Thawte Will End "Web of Trust" On November 16

An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.

Sad by understandable

[chamilto0516]

This saddens me but I understand it. Adoption of PKI for email in this multi-standard, multi-client fashion was just too difficult for the average email user. Yes, I usually have one or two accounts for secure messaging and I do use Thawte (I am a Notary) but it just doesn't work for most unless there is someone to walk them through. As much as I am aggravated by Lotus Notes, they self contained system (part of my aggravation) was able to pull this off 10 years ago and is still really the only app that I have seen do PKI well. Unfortunately it doesn't do a lot of other things very well.

Re:Providing free certificates

[Wowsers]

I trust myself, but how can I trust another company?

Should have stuck with PGP/GPG

[argent]

Don't forget where the "web of trust" came from.

You didn't expect this? Really want to help?

[Uzik2]

What were you thinking?
If you really want to do something worthwhile campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at it's worst.

Re:You didn't expect this? Really want to help?

[zwei2stein]

Encryption without authentication is stupid and wrong too.

The scary warnings are there to make sure that you are not luled to false safety because man in middle attacks can work just fine with encryption as long as you trust their certificate.

Talking securely to someone is implied by fact that you really know who you are talking to.

Re:You didn't expect this? Really want to help?

[nedlohs]

No he means what he says, encryption.

If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.

If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.

Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.

Java WebStart, J2ME, Java applets

[Gollum]

One thing that a lot of people are ignoring is that Thawte FreeMail certs are used by a lot of small developers to publish Java apps, and this would kill off that ability quite quickly.

That said, I have not seen a word of this on the Thawte web site, which makes me wonder if the submitter is trying to perform a DoS on Thawte for some reason, and are tricking the slashdotters into being that DoS. The page linked takes an enormous amount of time to decide that there is nothing to return, meanwhile slashdotters are beating on the server over and over. Sorry for the OP, though. The rest of their site still seems to be just fine.

Re:Sad by understandable

[tobiasly]

Yes it sucks but I agree, none of us should really be surprised. Ever since Verisign bought Thawte I've been waiting for this to happen. I've been a notary in a fairly large metro area for years and can't remember the last time I was asked to notarize someone.

Yeah, the concept itself was a bit difficult for a lot of people to grasp but their website also really sucked. It hadn't been updated in years and you had to navigate through that ridiculous hierarchical system instead of being able to just "find notaries within 25 miles of me".

But really, email certs serve two purposes: sender verification and/or encryption (I guess proving an email wasn't tampered with could count as a third but it's really part of encryption). The first function is increasingly already being performed at the server level using SenderID/DomainKeys, and there are plenty of ways to accomplish the second if two parties so choose.

It's one of those things that probably would have been a great idea if it were baked into the email standard since inception, but was just too unwieldy to bolt-on later.

Re:WoT

[Domini]

I disagree. Google cannot do this unless they change the way gmail works. I will not let them touch my private key lest I end up not trusting my own private key. You can say they can then kinda leave it on your PC and access it with client side JS, but then you sit again with the problem that it becomes hard to manage and understand by the masses.

So they're charging for it...

[vanyel]

$20/yr is not an onerous fee, big deal. I'm surprised it's gone free this long. If you really can't stand to pay for the service you're using, go to cacert.org.