Please note that this document is DEPRECATED.
Please go to the AssuranceHandbook2 for the real stuff.
CAcert assurer handbook
2005-06-30
This document has been extensively rewritten as AssuranceHandbook2; everyone is referred there. The document below is deprecated by the Policy status of the Assurance Policy, which refers the handbook to AssuranceHandbook2.
Table of Contents
- CAcert assurer handbook
- Requirements
- The assurance procedure
- Issue certificates
- Mailclient setup
- FAQ - frequently asked questions
- Who is CAcert?
- What is a CA?
- What is the goal of CAcert?
- What is CAcert doing?
- What is the difference to other CAs?
- May children be assured?
- How is privacy protected?
- Is CAcert included in browsers by default?
- Does CAcert have qualified certificates?
- What can I do with my certificates?
- What is the fingerprint from CAcert?
- What is an assurance?
- Which technologies are supported?
- Are there special requirements for certificates?
- Is the sourcecode available?
- Why are always 2 assurers needed?
- Does CAcert use OCSP?
- How many people use CAcert?
- What does web of trust (wot) mean?
- Support
Requirements
- In every CAcert office there should be at least two assurers available during the specified opening times.
- The assurer should be well practiced at assuring and checking of official documents (IDs, driver's license, ...). Maybe he should assure friends and family first.
Be prepared for the case that foreign or unusual documents are presented to you. Have a look at AcceptableDocuments to find out more about which official documents are considered as acceptable in different countries.
The office address needs to be published on http://cacert.org/. Changes must be made known there.
Information needed for a CAcert office entry
- opening times
- exact address (Physical Business Address)
- telephone and perhaps mobile numbers
- email address
- detailed directions so people can easily find their way
Question: I have not seen anything like a 'CAcert office' till now, and I doubt if it is a sensible concept for the average assurer. I'd just distinguish between 'individual assurances', where a meeting is agreed directly between assurer and assuree(s), and 'events' or 'signing parties', which are published using CAcert's infrastructure. For the first kind of meeting the assurer should know in advance whom s/he is going to assure on the basis of which documents. During an event s/he may meet some surprises considering the presented documents.
The assurance procedure
Preparation
Individual assurance
- If preparing for an individual assurance ask the assuree which documents s/he wants to present, so you can do some research in advance if they are uncommon to you.
- Maybe print out the assuree's CAP form yourself, so there is a bigger chance that at least one is present.
- Do you have a ballpoint pen with you?
Events
Have a look at EventOrganisation. The topic is the same, written by another author; maybe there are some useful hints not covered here.
There should be enough assurers on the event for assurees to reach 50 points at any time, if possible even 100 points. Try a post at cacert@lists.cacert.org or cacert-de@lists.cacert.org to find more assurers.
- On the Systems 2006, a medium sized trade fair, I made 32 assurances during one day, with 2-4 other assurers present who probably made about the same number. I guess about 50 assurances per day would be the maximum possible per assurer on a small booth.
Place a notification of the event on CACert's homepage by creating an entry for your event in the CACert blog http://blog.cacert.org/
Maybe send a mailing to potential assurees who want to receive notifications. Post a message on cacert@lists.cacert.org that you want to do this. Can support@cacert.org also be contacted for this?
If possible get some "Marketing Material" and some CAcert logos, as big as possible, preferably coloured. But an A4 monochrome laser printout is better than nothing, it's a community project after all, isn't it? Have a look at http://ivamp.de/cert/ for some material in German.
Forms and ballpoint pens must be available. You can get the forms from http://www.cacert.org/cap.php (Hint: maybe use it as test printing page for printer companies... ).
If possible (most of the time it isn't, since booths typically are small) try to have a printer at the booth and a way to print out pre-filled CAP forms. Printed forms are considerably easier to read than hand-written ones. Have a look at cap.html. Copy it to your computer, replace my name, my location and the other specifics with your data and open it with any browser to get a form for simple generation of pre-filled PDF files. Let the user enter his name, birthdate and email and print the form, so you can be quite sure that you will be able to read the information once you're back home.
- A laptop or other computer with internet access is a great thing to have present, even if there's no printer. You can show interested people the CAcert homepage and how to use it. But avoid logging on to your CAcert account, and don't let other people create accounts on the fly. At a typical event it is usually far too easy for someone to watch passwords being entered or otherwise abuse a logged-on account!
- Be prepared that probably most people won't have a CAcert account before meeting you. You can still fill out the CAP form, do the document checking and issue the points once the account is created, but there are some things to remember:
- Many handwritings are hard to read. If you have any doubts copy the data yourself to the free area at the bottom of the CAP form.
Have some "business cards" ready containing (at least) your email and CAcert's home URL (http://www.cacert.org). They do not have to be professionally designed cards; a small piece of paper is good enough. Hand them to assured persons so they can notify you once they have created their new account, or simply in case you forget about them.
The new account must be created with the same data (Name, Date of birth, email) as noted on the CAP form. Otherwise the new account could be forged by someone else watching the Assurance!
- If you are notified that the new account has been created it's important to compare the data of the account with the data printed or written on the CAP form. Do not issue your points if you don't have the CAP form present to compare the data. There may have been a simple typo during the registration process, and once such an account is given points things get more complicated!
- If someone complains that s/he cannot create a CAcert account do not simply assume that the one made a mistake (though that's the most probable case). Try to help the person or find someone on IRC or the mailing lists to help her/him. There is the (quite remote) possibility that someone watching the Assurance has created an account for the applicant's email...
Assurance
- First the customer needs a completed form for every assurer
- If possible the customer should print his/her own form using the CAcert website. Printed forms are considerably easier to read than hand-written ones. Go to FAQ/AssurancePrefilledForms to find out how to print out pre-filled CAP forms.
- If using "empty" forms the customer fills in the above part of the form.
- Don't forget date and signature. Of course they must be hand written, preferably while the assurer is watching.
Every assurer needs to verify the customer's identification documents:
- at least one official (government issued) photo identity card is needed, if possible more than one (passport, ID card, driver's license).
- the second identity document must be government issued but does not require a photo.
- student IDs, personal tickets or similar are NOT official and not usually government issued.
- bankcards, creditcards or other commonly used identification documents can be taken as an indication of identity but cannot be used as one of the official identity documents (they are useful to confirm the identity of the person so you can award full points).
Verification
See also AcceptableDocuments.
- Picture
- In some countries driver's licenses never expire so you have to be aware of very old pictures and signatures.
- Signature
- it is preferable that the customer makes her/his signature on the form while the assurer is watching
- if the customer's signature is not recognizable ask him/her to sign in a way comparable to the signature on the document (newer bankcards are sometimes a good indication if the signature has changed dramatically).
- if any document is not signed please ask the customer to sign it now.
- Security Features
- stamp must be seamless on picture and document
- holograms
- special printing techniques like fineprint and colors
- special paper
- human readable data should match the machine readable zone on the document.
- watermarks
- Expiration date
- driver's licenses often have none (depends on the country).
- passport has one (typically 10 years)
- bank- and creditcards sometimes only have a number like 05. Otherwise they are usually valid for 2 to 5 years.
- expired documents are acceptable as indication, you may reduce the points you give.
- you should inform the customer if documents will expire soon.
- Do the date of issue and the expiry date make sense and result in a sensible validity period (e.g. 10 years)?
- Date of birth
- don't get confused by the different formats all over the world. Check your input twice if the formats are the same on the form, the documents and the webinterface. If the date in the webinterface is wrong, it must be changed BEFORE you can give the points.
- does the DoB make sense?
Children can also be assured; there is no minimum age (in fact there is, since the CAP form must be signed by the child and not its parent, and acceptable photo IDs are seldom issued to infants under 10). Question: Is this official policy? Does it make sense to assure children at infant age? The reason I'd not assure infants (let's say up to the age of 14) is that they can protect their credentials against theft even less well than most grown-ups.
- Test Questions:
- One or more names
- place of birth
- artist name (officially recognised alternate names a person uses)
- place of issue
IMPORTANT : IT SHOULD TAKE YOU AT LEAST A MINUTE TO CHECK THE IDs! SOMEONE TRYING TO HURRY YOU IS A SIGN THAT THERE IS SOMETHING FISHY ABOUT THE DOCUMENTS
- To be checked on the form:
- is everything filled in (date and signature are easily forgotten).
- compare all data on the form with all given IDs.
- If the person has more first names than s/he filled in, add them yourself. Otherwise you are not allowed to assure him/her if the account uses a name that is not on your form, since you cannot assure names you have not verified. (note: it is not obligatory to give all names when creating the account! You can assure him/her with just one of his/her names)
Question: How to handle birthnames/married names?
- IMPORTANT: is the email address readable? Otherwise you can't give points later. If in doubt write it again near the original on the form so you can read it.
- Assurer part of the form:
- Your name, signature and the date of the day.
- Kind of verified documents (ID, passport, driver's license).
- At the customer's request you should also record the serial numbers of the IDs you have verified. Some other CAs require it; for CAcert assurance it is not needed. Identity theft is widespread in America, so recording them would not improve security.
- Points
- You may only give full points if there absolutely is no doubt in the identity! In all other cases you have to give less. If unsure about identity you must not give any.
Question: How to handle the situation if the customer only presents documents which are unfamiliar to the assurer, let's say some central African national ID and driver's licence? No Points or, if they have an official look, reduced (how much?) points?
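The MRZ, date-of-birth and expiry checks above can be made mechanical. The following Python example is added to this handbook and is not CAcert tooling: it implements the ICAO 9303 check-digit rule for the second MRZ line of a passport and compares the MRZ birth date with the date written on the CAP form. The MRZ line is the specimen from the ICAO 9303 specification; the form date and the "today" date are constructed inputs, and the rule that an expiry date lies in the 2000s is an assumption of this example.

```python
"""Cross-check a passport MRZ against the CAP form (added example, not CAcert tooling).

ICAO 9303 check digits: the weights 7, 3, 1 repeat over the field; digits count
as their value, letters A-Z as 10-35 and the filler '<' as 0; the check digit is
the weighted sum modulo 10.
"""
from datetime import date

WEIGHTS = (7, 3, 1)

# Specimen second line of a passport MRZ from the ICAO 9303 specification.
SPECIMEN = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"


def char_value(c: str) -> int:
    """Map one MRZ character to its ICAO 9303 numeric value."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Compute the ICAO 9303 check digit of a field."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def parse_td3_line2(line: str) -> dict:
    """Split the 44-character second MRZ line of a passport and verify all check digits.

    Returns the fields plus a list of the check digits that did not verify."""
    if len(line) != 44:
        raise ValueError("second MRZ line of a passport must be 44 characters")
    fields = {
        "document_number": line[0:9],
        "nationality": line[10:13],
        "birth_date": line[13:19],   # YYMMDD
        "sex": line[20],
        "expiry_date": line[21:27],  # YYMMDD
        "optional_data": line[28:42],
    }
    # (field, check digit as printed) for every checked field; the composite
    # check covers document number, birth date, expiry date and optional data
    # together with their own check digits.
    checks = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    failures = []
    for name, (field, printed) in checks.items():
        # ICAO allows '<' instead of a check digit for an empty optional field
        if name == "optional_data" and printed == "<" and field.strip("<") == "":
            continue
        if printed != str(check_digit(field)):
            failures.append(name)
    fields["check_failures"] = failures
    return fields


def mrz_date(yymmdd: str, today: date, is_birth_date: bool) -> date:
    """Expand a YYMMDD MRZ date. A birth year can never lie in the future; the
    expiry date of a document presented today is assumed to be in the 2000s."""
    yy, mm, dd = int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:6])
    if is_birth_date:
        century = 1900 if yy > today.year % 100 else 2000
    else:
        century = 2000  # assumption of this example, see docstring
    return date(century + yy, mm, dd)


def compare_with_form(mrz_line: str, form_birth_date_iso: str, today_iso: str) -> dict:
    """The three things the handbook asks for: do the check digits verify, does the
    MRZ birth date match the CAP form, and has the document expired (an expired
    document is only an indication, so reduce the points)."""
    today = date.fromisoformat(today_iso)
    form_birth_date = date.fromisoformat(form_birth_date_iso)
    fields = parse_td3_line2(mrz_line)
    return {
        "check_digits_ok": not fields["check_failures"],
        "birth_date_matches_form":
            mrz_date(fields["birth_date"], today, True) == form_birth_date,
        "document_expired":
            mrz_date(fields["expiry_date"], today, False) < today,
    }


if __name__ == "__main__":
    # Constructed inputs: the form says 12 August 1974, the check is done on 1 Jan 2013.
    print(compare_with_form(SPECIMEN, "1974-08-12", "2013-01-01"))
```

A single altered digit in the birth date makes both the field's own check digit and the composite check digit fail, which is exactly why comparing the printed data with the MRZ is worth the minute the handbook asks you to spend.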
Points scheme
- 0-49 points: This person is not assured and his/her name won't be included in certificates. Also, these certificates expire after at most 6 months. With more than 0 points, the personal details can no longer be changed by oneself.
- 50 points: "assured" the name can be added to the certificate. The server certificates are valid for 2 years. You can get a signed PGP/GPG key.
- 100 points: "assurer" the maximum number of points one can get from other assurers. The identity of others can be verified and you can (please do) be listed in the assurerlist on cacert.org. Code signing authorisation may be requested.
- 150 points: "fully assured" maximum points you can get. You get 2 points for each assurance you complete.
- 200 points: "superassurer" time limited status for very special events. One needs 150 points and the agreement of two board members (no longer in Germany)
Table of issuable points
Your Assurance Points | Issuable Points
100 | 10
110 | 15
120 | 20
130 | 25
140 | 30
150 | 35
For every assurance one gets 2 points, up to the maximum of 150 points.
This guarantees a general 4-eye check. To have your own certificates you have to be verified by at least 2 assurers. To become an assurer you must have been checked by at least 3 assurers and have to practise a bit until you are fully assured.
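To make the arithmetic of the points scheme concrete, here is an added Python model of the rules stated above (example code, not CAcert's own software): the issuable points from the table, the cap of 100 points received from other assurers, the 2 points per completed assurance, and the overall maximum of 150. The handbook only lists the table steps, so treating a total such as 105 as the step below it (100) is an assumption of this example, as are the account names.

```python
"""Model of the handbook's points scheme (added example, not CAcert software)."""
from dataclasses import dataclass

# Table of issuable points: assurer's own points -> points they may issue per assurance
ISSUABLE = {100: 10, 110: 15, 120: 20, 130: 25, 140: 30, 150: 35}
MAX_FROM_OTHERS = 100      # the most one can receive from other assurers
MAX_TOTAL = 150            # "fully assured"
POINTS_PER_ASSURANCE = 2   # earned by the assurer for each completed assurance
ASSURER_MINIMUM = 100      # below this one may not issue points at all


def issuable_points(assurer_points: int) -> int:
    """Points an assurer may issue; totals between table rows use the lower row (assumption)."""
    steps = [p for p in ISSUABLE if p <= assurer_points]
    return ISSUABLE[max(steps)] if steps else 0


def status(points: int) -> str:
    """Status names as used in the points scheme above."""
    if points >= MAX_TOTAL:
        return "fully assured"
    if points >= ASSURER_MINIMUM:
        return "assurer"
    if points >= 50:
        return "assured"
    return "not assured"


@dataclass
class Account:
    email: str
    from_others: int = 0     # points received from other assurers
    from_assuring: int = 0   # points earned by assuring others

    @property
    def points(self) -> int:
        return min(self.from_others + self.from_assuring, MAX_TOTAL)


def record_assurance(assurer: Account, assuree: Account, points: int) -> int:
    """Apply one assurance and return the points actually credited to the assuree.

    Raises if the assurer may not issue points at all, tries to assure themself,
    or exceeds the issuable amount; points beyond the assuree's cap are dropped."""
    if assurer.points < ASSURER_MINIMUM:
        raise PermissionError(f"{assurer.email} has {assurer.points} points, needs {ASSURER_MINIMUM}")
    if assurer.email == assuree.email:
        raise ValueError("one cannot assure oneself")
    limit = issuable_points(assurer.points)
    if not 0 <= points <= limit:
        raise ValueError(f"{assurer.email} may issue at most {limit} points, not {points}")
    credited = min(points, MAX_FROM_OTHERS - assuree.from_others)
    assuree.from_others += credited
    assurer.from_assuring += POINTS_PER_ASSURANCE
    return credited


if __name__ == "__main__":
    # Constructed accounts: alice is a fresh assurer with exactly 100 points.
    alice = Account("alice@example.org", from_others=100)
    bob = Account("bob@example.org")
    record_assurance(alice, bob, 10)
    print(bob.points, status(bob.points), alice.points, issuable_points(alice.points))
```

The model shows why a newcomer needs several meetings: a fresh assurer may issue only 10 points per assurance, so reaching the 50-point "assured" level takes at least five assurances by such assurers, and the 100-point cap on points from others is what forces the "exercise a bit" phase before one is fully assured.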
Fees
- Certificates are free! Customers issue them themselves via the web interface.
- Assurances may cost money, but the price has to be set out before the meeting; otherwise it must be done at no charge.
- Assurance at one of our franchising partners in central Europe will cost 12.5 EUR per assurer, so normally it is 25 EUR for 2 assurers. Other countries may define their own prices to fit local conditions. Please see http://www.cacert.org/franchising.html.
- Assurance and consulting on-site at the customer will cost 50 euros in central Europe when made by 2 assurers. Other countries may define their own price to fit local conditions. Please refer to http://www.cacert.org/consulting.html.
- You may give discount for students or premium customers.
- VIP assurances should be made for free. This is for people who are important for us to be assured. You will be notified by the cacert team about an assurance to be made. IMPORTANT: VIPs must be verified very carefully. A mistake here could have fatal consequences.
Possible problems
If someone has faked or contradictory IDs, get as much information as possible about this person:
- do the normal assurance but write down the numbers of the IDs, and keep the form separately.
- directly mail all information and an exact report about what happened (what was wrong) to abuse@cacert.org.
Give Points
- do not do it from a computer which is not secure (which may have malware like viruses and trojans on it). If in doubt do it from a Live CD like Knoppix; audited CDs will be given out to the franchising offices.
- use an up-to-date browser and go to https://www.cacert.org/.
- go to "normal login" and fill in your email address and password.
- go to "web of trust" / "assure someone".
- fill in the customer's email address and the rest of the form. The date is only necessary if the meeting was not today.
FOR SECURITY REASONS: LOGOFF AND CLOSE THE BROWSER WHEN WORK IS DONE.
Work after the meeting
- if the customer hasn't created an account before your assurance, you have to check repeatedly over the next couple of days whether the account has been created, and give the points once it exists (tell the customer to use the same email address for the account as was used on the form! Even better, make sure the customer has registered before arriving).
- if the work is done, note that on your form.
- FORMS HAVE TO BE SECURELY KEPT FOR SEVEN YEARS. YOU ARE PERSONALLY RESPONSIBLE FOR THAT! Note: The forms must be retained as the original paper. Scanning and digital storage make the verification of the signature more difficult and may violate laws like the German Data Protection Act.
- if any doubts come up, the people at CAcert headquarters may ask you to send the assurance form to them. Question: Who is allowed to request an assurance form and how does s/he authenticate her/himself?
- if you are unable to keep assurance forms, they must be securely sent to CAcert headquarters.
Sending CAP forms to CAcert
You may be requested to send CAP forms to CAcert, maybe because there was a complaint about a certificate or just as part of a quality assurance process. CAP forms contain personal data, so the requester has to be authorized to see them and you have to make sure that no one else can read that data.
- You'll have to verify that the requestor's email is @cacert.org. No other TLD (like .com, .net etc) is allowed!
- The request will be sent to you either signed by a CAcert verified PGP key or using a CAcert-issued S/MIME certificate. Please ensure that the certificate is valid and issued/signed by CAcert.
- If you don't know how to reliably verify a signature please ask someone for help on IRC (irc://irc.cacert.org/cacert or irc://irc.cacert.org/cacert.ger) or on one of the mailing lists (like mailto:cacert@lists.cacert.org or mailto:cacert-de@lists.cacert.org). This is not a trivial task; don't just trust your mailer's icon!
- Usually you are requested to send a scan of the CAP form. Please make sure that you send the image using an encrypted mail. If you cannot send it encrypted for any reason, send a copy of the form via paper mail.
- If you are requested to send in the original CAP form, keep a copy of it in your documents. N.B.: I have not heard of this being requested, but it may be necessary some time.
If you have any doubts about a request ask other assurers for help! If the request tries to discourage you from getting help (stating it a top secret business or something like that) there's something fishy about the request!
Issue certificates
To get a certificate for your email address please do:
- Login at CAcert.org
- email addresses -> new
- add it -> continue. Now you get an email to that address. Please open the link in it to verify that it is your email address.
- email addresses -> show. Check if it is verified now.
- go to client certificates -> new
- pick the email address you want a certificate for
- "crypto-service-provider" lets you decide if you want to create the keys on a smartcard or on your computer.
- decide if you want your name in the cert or an anonymous one -> continue
- import cert
- depending on the mail and browsing software you use, you can directly use it or you have to export it from the browser and import it into your mail software.
- to export it in Firefox (ADD more browsers!!!) go to preferences / advanced / manage certificates and export it to a PKCS#12 (.p12, .pkcs) file
- this PKCS#12 file you can import into your mail client
Mailclient setup
- which cert should be used for your email address?
- should emails be signed? You should affirm that.
- should emails be encrypted if possible? This is recommended.
FAQ - frequently asked questions
Who is CAcert?
- CAcert is a non profit association incorporated in Australia.
What is a CA?
- A CA verifies the identity of persons or organisations and issues digital certificates.
What is the goal of CAcert?
- make security affordable and available for everyone.
- secure the internet and increase trustworthiness.
- privacy through encryption.
- security through authentication.
What is CAcert doing?
- CAcert issues SSL certificates. It is a certification-service-provider.
What is the difference to other CAs?
- CAcert separates assurance (confirmation of identity) from the issuing of certificates, so the identity only has to be confirmed once; afterwards as many certificates as needed can be created at any time.
- CAcert is mainly community based.
May children be assured?
- Yes, people under the age of 18 may assure others but can't issue more than 10 points.
How is privacy protected?
- Forms stay with the assurer and are only forwarded to CAcert under special circumstances.
- From the outside it is not evident who assured whom.
- CAcert will not give any data to third persons or third parties.
For more details look at the official privacy policy at http://www.cacert.org/index.php?id=10
Is CAcert included in browsers by default?
Please see: http://wiki.cacert.org/wiki/InclusionStatus
Does CAcert have qualified certificates?
- Not at the moment. We are working on that.
What can I do with my certificates?
- HTTPS webserver (get rid of selfsigned certs)
- Sign and Encrypt mail (pgp/gpg and S/MIME)
- SSL/TLS authentication based on the X.509 standard for websites, VPNs and much more
What is the fingerprint from CAcert?
It depends on the certificate type. See list of fingerprints.
- you also find them on our forms.
What is an assurance?
- Assurance is a service where the assurer verifies the identity of a person by means of official photo IDs on behalf of CAcert. The assurer then gives points to the person's lifetime account on CAcert.
Which technologies are supported?
- X509 Certificates
- Server Certificates
- Client Certificates
- Code signing Certificates
- OpenPGP signatures
Are there special requirements for certificates?
There are special requirements for certificates for:
- code signing (java,active-x,mobile,....)
- IDN - international domain names
For those certificates you need to be an Assurer according to CPS 1.4.5.
Note: in the older pre-CPS days, you needed at least 100 points and had to send a copy of your photo ID to CAcert. However, the photo ID requirement was dropped around 2008.
Is the sourcecode available?
The source code is available for auditing but must not be used for any other purpose.
Why are always 2 assurers needed?
- This 4-eye check increases plausibility and reduces possible mistakes, therefore it enhances security.
Does CAcert use OCSP?
How many people use CAcert?
For current data please see http://www.cacert.org/stats.php
What does web of trust (wot) mean?
- the mutual assurances between members increase the trustworthiness of the identities in the network.
Support
CAcert Headquarters, P.O. Box 4107, Denistone East NSW 2112, Australia
CAcert support Austria: http://www.cacert.at/ office@cacert.at
On the Internet:
Wiki: http://wiki.cacert.org/
Chat: irc://irc.cacert.org
#cacert english channel
#cacert.ger german language channel
If you do not know how to use an IRC client you may also try the Webchat on