent by email.
Client certificates are issued to registered users (Persona CA) or to authenticated users.
Server certificates are issued to domain masters.
no stipulation
Private key compromised or certificate owner identified as fraudulent.
The user for his own certificates. CAcert for fraudulent users.
Web Interface for users, notification of CAcert for fraud.
not defined
A relying party must verify a certificate against the most recent CRL issued, in order to validate the use of the certificate.
not defined
Alternative: CRLs are issued after every certificate revocation
(* imp) OCSP under construction
no stipulation
None
no stipulation
Suspension of certificates is not available, only revocation.
N/A
N/A
N/A
The servers are located in a dedicated server housing center.
Physical access is restricted by door-locks and security-personnel
P
P
P
P
P
P
Is this stated correctly? Aren't there any exceptions (remind the various methods for gaining points) Shouldn't some items be marked "imp"? Should we add "Exceptions from these procedures. can be done on a case by case base by a majority consensus of the board"?
PKI doesn't have any inbuilt methods similar to PGP's Web of Trust to provide peer to peer assurances, so to get round this CAcert Inc. was created to over come this short fall and be able to provide a trust model for peer to peer trust.
This is accomplished by several means.
Email addresses are verified and certificates issued in the following manner:
Before the system will issue server certificates to users, the user must prove similar to the email verification system that they have right to control that domain, and any host or subdomains of the domain.
This is achieved by the following:
For Trusted-Third-Party Assurance, Bank managers and Notaries are trusted to proove the identity of the subjects.
For assurance, a mininum number of 2 Assurers are needed.
P
CAcert is supplying documentation about general security and social engineering to its personnel
Duane: Can you write chapter 4.5 and 4.6?
All discuss: We may be required to keep these records for a long time for security and bookkeeping reasons. We may however be required do delete these records asap for privacy reasons.
The system is using the common Linux syslog facilities:
The events are stored, and only processed on manual demand
The logfiles are being archived for at least 6 month.
The access to the audit logs is secured with file permissions, so that only the system administrators have access to the logs.
The logfiles are automatically backupd daily to a backup-server.
N/A
The administrator decides on a case-by-case basis, whether it makes sense to notify the event-causing subject.
c.f. 9.10
The Key Pair is always generated by the user, either offline for server certificates, or online with the Browser.
CAcert never generates Private Keys for users, or delivers them to users.
For OpenPGP certificates, the public key together with the certificates is available in th
The CA public key is always published on the website of CAcert.
Additionally the CA public key can be included in Third-Party Software like Browsers, Email-Clients, ...
The minimum keysize for OpenPGP keys is 1024 Bit.
The minimum keysize for X.509 keys is 1024 Bit.
P
P
(imp): X.509 v3
no stipulation
no stipulation
Is this the same as 3.1.1
Is this the same as 3.1.1
The Policy OID will be a subkey of the key specified under 1.2
no stipulation
no stipulation
no stipulation
(imp): X.509 v2
CAcert declares to operate in compliance with this CPS.
If you want to contribute an audit for free or at a nominal charge, contact CAcert.
P
P
P
P
P
CAcert will publish the results of an audit on the CAcert.org website when it is available.
Registration and certificate lifetime services (issue, revoke, check) are free, but CAcert witholds the right to charge nominal fees for additional services, e.g. the TTP programme. Due to the nominal nature of these fees, refund is usually not provided.
Membership is appreaciated but not required to use CAcert services. Membership fees apply.
P
P
P
P
P
No financial responsibility is accepted.
We are committed to the philosophy of free software, but non of the Open Source Initiative OSI - Licensing perfectly matches the mix of various forms of intellectual property this site consists of, including but not limited to code, content, data, images, design elements. Therefore the terms of GPL will apply to all code which contains such a comment and FDL will apply to all content, which contains such a comment. Elements without such a comment are CAcert proprietary and are not free for distribution. This affects especially the CAcert logo and other elements, which give CAcert its identity. In addition to the GPL/FDL rules, you have to ensure your set up is clearly distinguishable from the original CAcert site and cannot be mistaken for the original.
CAcert is freed from any liabilities to the greatest extend permitted by applicable laws. This includes, but is not limited to restricting the liability to gross negligence and intent.
RAs are freed from any liabilities to the greatest extend permitted by applicable laws. This includes, but is not limited to restricting the liability to gross negligence and intent.
The contributor is at least liable for gross negligence ane intent. Additional liabilities may be set out in an individual contracts.
The contributor will only be liable for gross negligence and intent.
If CAcert should terminate its operation, the root cert and all user information will be deleted.
If CAcert should be taken over by another organization, the board will decide if it's in the interest of the registered users to be converted to the new organization. Registered users will be notified about this change. A new root certificate will be issued.
If CAcert should terminate its operation, the root cert and all user information will be deleted.
If CAcert should be taken over by another organization, the board will decide if it's in the interest of the registered users to be converted to the new organization. Registered users will be notified about this change. A new root certificate will be issued.
A change of this document requires:
Users will not be warned in advance of changes to this document. Relevant changes will be published in the community as possible.
Alternatively: All CAcert registered users will be notified 1 month before the change becomes effective.
Notification of CAcert cert redistributors depends on the contract we may have with them.
This document might be mirrored to other sites or translated into different languages. In case of differences the version on our main site CAcert Inc. is valid.
This policy is applicable under the law of New South Wales, Australia.
If any term of this policy should be invalid under applicable laws, this term should be replaced by the closest match according to applicable laws and the validity of the other terms should not be affected.
Legal disputes arising from the operation of the CAcert will be treated according to the laws of NSW Australia.
Legal disputes arising from the operation of a CAcert Assurer will be treated according to the laws of the Assurers country.
CAcert will provide information about its users if legally forced to do so.
Users have to agree to the applicable terms specified in the appropriate section of this web site. Users who use material from CAcert for cryptographic purposes assure that cryptography is not illegal according to laws applicable to these users.
You warrant that the Service shall not be used: (a) fraudulently or in connection with any criminal offence; or (b) to send, receive, upload, download, use or re-use any material which is offensive, abusive, indecent, defamatory, obscene, menacing, or in breach of copyright, confidence, privacy or any other rights; or (c) to cause annoyance, inconvenience or needless anxiety; or (d) to send unsolicited advertising or promotional material or any other unsolicited Information; or (e) other than in accordance with the use policies and rules of your ISP and any local, state, province, territory or federal laws that may be applicable to you. You agree to be liable for all unauthorised use of the Service. In the event of such unauthorised use, CAcert Inc. can suspend or terminate partially or totally this Agreement, at its sole option. You agree to inform CAcert Inc. immediately if you have any reason to believe that there is likely to be a use of the service in any unauthorised way.
Users will not seek unauthorised access to elements of CAcert's data, site, database and/or information stored by it, beyond the access they have been granted by the CAcert regulations. Information must not be willfully manipulated in any way without the express consent of CAcert or unlawfully altered.
CAcert registered users that the data they register with CAcert are true and complete.
CAcert redistributors deliver CAcerts' certificates unmodified. They don't acquire any rights on the certificates.
The contributor assures that the material he contributes is his intellectual property or he has the right to use it for his contribution.
All rights are granted to CAcert, which is covered by payment for services rendered
The contributor grants CAcert Inc. the non-exclusive right to use any contribution, without any obligations of any licenses, such as the GPL's clause about full disclosure. The contributor has the right to reuse any work for other projects and under other licenses, but this right is limited to any actual contribution. Simply making modifications does not give rights over any greater entity or the site in general. (c.f. Contributions
An authorized contributor may not disclose non public information to any 3rd party without CAcert's express written consent. He is entitled to communicate user related information to the affected user if he took reasonable steps to verify his communication partner is actually the legal owner of this information.
If someone should fall under multiple categories of chapter 2.1 and its subchapters, the sum of responsibilities or the strictest responsibility applies
CAcert operates their service and distributes material in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.
Particularly CAcert issues certificates for CAcert registered users based on the information provided by the RA, revokes certificates based on the certificate owners requests and publishes the Certificate Revocation Lists (CRLs)
CAcert assurers stipulate that they assure CAcert users according to the current assurance rules set up by CAcert.
CAcert subscribers will provide accurate Data to CAcert and they issue a revocation request if their private key gets lost or becomes compromised.
CAcert domain masters assure that they are legal owners of the domains they request certificates for or are given the authority to do so by the domain owner.
CAcert users assure that the statements they made towards CAcert or the CAcert assurer are true and complete.
Subscribers are notified hereby that electronic signatures can be legally binding. The extent to which they are trusted depends on local legislation. Specifically CAcert certificates do not enable you to do "qualified signatures". That means that jurisdiction will decide on a case by case base whether or not they are legally binding. Because of these legal implications, Subscribers must protect their private keys. This included, that they are not supposed to provide this key to CAcert.
Digital encryption is not meant to be recovered without the private key. If the private key is lost, all encrypted documents are lost and cannot be recovered. If the certificate expires or is revoked, some software will also refuse to decrypt documents. CAcert does not own this private key (c.f. previous paragraph) and thus cannot recover it. Therefore users are supposed to backup their key or prepare for the loss of encrypted documents.
CAcert relying party assure that they inquired all details necessary to validate their decision. This includes, but is not limited to the check of the presented certificate against expiry time, current certificate revocation list (CRL), certificate chain and the validity check of the certificates in the chain.
The relying party is not freed from these responsibilities by the fact that a redistributor included CAcerts' root or intermediate certificate in a product that the relying party uses.
CAcert does not recommend to use its certificates to secure transactions above $1.000. If subscribers do so anyway, this may further restrict CAcerts' liability.
CAcert will provide technical means to check for revoked certificates.
