Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thawte Protects The World From Crypto

Posted by timothy on from the strange-goings-on dept.

nutsaq writes: "Thawte.com, a South African Certificate Authority, in a move of astonishing wrong-headedness, has inexplicably changed it's developer certificate policy. To quote from the site: 'Due to current world circumstances developer certificates can no longer be issued to individuals.'Sucks to be working with crypto these days. Apparently I'll get no help from Thawte to encrypt stuff, oh wait, I didn't need it, the browsers did."

4 of 179 comments (clear)

  1. Wait a second... by weez75 · · Score: 5, Insightful

    Before we claim another atrocity forced upon the "little guy" let's take a look at the situation. Thawte is not the only provider of certificates out there. There are others and if individuals demand the ability to work with crypto (as they will) someone will provide the service.

    Thawte is not Microsoft. They cannot strongarm other businesses, let alone individuals, into working just how they see fit. There's no chance for Thawte to rule the world.

    So before everyone gets all up in arms realize that all you have to do to correct the situation is not use Thawte for anything until they reverse their stance or simply use another certificate provider. Write a nice email and let them know why you don't agree with them and move on. This isn't a crisis...

    --
    Of course we torture people, we need the information --Gen. Pinochet
    1. Re:Wait a second... by Insount · · Score: 5, Insightful
      To get your code to run on popular browsers, you need a certiticate (key pair plus some data) issued by a certificate authority that is available in all popular browsers. Otherwise, your users will get security warning popups to the tune of:
      This applet is signed using a certificate that was issued by an untrusted certificate authority. Run anyway?
      As a developer, you can't afford that.

      Thawte is one of the few certificate authorities that are in the default installation of all popular browsers. VeriSign is another, and in fact I can't recall any other common CA that's catering to the general public.

      The upshot is that VeriSign, which now owns Thawte, has a monopoly on code signing certificates for browsers. They're giving the appearance of competition by selling "lucrative" certs under the VeriSign brand and "economy" certs under the Thawte brand, but technically it's the same product. This is why they can charge $200 for 1-year Thawte certificate, and more for a VeriSign cert, even though effort involved is trivial. It's just like things used to be with domain registration and Network Solutions (which VeriSign also owns now). I don't believe potential liability issues would prevent this price from dropping significantly in the presence of other players.

      Given this, the change in Thawte's policy is quite disturbing.

  2. Shame... by karot · · Score: 5, Insightful

    I think this is a real shame, and is probably originated by some badly informed member of Thawte-management.

    How do they plan on catering for the self-employed? What about small companies where the corporate and technical contacts are the same person? Why should an individual have any less right to certifying their code than a corporate?

    Of course it is up to Thawte who they sell their product to, but given the mind-set of people they are selling to (technical staff), this is not going to do them any favours.

    Generally Thawte are very forward thinking... Their "Web of Trust" model brings free X.509 email certificates to the masses by using a PGP-like trust model (extended through face-to-face authentication) on top of the CA signing model.

    --
    Enjoy Y2K? Roll-on Year 2037!
  3. Get the story out! by ajs · · Score: 5, Insightful
    We need to get the story out to the media that strong crypto has been available to the masses for a long time, and can never be taken away. We need it to be understood that cryptographers are trying to make the world a better place by making private transactions more convinient, but that they've always been possible.

    Here are some first thoughts, if you end up talking to the media:
    • The strongest form of cryptography was invented in the 19th century and does not require a computer (XOR against one-time-pad), though computers certainly make it faster.
    • Cryptography technology that is available for free to the general public is very sophisticated. Weakening the cryptography available to shoppers on the Internet will not prevent the best and strongest software being used by "bad guys".
    • Stunting the public's ability to encrypt will hurt everyone from dissedents in oppressive countries to Internet retail companies to international corporations.
    It's time to fight back in the war of words. Make this "Internet shopper" vs. "public ignorance". Make it "my credit card for sale". Public opinion is carried on sound bites, so let's get some!