Presentation given at the TLUG tech meeting on 2011/2/19.
It includes introductory information on CAcert, and also an invitation to the first official CAcert ATE (Assurer Training Event) Tokyo in Japan.
ATE Tokyo will be on Mar 5 (Sun), during OSC (OpenSource Conference) 2011 Tokyo/Spring at Waseda University (near Shinjuku).
6. Solution: “Chain of trust”
For you, everything is built on these 2 links you trust!
[Diagram: Root CA, Intermediate CA, Users; Web, Email, App; Distribution]
7. So, what about CAcert?
Usual CA: The G-O-D(tm) Root CA. “All you need is to BELIEVE (me)”
CAcert: Automated Issuer, Web-of-Trust. “Trust each other, and I'll bless you”
8. In other words,
Now, the G-O-D is gone, replaced by the Web-of-Trust.
9. What can CAcert do for me?
0pt: Issues minimal server / client / S/MIME cert. Valid for 6 months.
50pt: Issues fully descriptive cert, backed by higher class cert. Valid for 2 years.
100pt: All of the above + code-signing cert. You can also give out points if you pass the Assurer Challenge test.
By being “assured”, you'll obtain points for creating higher-level certificates.
11. But WAIT!
Isn't that an “Ore-Ore”?
Named after the “Ore-Ore” fraud scheme, in which the caller phones an elderly person (like 80+ years old) and says “Grandma, it's me! (Ore!) I had an accident with Yakuza, and need to pay them! Please! Let me borrow $5000! My bank account is...”.
Whoever gets the call panics and sends the money without thinking.
So an “Ore-Ore” cert is a cert that claims its public authority without the backing of any other public CA.
12. Going for a “True” Root CA
● Already in many Linux/*BSD distros
● Current target: Mozilla
● Windows and OSX: TBD
There are “cheap” commercial CAs.
But CAcert's goals are:
・ To build a world-acknowledged CA based on community effort
・ To provide *everyone* a secure env.
It's also useful for making cert management easier!
13. Going for a “True” Root CA
In short, an audit by an independent third party is required.
And in 2010, CAcert prepared all the legal docs and (strict) policy for an audit! (Some are still in draft.)
14. How does it work, and what do I do?
For Users
1. Register at CAcert.org
2. Print the CAP form, and bring it with you, along with a government-issued ID.
3. Fill out, sign, and hand over the CAP form in front of an assurer, face-to-face.
You can start issuing certs right after registration. You just need more points to create higher-level ones.
15. How does it work, and what do I do?
For Assurers
1. Do your best to check the validity of the user-provided ID (e.g. UV-light checks)
2. Understand and explain the member's obligations (ref: Community Agreement)
3. Don't just give out full points. Give points based on your “confidence”.
Think: What if some Martian comes up and presents you an ID of “Galactic Empire”?
16. Topics in Japan
We are having the first official CAcert event in Japan!
17. ATE Tokyo (Assurer Training Event)
1. One of the requirements to become a “Senior Assurer”.
2. A chance to assure people and become an “Experienced Assurer”.
3. A chance to obtain 100+pt.
Peter Yuill of CAcert.org, who happens to be in Japan during the OSC2011 period, has offered to be a “trainer” for the event!
If you miss this, the “next time” might not come for a few years!
18. NOTE: Assurer “Experience Point”
0EP: Can give up to 10pt/assurance. Each assurance provides 2EP back to the assurer.
...
50EP: Can give up to 35pt. Anyone who reaches this level is called an “Exp. Assurer”.
A Senior Assurer is an “Exp. Assurer”++, who is regarded as capable of handling deeper CAcert activities.
19. Announcement
Date: 2011/3/5
Place: Waseda Univ. West Campus (63&61) + city's meetup space
Sessions:
- Training (ATE) in OSC
- Assurance (signing) in OSC and right after OSC closing
[Map labels: Shinjuku Sports Center; Dept of Sci. and Eng.]
Please go and register at http://www.ospn.jp/osc2011-spring/ !