Thawte Will End "Web of Trust" On November 16
An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.
www.cacert.org has an alternative web of trust that issues both client and server certs.
Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.
You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.
GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
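The distinction drawn in the comments above, between a key being valid and its owner being trusted to certify others, as an added example that is not part of the thread: a simplified model of GnuPG's classic trust model with its default thresholds (one fully trusted or three marginally trusted signers, certification depth at most 5). All names, signatures and trust assignments are constructed.

```python
FULL, MARGINAL, NONE = "full", "marginal", "none"

def valid_keys(me, signatures, ownertrust,
               completes_needed=1, marginals_needed=3, max_depth=5):
    """Return {key: depth} for keys that are valid from `me`'s point of view.

    signatures: signer -> set of keys that signer certified.
    ownertrust: key -> how far `me` trusts that owner to certify others
                (a local setting, never taken from a keyserver).
    """
    valid = {me: 0}  # my own key is ultimately trusted
    all_keys = {k for signed in signatures.values() for k in signed}
    for depth in range(1, max_depth + 1):
        newly_valid = []
        for key in sorted(all_keys - set(valid)):
            full = marginal = 0
            for signer, signed in signatures.items():
                # A signature only counts if the signer's key is itself valid.
                if key not in signed or signer not in valid:
                    continue
                trust = ownertrust.get(signer, NONE)
                if signer == me:
                    full += completes_needed
                elif trust == FULL:
                    full += 1
                elif trust == MARGINAL:
                    marginal += 1
            if full >= completes_needed or marginal >= marginals_needed:
                newly_valid.append(key)
        if not newly_valid:
            break
        for key in newly_valid:
            valid[key] = depth
    return valid

# Constructed sample web: "me" verified five people in person.
SIGNATURES = {
    "me": {"alice", "bob", "carol", "dave", "mallory"},
    "alice": {"erin"},
    "bob": {"frank"}, "carol": {"frank"}, "dave": {"frank", "grace"},
    "mallory": {"erin", "frank", "grace", "heidi"},  # signs almost everyone
}
# mallory's key is valid (verified in person), but she gets no owner trust.
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "carol": MARGINAL, "dave": MARGINAL}

if __name__ == "__main__":
    for key, depth in valid_keys("me", SIGNATURES, OWNERTRUST).items():
        print(f"{key}: valid at depth {depth}")
```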
The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...