Slashdot Mirror


Thawte Will End "Web of Trust" On November 16

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

13 of 127 comments

  1. I knew it! by Rantastic · · Score: 4, Funny

    I knew I should not have trusted them and their web!

    --
    Ask Slashdot: Where bad ideas meet poor googling skills.
  2. Sad but understandable by chamilto0516 · · Score: 5, Insightful

    This saddens me but I understand it. Adoption of PKI for email in this multi-standard, multi-client fashion was just too difficult for the average email user. Yes, I usually have one or two accounts for secure messaging and I do use Thawte (I am a Notary) but it just doesn't work for most unless there is someone to walk them through. As much as I am aggravated by Lotus Notes, their self-contained system (part of my aggravation) was able to pull this off 10 years ago and is still really the only app that I have seen do PKI well. Unfortunately it doesn't do a lot of other things very well.

    --
    Magic Eight Ball: Outlook not so good., Hmmm, how about Excel and Word?
    1. Re:Sad but understandable by Joiseybill · · Score: 4, Interesting

      Notary here too.
      I didn't see any notification yet, so I'm not sure if this is true.

      If it is, then I won't need to worry about those pesky "check ID" and "keep paperwork on file for 5 years" rules.
      I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.

      If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.

      PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.

  3. Should have stuck with PGP/GPG by argent · · Score: 4, Insightful

    Don't forget where the "web of trust" came from.

    1. Re:Should have stuck with PGP/GPG by Anonymous Coward · · Score: 5, Informative

      Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.

    2. Re:Should have stuck with PGP/GPG by buchner.johannes · · Score: 5, Informative

      You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.

      GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
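
The distinction the two replies above draw, between a key being on your keyring and a key being valid, shown as an added example (not code from the thread or from GnuPG). It is a simplified model of GnuPG's classic trust model using the documented defaults for `--completes-needed`, `--marginals-needed` and `--max-cert-depth`; the key names and signature graph are constructed.

```python
# Added example: simplified model of the classic PGP/GnuPG validity rule.
# "Owner trust" is what you assign to a signer; "validity" is derived from it.
FULL, MARGINAL = "full", "marginal"
COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth

# Constructed sample data: signer -> keys that signer has certified.
SIGNATURES = {
    "me":      {"alice", "bob", "erin", "frank", "mallory"},
    "alice":   {"dave"},
    "mallory": {"carol", "dave", "heidi"},   # signs "almost everyone"
    "bob":     {"grace", "heidi"},
    "erin":    {"grace", "heidi"},
    "frank":   {"grace"},
}
# Owner trust I assigned. mallory's key is verified, but she gets no trust.
OWNERTRUST = {"alice": FULL, "bob": MARGINAL, "erin": MARGINAL, "frank": MARGINAL}

def valid_keys(me, signatures, ownertrust):
    """Return the keys considered valid from `me`'s point of view."""
    valid = {me}
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key in set().union(*signatures.values()) - valid:
            # Only signatures made by keys that are themselves valid count.
            signers = [s for s, signed in signatures.items()
                       if key in signed and s in valid]
            full = sum(1 for s in signers
                       if s == me or ownertrust.get(s) == FULL)
            marginal = sum(1 for s in signers
                           if ownertrust.get(s) == MARGINAL)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid

if __name__ == "__main__":
    for name in sorted(valid_keys("me", SIGNATURES, OWNERTRUST)):
        print("valid:", name)
```

Here `carol` stays invalid because her only signer carries no owner trust, and `heidi` stays invalid because two marginal signers are one short of the threshold.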
  4. You didn't expect this? Really want to help? by Uzik2 · · Score: 5, Insightful

    What were you thinking?
    If you really want to do something worthwhile, campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate are commercialism at its worst.

    --
    -- Programming with boost is like building a house with lego. It's a cool but I wouldn't want to live in it
    1. Re:You didn't expect this? Really want to help? by nedlohs · · Score: 4, Insightful

      No he means what he says, encryption.

      If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.

      If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.

      Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.

    2. Re:You didn't expect this? Really want to help? by ArsenneLupin · · Score: 4, Informative

      Oh, and some sites (such as facebook or hotmail) only use https for the form submission, but not for the template. Theoretically this is secure (because it's the submission of login data that you want to protect, not the mask that is displayed on screen), but in practice it means that neither of the usual tell-tale signs (green/blue bar, https, lock icon) will be present.

      The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...

  5. Re:Providing free certificates by Anonymous Coward · · Score: 4, Informative

    www.cacert.org has an alternative web of trust that issues both client and server certs.

  6. WoT by smoker2 · · Score: 4, Interesting

    I was a member of the WoT back in '99. It took several weeks (nearly a month) to find accessible notaries, and their method of meeting was suspect to say the least. For one I had to travel 30 miles to another town and meet in a supermarket car park. After I got my cert. no-one I sent signed messages to knew how to handle it - encryption was pointless. I let it lapse after about a year, and haven't bothered since.

    Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.

  7. How unexpected... by Admiralbumblebee · · Score: 5, Funny

    I never thawte this would happen.

  8. Facebook Friends by muckracer · · Score: 5, Interesting

    Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.