Slashdot Mirror

← Back to Stories (view on slashdot.org)

Thawte Will End "Web of Trust" On November 16

Posted by kdawson on from the fencing-of-the-commons dept.

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

6 of 127 comments (clear)

  1. Re:Sad by understandable by Joiseybill · · Score: 4, Interesting

    Notary here too.
    I didn't see any notification yet, so I'm not sure if this is true.

    If it is, then I won't need to worry about those pesky " check ID" and "keep paperwork on file for 5 years" rules.
    I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.

    If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

    PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

  2. Re:Should have stuck with PGP/GPG by Chrisq · · Score: 3, Interesting

    The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust pretty soon you end up trusting almost everyone. Even worse GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.

    True if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their email by phone, both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but its not as easy as having someone verify it for you.

  3. Re:You didn't expect this? Really want to help? by ArsenneLupin · · Score: 3, Interesting

    The whole "encryption = authentication" idea is stupid and wrong.

    Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...

    The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at it's worst.

    Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).

    So, in all logic the warnings should even be more scary for the plain unencrypted http case.

    Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to a http page, and doesn't bother with https, because most users won't notice the missing s in the address bar anyways...

  4. WoT by smoker2 · · Score: 4, Interesting

    I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert. no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

  5. Re:Providing free certificates by martijno · · Score: 3, Interesting

    How about community driven efforts such as cacert.org? Requires the receiver to import their root certificate, though.

  6. Facebook Friends by muckracer · · Score: 5, Interesting

    Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.