Thawte Will End "Web of Trust" On November 16
An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.
Re:Providing free certificates (Score:4, Informative)
www.cacert.org has an alternative web of trust that issues both client and server certs.
Re:Should have stuck with PGP/GPG (Score:5, Informative)
Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.
Re:You didn't expect this? Really want to help? (Score:1, Informative)
For repeat customers, accepting a self signed certificate the first time would work fine. The certificate ensures that I'm connected to the site I think I am.
But for all the sites I haven't shopped before, a certificate doesn't improve anything. The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know. But can I trust the site I'm connected to? That's the problem. I don't know. And the certificate won't help me a bit, it can only tell me that I am in fact connected to the site I don't know.
Re:Should have stuck with PGP/GPG (Score:5, Informative)
You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.
GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.
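The distinction drawn in the comments above (a key being on your keyring, a key being valid, and its owner being trusted as an introducer) can be made concrete. The following is an added example, not part of the original posts and not GnuPG's code: a simplified model of the classic OpenPGP trust calculation using GnuPG's default thresholds, run over a constructed keyring with made-up names.

```python
from collections import Counter

# GnuPG defaults for --completes-needed, --marginals-needed, --max-cert-depth.
COMPLETES_NEEDED, MARGINALS_NEEDED, MAX_DEPTH = 1, 3, 5

def valid_keys(me, signatures, ownertrust):
    """Return the set of keys considered valid from `me`'s point of view.

    signatures: signer -> set of keys that signer has certified
    ownertrust: key -> "full" | "marginal" (absent: not trusted as introducer)
    """
    valid = {me}
    for _ in range(MAX_DEPTH):
        full, marginal = Counter(), Counter()
        for signer in valid:
            # Only signatures made by already-valid keys count, weighted by
            # the owner trust that *I* assigned to the signer.
            level = "full" if signer == me else ownertrust.get(signer)
            for key in signatures.get(signer, ()):
                if level == "full":
                    full[key] += 1
                elif level == "marginal":
                    marginal[key] += 1
        newly = {k for k in set(full) | set(marginal)
                 if full[k] >= COMPLETES_NEEDED or marginal[k] >= MARGINALS_NEEDED}
        if newly <= valid:
            break
        valid |= newly
    return valid

# Constructed keyring: names and relationships are made up for illustration.
SIGNATURES = {
    "me": {"alice", "bob", "carol", "erin", "mass_signer"},
    "alice": {"frank"},                # one fully trusted introducer
    "bob": {"grace", "heidi"},
    "carol": {"grace", "heidi"},
    "erin": {"heidi"},                 # heidi reaches three marginal signatures
    "mass_signer": {"grace", "ivan"},  # signs everything, trusted by nobody
    "frank": {"judy"},                 # valid key, but no owner trust assigned
}
OWNERTRUST = {"alice": "full", "bob": "marginal",
              "carol": "marginal", "erin": "marginal"}

if __name__ == "__main__":
    print(sorted(valid_keys("me", SIGNATURES, OWNERTRUST)))
```

Signatures from `mass_signer` contribute nothing because no owner trust was assigned to that key, and `judy` stays invalid because `frank`'s key being valid does not make `frank` a trusted introducer.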
Re:You didn't expect this? Really want to help? (Score:5, Informative)
The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...
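The manual "view source" check described in the comment above can be automated. This is an added example, not part of the original post: it resolves each form's action against the page URL and also flags an HTTPS action on a page that was itself delivered over plain HTTP, since such a page can be altered in transit before the form is submitted. The URLs and HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # one dict per <form> element
        self._open = None    # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, attrs.get("action") or "")
            self._open = {"target": target, "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return (resolved_target, has_password_field, verdict) for every form."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    page_secure = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        if urlsplit(form["target"]).scheme != "https":
            verdict = "insecure-target"   # data leaves the browser unencrypted
        elif not page_secure:
            verdict = "insecure-page"     # action is HTTPS, but the page is not
        else:
            verdict = "ok"
        results.append((form["target"], form["password"], verdict))
    return results

# Constructed sample pages (hypothetical hosts).
LOGIN_HTTP = ('<form action="https://shop.example/session" method="post">'
              '<input type="password" name="pw"></form>')
CHECKOUT = ('<form action="/pay"><input name="card"></form>'
            '<form action="http://pay.example/charge">'
            '<input type="PASSWORD" name="pin"/></form>'
            '<form><input name="q"></form>')
```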
Re:Java WebStart, J2ME, Java applets (Score:1, Informative)
1. Why have you stopped offering thawte Personal Email Certificates?
Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.
2. What is Thawte going to do for customers with active Thawte Personal Email Certificates?
Customers with active Thawte® Personal Email Certificates will be given the option to enroll for a free one year VeriSign® Email Certificate.
3. Why are you revoking my Thawte Personal Email Certificate?
After 16 November 2009, the system that supports Thawte Personal Email Certificates will shut down and as a result, active email Certificates and enrollments of email Certificates will no longer be available.
4. When is Thawte going to revoke my Thawte Personal Email Certificate?
Your Thawte Personal Email Certificate will be revoked on 16 November 2009 on the same date that we stop offering Thawte Personal Email Certificates.
5. Does Thawte have an alternate product available to replace my active Thawte Personal Email Certificates?
Yes, Thawte is offering a free one-year VeriSign Email Certificate for each active Thawte Personal Email Certificate you own as of 24 September 2009.
6. How do I replace my Thawte Personal Email Certificate?
You may replace your Thawte Personal Email Certificate by redeeming the token that you received in the email from Thawte by 16 January 2010, and enrolling for your free one-year VeriSign Email Certificate at the link below:
Microsoft Internet Explorer Browsers: https://digitalid.verisign.com/client/class1MSToken.htm
Mozilla, Firefox, Netscape, or Apple Safari Browsers:
https://digitalid.verisign.com/client/class1NetscapeToken.htm
7. Will I be required to provide any documentation in order to request my replacement VeriSign Email Certificate?
No documents will be required when you request a replacement VeriSign Email Certificate.
8. Up until what date can I request my replacement VeriSign Email Certificate?
Requests for replacement VeriSign Email Certificates must be submitted by 16 January 2010.
9. When should I request my replacement VeriSign Email Certificate?
Thawte recommends that you replace your Thawte Personal Email Certificate as soon as possible to allow you sufficient time to install and test your new VeriSign Email Certificate. In any event, the last day to request a free replacement Certificate is 16 January 2010.
10. How do I renew my Thawte Personal Email Certificate?
Thawte Personal Email Certificates may not be renewed. Instead, you received a token in an email from Thawte, which may be used for a free one-year VeriSign Email Certificate. You may redeem your token and enroll for the Certificate at the link below:
Microsoft Internet Explorer Browsers: https://digitalid.verisign.com/client/class1MSToken.htm
Mozilla, Firefox, Netscape, or Apple Safari Browsers:
https://digitalid.verisign.com/client/class1NetscapeToken.htm
11. Can I revoke my Thawte Personal Email Certificate before Thawte stops offering Thawte Personal Email Certificates?
Yes, you may revoke your Thawte Personal Email Certificate before 16 November 2009 by logging into your portal at:
http://www.thawte.com/secure-email/personal-email-certificates/index.html?click=main-nav-products-email and selecting
1. Certificates
2. Revoke a Certificate
12. Will Thawte offer refunds for revoked Thawte Personal Email Certificates?
Thawte is offering a free one-year
Re:Sad by understandable (Score:4, Informative)
<rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>
I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.
Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way too easy to spot the important emails nowadays.
I must also admit that fewer people are interested in the technology - and WOT notaries assert fewer people each year - mainly due to the complexity of PKI implementations in popular email packages.
<product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product to make it easier for people to use PKI, revive the identity security awareness with people.</product_placement>
More info from Thawte's Wikipedia page:
Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.
Re:Providing free certificates (Score:3, Informative)
> What's the path to getting the root cert in popular browsers?
The path is long and strewn with rocks:
https://bugzilla.mozilla.org/show_bug.cgi?id=215243 [mozilla.org]
Re:Sad by understandable (Score:3, Informative)
https://blog.startcom.org/?p=205
*NOT* Related to "Web of Trust" Web Safety Add-on (Score:3, Informative)
Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.
Web of Trust [mywot.com] is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor [siteadvisor.com] and Symantec's Norton Safe Web [norton.com] (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.
I hope that clears up any potential confusion.