Thawte Will End "Web of Trust" On November 16

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

Re:Providing free certificates

www.cacert.org has an alternative web of trust that issues both client and server certs.

Re:Should have stuck with PGP/GPG

You're post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.

Re:Should have stuck with PGP/GPG

[buchner.johannes]

You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyones key, just the ones you met.

GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.

Re:You didn't expect this? Really want to help?

[ArsenneLupin]

O, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that neither of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.

The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...

Re:Sad by understandable

[storem]

I'm a WOT Notary myself since 2002.

<rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>

I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.

Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way to easy to spot the important emails nowadays.

I'm must also admit that less people are interested by the technology - and WOT notaries assert less people each year - mainly due to the complexity of PKI implementations in popular email packages.

<product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product to make it easier for people to use PKI, revive the identity security awareness with people.</product_placement>

More info from Thawte's Wikipedia page:

Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.

Re:Providing free certificates

[Lincolnshire+Poacher]

> Whats the path to getting the root cert in popular browsers?

The path is long and strewn with rocks:

https://bugzilla.mozilla.org/show_bug.cgi?id=215243

Re:Sad by understandable

[Lennie]

Their is also a StartCom/StartSSL WOT, their free SSL-certs root cert recently got on the Microsoft list, although the update was still optional last time I looked.

https://blog.startcom.org/?p=205

*NOT* Related to "Web of Trust" Web Safety Add-on

[the+JoshMeister]

Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.

Web of Trust is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor and Symantec's Norton Safe Web (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.

I hope that clears up any potential confusion.