Slashdot Mirror


Thawte Protects The World From Crypto

nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed its developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.' Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."

10 of 179 comments

  1. corporations by polar+red · · Score: 1, Insightful

    Are they only giving out certificates to corps then? What an improvement! This means that corporations again gain power over individuals.

    --
    Yes, I'm left. You have a problem with that?
  2. Wait a second... by weez75 · · Score: 5, Insightful

    Before we claim another atrocity forced upon the "little guy" let's take a look at the situation. Thawte is not the only provider of certificates out there. There are others and if individuals demand the ability to work with crypto (as they will) someone will provide the service.

    Thawte is not Microsoft. They cannot strongarm other businesses, let alone individuals, into working just how they see fit. There's no chance for Thawte to rule the world.

    So before everyone gets all up in arms realize that all you have to do to correct the situation is not use Thawte for anything until they reverse their stance or simply use another certificate provider. Write a nice email and let them know why you don't agree with them and move on. This isn't a crisis...

    --
    Of course we torture people, we need the information --Gen. Pinochet
    1. Re:Wait a second... by Insount · · Score: 5, Insightful
      To get your code to run on popular browsers, you need a certificate (key pair plus some data) issued by a certificate authority that is available in all popular browsers. Otherwise, your users will get security warning popups to the tune of:
      This applet is signed using a certificate that was issued by an untrusted certificate authority. Run anyway?
      As a developer, you can't afford that.

      Thawte is one of the few certificate authorities that are in the default installation of all popular browsers. VeriSign is another, and in fact I can't recall any other common CA that's catering to the general public.

      The upshot is that VeriSign, which now owns Thawte, has a monopoly on code signing certificates for browsers. They're giving the appearance of competition by selling "lucrative" certs under the VeriSign brand and "economy" certs under the Thawte brand, but technically it's the same product. This is why they can charge $200 for a 1-year Thawte certificate, and more for a VeriSign cert, even though the effort involved is trivial. It's just like things used to be with domain registration and Network Solutions (which VeriSign also owns now). I don't believe potential liability issues would prevent this price from dropping significantly in the presence of other players.

      Given this, the change in Thawte's policy is quite disturbing.

  3. Shame... by karot · · Score: 5, Insightful

    I think this is a real shame, and it probably originates with some badly informed member of Thawte management.

    How do they plan on catering for the self-employed? What about small companies where the corporate and technical contacts are the same person? Why should an individual have any less right to certifying their code than a corporate?

    Of course it is up to Thawte who they sell their product to, but given the mind-set of people they are selling to (technical staff), this is not going to do them any favours.

    Generally Thawte are very forward thinking... Their "Web of Trust" model brings free X.509 email certificates to the masses by using a PGP-like trust model (extended through face-to-face authentication) on top of the CA signing model.

    --
    Enjoy Y2K? Roll-on Year 2037!
  4. Code signing is flawed by BlueWonder · · Score: 3, Insightful

    In my opinion, the concept of code signing is flawed. The user is tempted to think "this piece of code just loaded by my web browser is signed, so I can trust it."

    In fact, the signature only proves that the code really comes from a specific developer and has not been tampered with during transmission. It says absolutely nothing about the trustworthiness of the developer. So, as long as I don't know if I can trust the developer, the signature doesn't help.
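
The two points made above by Insount (a certificate from a CA the browser does not know produces the "untrusted certificate authority" warning) and by BlueWonder (a valid signature proves origin and integrity, nothing more) in one added Go example. This is not code from the thread, from Thawte or from VeriSign: it builds a constructed private CA and a developer certificate in memory, signs a blob of "applet" bytes with the developer's key, and then runs the two checks a browser runs. The type and function names (SigningDemo, VerifyCode, issue, template) and the "Example" subject names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SigningDemo: a constructed private CA, the developer certificate it issued, and the developer's key.
type SigningDemo struct {
	Root    *x509.Certificate
	Leaf    *x509.Certificate
	leafKey *ecdsa.PrivateKey
}

// template fills the fields shared by the CA and developer certificates (subjects are hypothetical).
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// issue signs tmpl with the signer's key and parses the result, as a CA does on issuance.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewSigningDemo stands in for a CA vetting a developer and issuing a code-signing certificate.
func NewSigningDemo() (*SigningDemo, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rootTmpl := template(1, "Example Private CA (constructed)", true)
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed root
	if err != nil {
		return nil, err
	}
	leaf, err := issue(template(2, "Example Developer (constructed)", false), root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return &SigningDemo{Root: root, Leaf: leaf, leafKey: leafKey}, nil
}

// Sign is the developer's signature over the SHA-256 digest of code.
func (d *SigningDemo) Sign(code []byte) ([]byte, error) {
	digest := sha256.Sum256(code)
	return ecdsa.SignASN1(rand.Reader, d.leafKey, digest[:])
}

// VerifyCode is what a browser checks before running signed code: the certificate must chain to a
// root in its trust store and the signature must match the bytes. nil means "from this key holder,
// unmodified" and nothing more; it does not say the code is safe to run.
func VerifyCode(leaf *x509.Certificate, roots *x509.CertPool, code, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // x509.UnknownAuthorityError when the issuing CA is not in roots: the popup case
	}
	pub := leaf.PublicKey.(*ecdsa.PublicKey) // we issued this certificate with an ECDSA key above
	digest := sha256.Sum256(code)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match code: modified, or not from this key holder")
	}
	return nil
}

func main() {
	d, err := NewSigningDemo()
	if err != nil {
		panic(err)
	}
	code := []byte("constructed applet bytes")
	sig, _ := d.Sign(code)
	trusted := x509.NewCertPool() // a store that ships with our CA; an empty pool is one that does not
	trusted.AddCert(d.Root)
	fmt.Println("trusted CA:", VerifyCode(d.Leaf, trusted, code, sig), "| unknown CA:", VerifyCode(d.Leaf, x509.NewCertPool(), code, sig))
}
```

Run with the CA in the pool and the code intact, VerifyCode returns nil; with one byte of the code changed it fails on the signature; with an empty pool it fails with x509.UnknownAuthorityError, which is the situation behind the warning quoted in Insount's comment. Nothing in the nil case tells the verifier what the code does, which is BlueWonder's point.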

  5. Get the story out! by ajs · · Score: 5, Insightful
    We need to get the story out to the media that strong crypto has been available to the masses for a long time, and can never be taken away. We need it to be understood that cryptographers are trying to make the world a better place by making private transactions more convenient, but that they've always been possible.

    Here are some first thoughts, if you end up talking to the media:
    • The strongest form of cryptography was invented in the 19th century and does not require a computer (XOR against one-time-pad), though computers certainly make it faster.
    • Cryptography technology that is available for free to the general public is very sophisticated. Weakening the cryptography available to shoppers on the Internet will not prevent the best and strongest software being used by "bad guys".
    • Stunting the public's ability to encrypt will hurt everyone from dissidents in oppressive countries to Internet retail companies to international corporations.
    It's time to fight back in the war of words. Make this "Internet shopper" vs. "public ignorance". Make it "my credit card for sale". Public opinion is carried on sound bites, so let's get some!
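
The one-time pad from the first bullet above, as an added Go example (not code from the comment or from the page): XOR against a random pad encrypts and decrypts with the same operation, and the block also shows the failure mode a practitioner has to guard against, reusing a pad, where the XOR of two ciphertexts cancels the pad entirely. The function names (NewPad, XORPad, PadReuseLeak) and the sample messages are my own.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// NewPad draws n bytes from the OS CSPRNG. A one-time pad is only as strong as its key:
// it must be truly random, at least as long as the message, and used exactly once.
func NewPad(n int) ([]byte, error) {
	pad := make([]byte, n)
	if _, err := rand.Read(pad); err != nil {
		return nil, err
	}
	return pad, nil
}

// XORPad XORs msg with the first len(msg) bytes of pad. XOR is its own inverse, so the
// same call encrypts a plaintext and decrypts a ciphertext. It refuses a pad that is too
// short rather than wrapping around, because wrapping would reuse pad bytes.
func XORPad(msg, pad []byte) ([]byte, error) {
	if len(pad) < len(msg) {
		return nil, errors.New("pad shorter than message: refusing to reuse pad bytes")
	}
	out := make([]byte, len(msg))
	for i := range msg {
		out[i] = msg[i] ^ pad[i]
	}
	return out, nil
}

// PadReuseLeak shows why "one-time" is not optional. If two messages were encrypted under
// the same pad, c1 XOR c2 = (p1 XOR pad) XOR (p2 XOR pad) = p1 XOR p2: the pad cancels and
// what remains depends only on the two plaintexts, with no key involved at all.
func PadReuseLeak(c1, c2 []byte) []byte {
	n := len(c1)
	if len(c2) < n {
		n = len(c2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i]
	}
	return out
}

func main() {
	msg := []byte("constructed message") // sample input, not from the page
	pad, err := NewPad(len(msg))
	if err != nil {
		panic(err)
	}
	ct, _ := XORPad(msg, pad)
	pt, _ := XORPad(ct, pad)
	fmt.Println("round trip ok:", string(pt) == string(msg))
}
```

The defensive detail is in XORPad: a pad shorter than the message is an error, not a reason to cycle the key, and PadReuseLeak is the arithmetic that explains why.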
  6. Re:Well, first of all by BlueWonder · · Score: 2, Insightful

    People tend to believe that if they trust Thawte, they can trust code signed with a Thawte-certified key. This is of course not true, because trust is not transitive.

    My guess is that Thawte wants to ensure only trustworthy people/companies get Thawte certificates, and apparently they think that companies are always trustworthy, while individuals are not.

  7. Not a completely un-sensible decision by imrdkl · · Score: 3, Insightful
    For Thawte to decide not to trust individual developers for code-signing makes sense, right now. Code-signing authority is possibly the strongest authority that can be purchased from a public CA. And just because a bit of code is signed by a certificate issued by Thawte, doesn't mean that I'm gonna run it anyways. Otoh, Thawte continues to issue code-signing certs to companies, which is the context from where most signed code is downloaded/installed and run.

    I really doubt that much signed code is distributed with authority from certificates issued to individuals. Chill out. They will lose some money, and I'm sure Thawte doesn't like that, but crypto is not going away.

  8. verisign always charged double... by portal9 · · Score: 2, Insightful

    so now verisign can take more from the individual.. once verisign bought thawte, they wanted to raise the prices.. but couldn't.. this is a way that they can.

  9. ok, let's try to write down some strategies by kipple · · Score: 4, Insightful
    I'm throwing in some thoughts of things that can be done on a worldwide scale or at least independently from the country you live in:

    1. letters to newspapers. this can be the first, lowest-effort thing to do. the net is full of good examples of how crypto is good, first of all the writings of Phil Zimmermann, that could be at least inspiring. here's the link and a quote:

    "You don't have to distrust the government to want to use cryptography. Your business can be wiretapped by business rivals, organized crime, or foreign governments. Several foreign governments, for example, admit to using their signals intelligence against companies from other countries to give their own corporations a competitive edge. Ironically, the United States government's restrictions on cryptography in the 1990's have weakened U.S. corporate defenses against foreign intelligence and organized crime."
    2. for those of you who have good capabilities/reputation, start spreading the word. Not only among your friends (no matter how computer-illiterate they are, public opinion is independent from tech skills, unfortunately), but also at work.
    3. the main goal is to make the idea of 'banning crypto can make more damage to your business than give benefits to the country' reach the higher levels. letters to newspapers will perhaps lighten a few minds, but enlightening a CEO of a multinational or a big company will help more. It may seem unreal, but if you think that anyone in the world is just seven hops away, why not try it? Never underestimate the power of coffee-break gossiping.
    4. all the 'geeks' and technicians all over the world have a great power over "regular users". When a techie or a sysadmin talks, everybody is listening. Make good use of it. Be responsible, and be clear. Make people think.
    5. talk to newspaper writers, friends working for the media, whoever you think can spread the word.
    6. wait
    7. repeat
    8. listen to other ideas and possibly invite your "opponent" to post it somewhere, to publish it, basically don't treat who does not agree with you as stupid.

    that's what I'm doing with my friends, parents, et cetera. I'm posting opinions on public forums in newspapers, and although I cannot see an immediate feedback, I'm positive about it.

    Just my .2Euros :)

    --
    -- There are two kinds of sysadmins: Paranoids and Losers. (adapted from D. Bach)