[lug] OT: Free S/MIME email certificates

Andrew Diederich andrewdied at gmail.com
Thu Feb 16 09:30:30 MST 2006


Both CAcert (http://www.cacert.org) and Thawte (http://www.thawte.com)
offer free X.509 S/MIME email certificates.  With CAcert you can also
issue server SSL certificates, and TLS certificates for XMPP/Jabber
servers.  The catch is that, for the system to trust you are who you say
you are, you need known people to vouch for you in the web of trust (WoT),
similar to PGP/GPG key signing.

I've used CAcert certificates for email and servers for two employers.
They can come in quite handy.  The kicker is that most programs and
distributions don't include the root certificates for it, so you need
to import those by hand.  Debian and Wildfire (an XMPP/Jabber server)
include the CAcert root certs.  Firefox probably will later; Windows
does not include them.

Besides registering in the system, to get points awarded you need to
bring ID so the assurer/notary knows what your legal name is.  For
CAcert the requirement is two government-issued IDs, one with a
picture.  So, a driver's license, state ID, military ID or passport
covers that, and an SSN card or birth certificate covers the second.
Student IDs don't count.  For Thawte you only need one picture ID, but
you also need to have a national government number registered in their
system, so most people use a driver's license, which covers both.
Using an SSN is allowed, but highly discouraged.

For both systems you need 50 points to get your name in a certificate,
and 100 points to be able to award points to others.  I can issue 35
points for CAcert and 10 points for Thawte.  There is another fellow I
work with who can also issue points for both.

Commonly I've seen the email certs used for email signing (identity,
really) more than encryption.  They can also be used for client auth,
and I'm setting up Postfix to use CAcert client certificates for TLS
client auth using STARTTLS so I can have road warriors auth against a
mail server securely without VPN access.  I've used CAcert server certs
for websites and HTTPS applications.  The nice thing about the Thawte
email certificates is that the root cert is included in all browsers and
(I suppose) mail programs, so it is trusted more readily.

I am happy to assure (CAcert) or notarize (Thawte) BLUG folks.  I work
in east Boulder.  If you're interested in getting assured/notarized,
feel free to email me off list and we'll set up a time.

--
Andrew Diederich
andrewdied at gmail.com
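The Postfix STARTTLS client-certificate setup the post mentions, written out as an added example rather than the poster's own configuration; the certificate paths, the hostname and the fingerprint are placeholders, and the fingerprint digest parameter assumes Postfix 2.5 or later.

```ini
# /etc/postfix/main.cf (added example; paths are placeholders)
# Offer STARTTLS and present the server's own CAcert-issued certificate.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.org.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.example.org.key
# CA bundle used to verify client certificates. Distributions rarely ship
# the CAcert root, so it is imported by hand into this file.
smtpd_tls_CAfile = /etc/postfix/certs/cacert-root.crt
# Ask every client for a certificate but do not require one, so ordinary
# MTAs without a client cert can still deliver mail to us.
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
# Postfix 2.5+ only; earlier releases fingerprint with md5.
smtpd_tls_fingerprint_digest = sha256
# Table of verified client certificates allowed to relay, keyed by
# certificate fingerprint.
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
# permit_tls_clientcerts matches only certs listed in relay_clientcerts.
# permit_tls_all_clientcerts would accept any cert that chains to the CA,
# which with a public CA like CAcert means any assured member, so it is
# deliberately not used here.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_tls_clientcerts,
    reject_unauth_destination
# Log the verified client certificate subject and fingerprint.
smtpd_tls_loglevel = 1

# /etc/postfix/relay_clientcerts
# Build the lookup table with: postmap hash:/etc/postfix/relay_clientcerts
# Each line: <sha256 fingerprint as printed by
#   openssl x509 -noout -fingerprint -sha256 -in client.crt>  <free text>
# The fingerprint below is a constructed placeholder, not a real cert.
00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF roadwarrior1 laptop
```

A road warrior's mail client that presents a listed CAcert certificate during STARTTLS is then allowed to relay, while a stolen or unrelated CAcert certificate is not, because its fingerprint is absent from the table.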