What's the difference between class 1 and class 3 roots, and the certificates signed by them?

Question

Pretty much what the question says. What's the difference between the two classes of roots? The differences between the certificates signed by such roots? What uses would a class 1 signed certificate have that a class 3 doesn't, and vice versa?

Answer 1

Wikipedia has a meager but clear answer, as concerns VeriSign, and references a Symantec (who bought Verisign's certificate business) page as its source.

Class 1 for individuals, intended for email.

Class 2 for organizations, for which proof of identity is required.

Class 3 for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authority.

Class 4 for online business transactions between companies.

Class 5 for private organizations or governmental security.

Adding that,

Other vendors may choose to use different classes or no classes at all as this is not specified in the PKI standards.

So the best, the most reliable, the only authoritative resource is the certificate vendor's site definition. For CACert, Andrew Rollings answer is complete, and a second source can be found at CACert's Technical FAQ

Answer 2

The class 3 root certificate is the high-security subset of the CAcert class 1 root certificate.

Class 1 is the 'normal' and older root certificate of CAcert. It includes both, low security and high security certificates. As it might not be possible to get the class 1 certificate included into some browsers or distributions, the Class 3 certificate was introduced. The Class 3 root certificate includes only high security certificates and is a subset of the Class 1 certificate.

In general: The class 3 will probably be integrated into more browsers and distributions in the future, whereas the class 1 certificate probably works with more and especially older browsers.

(See http://www.luga.at/mailing-lists/luga/2006/02/msg00109.html)