Thawte Will End "Web of Trust" On November 16
An anonymous reader writes "Thawte is ending their Web of Trust, including their free Personal Email Certificates, in less than 2 weeks' time. This hasn't been picked up by the media yet. Seems to me a lot of people, including myself, are hurt by this." Thawte is offering a 1-year free VeriSign cert to those holding valid Personal Email Certificates; after that you pay.
I knew it! (Score:5, Funny)
Sad but understandable (Score:5, Insightful)
Re:Sad but understandable (Score:5, Interesting)
Notary here too.
I didn't see any notification yet, so I'm not sure if this is true.
If it is, then I won't need to worry about those pesky "check ID" and "keep paperwork on file for 5 years" rules.
I wonder if I can get my notary fees back.. I paid them since I couldn't find any other Notaries in my area.
If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.
PS - in addition to Lotus Notes, I've done a fair job with Novell GroupWise and individual Eudora and T-Bird clients as far as certificate management for the masses. At one point, (obviously a while back with Eudora) I had nearly three dozen non-IT folks using this appropriately to sign and verify their inter-office email. That 'trial' lasted about two weeks, and many still ask me to renew their certificates annually.
Re: (Score:2)
> If this really is true, I might not be opposed to giving away 30 points to anyone that seems reasonable enough. If we get another few notaries on board, maybe we can register a couple thousand slashdotters in the next few weeks - so at least they all get free VeriSign email certs.
I've been meaning to get my identity validated for the web of trust for years, and never quite gotten around to it. I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history on /., USENET, blog posts, etc.
Re: (Score:2)
> I'm interested if you want to drop me an e-mail, and I think I can prove my identity adequately on-line, through my long history
I suspect there's a funny Nigerian spammer spoof for this (with the "all caps" and other fun stuff).
But I'm too lazy at the moment to try. Anyone willing to give it a go?
Re:Sad but understandable (Score:4, Informative)
<rant>To be very blunt, Thawte went downhill ever since VeriSign took over. I'm sure things would be different with Mark Shuttleworth still heading the company.</rant>
I also did not receive any official information from Thawte yet about this. I guess they figured we read today's Internet newspapers anyway.
Many of us Thawte WOT Notaries became CAcert ECCP Assurers during the last couple of years. While CAcert.org is a community-driven certificate authority that issues free public key certificates to the public, it still lacks inclusion of its root certificate in most popular browsers. I do however strongly think there is a need for this kind of service, as no communication is ever going to be really safe unless we all use encryption. It is way too easy to spot the important emails nowadays.
I must also admit that fewer people are interested in the technology - and WOT notaries assert fewer people each year - mainly due to the complexity of PKI implementations in popular email packages.
<product_placement>I hope efforts like the Comodo/DigitalPersona Privacy Manager product to make it easier for people to use PKI, revive the identity security awareness with people.</product_placement>
More info from Thawte's Wikipedia page:
Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping in hopes to increase the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their now-existing entry on Thawte's Web of Trust Notary Map. Thawte Notaries from within and without GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that will recognize their former status as a Thawte Web of Trust Notary. The Thawte Notary EOL List on GSWoT will die in one year's time - on November 16, 2010.
Re: (Score:3, Informative)
https://blog.startcom.org/?p=205
Re: (Score:2)
I've been using them for my personal site for several months. Once you figure out how to get it set up correctly, it works just fine with Safari and FireFox. And, of course, the number of MSIE users on my personal site is so close to zero that it amounts to a rounding error. :-D
Re: (Score:2)
Re: (Score:3, Insightful)
Yeah, the concept itself was a bit difficult for a lot of people to grasp but their website also really sucked. It hadn't been updated in years and you had to navigate through that ridiculous hierarchical system instead of being able to just "find nota
Providing free certificates (Score:4, Funny)
Re: (Score:1, Funny)
Can some other trusted company, like Google, step in?
I honestly can't tell if this was supposed to be funny or not.
Re:Providing free certificates (Score:4, Insightful)
I trust myself, but how can I trust another company?
Re:Providing free certificates (Score:4, Informative)
www.cacert.org has an alternative web of trust that issues both client and server certs.
Re: (Score:2)
What now?
Re: (Score:3, Interesting)
Re: (Score:2)
Requires the receiver to import their root certificate, though.
But how would a receiver who is a home user know to import cacert.org's root certificate and not a phisher's root certificate?
Re: (Score:2)
What's the path to getting the root cert in popular browsers?
I really don't know how that works. Does Mozilla just decide?
Re: (Score:3, Informative)
> Whats the path to getting the root cert in popular browsers?
The path is long and strewn with rocks:
https://bugzilla.mozilla.org/show_bug.cgi?id=215243 [mozilla.org]
Did not get any email (Score:2)
I did not get any email from Thawte about this issue. How do I get my token then?
Should have stuck with PGP/GPG (Score:5, Insightful)
Don't forget where the "web of trust" came from.
Re:Should have stuck with PGP/GPG (Score:4, Interesting)
The problem is that PGP/GPG certificates are too open. If you trust a few certificates, say for software support, then trust the certificates they trust, pretty soon you end up trusting almost everyone. Even worse, GPG (and maybe PGP) by default will try and download a certificate from a public server when encountering an unknown certificate. This makes it as easy to set up a trust certificate for a "throw away" email account as to create a throw-away account in the first place.
True, if you follow the guidelines in the GPG manual, find a trusted friend, verify the fingerprint of their email by phone, both agree only to sign certificates where you have gone through the same process, you can set up a trusted web - but it's not as easy as having someone verify it for you.
Re:Should have stuck with PGP/GPG (Score:5, Informative)
Your post is an example of how people don't understand PGP, not that there are any technical limitations. Looking in my enigmail key manager, I have a whole list of keys (automatically downloaded) that are not trusted. The few that I have verified are trusted. If someone signs "almost everyone's" keys and isn't trustworthy you don't trust them. If they are trustworthy, then you just made use of the web of trust.
Re: (Score:1)
Re:Should have stuck with PGP/GPG (Score:5, Informative)
You don't have to trust everyone in a Web of Trust that originated from you. It just tells you who trusts that person. What you do with that information is up to you. Also, there are several levels of trust. You don't have to sign anyone's key, just the ones you met.
GPG is right to download the public key from a server, because that tells you nothing about how much you trust that person. If it would set that person automatically to fully trusted, that'd be a different story.
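The difference the comments above draw between a key being present or signed and its owner being trusted as an introducer can be shown with a simplified model of GnuPG's classic trust model. This is an added example, not code from the thread or from GnuPG; the keyring is constructed, the function name is hypothetical, and expiry, revocation, per-user-ID validity and trust signatures are ignored.

```python
# Simplified sketch of GnuPG's classic trust model (added example).
# A key becomes VALID when enough valid keys whose owners you trust as
# introducers have signed it. Owner trust is set by you, per key, and is
# never inherited from signatures or from a keyserver download.

COMPLETES_NEEDED = 1   # GnuPG default for --completes-needed
MARGINALS_NEEDED = 3   # GnuPG default for --marginals-needed
MAX_CERT_DEPTH = 5     # GnuPG default for --max-cert-depth


def valid_keys(signatures, ownertrust):
    """Return the set of keys considered valid.

    signatures: iterable of (signer, signee) pairs.
    ownertrust: dict key -> "ultimate" | "full" | "marginal" | "unknown".
    """
    # Your own keys (ultimate trust) are the roots of the web.
    valid = {k for k, level in ownertrust.items() if level == "ultimate"}

    signers_of = {}
    for signer, signee in signatures:
        signers_of.setdefault(signee, set()).add(signer)

    # Expand one certification step at a time, up to the depth limit.
    for _ in range(MAX_CERT_DEPTH):
        newly_valid = set()
        for key, signers in signers_of.items():
            if key in valid:
                continue
            full = marginal = 0
            # Only signatures made by keys that are themselves valid count.
            for signer in signers & valid:
                level = ownertrust.get(signer, "unknown")
                if level in ("ultimate", "full"):
                    full += 1
                elif level == "marginal":
                    marginal += 1
                # "unknown" owner trust: the signature is ignored.
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                newly_valid.add(key)
        if not newly_valid:
            break
        valid |= newly_valid
    return valid


# Constructed keyring. "me" has personally verified and signed five keys.
SIGNATURES = [
    ("me", "alice"), ("me", "bob"), ("me", "carol"), ("me", "dave"),
    ("me", "hub"),
    ("alice", "erin"),                                      # one full introducer
    ("bob", "frank"), ("carol", "frank"),                   # two marginals only
    ("bob", "grace"), ("carol", "grace"), ("dave", "grace"),  # three marginals
    ("hub", "h1"), ("hub", "h2"),            # hub signs keys indiscriminately
    ("sockpuppet", "throwaway"),             # key fetched from a keyserver
]

# Owner trust is assigned separately from signing. "hub" was verified
# (signed by "me") but is not trusted to introduce others.
OWNERTRUST = {
    "me": "ultimate",
    "alice": "full",
    "bob": "marginal", "carol": "marginal", "dave": "marginal",
    "hub": "unknown",
}

if __name__ == "__main__":
    print(sorted(valid_keys(SIGNATURES, OWNERTRUST)))
```

In this keyring the throwaway key and everything signed by `hub` stay invalid until the user explicitly raises an owner-trust value.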
Re: (Score:2)
If you think Thawte and/or VeriSign actually do anything to verify anything (other than that the person's credit card works) you are a fool.
Re: (Score:2)
The problem that you describe would be, that stating that a human should do something, and then expecting him to always do it, is a giant fallacy. And a very stupid one to expect, if you ever saw a real human. ^^
The rule is: If someone can do something wrong or the bad way, someone will. No exceptions.
And that's why those guidelines are just useless dreams with no relation to physical reality.
Done right, you would have to set up a system where nothing is possible, except for the things you absolutely need, to a
Re: (Score:2)
It's an authority and leadership problem. The thing the email cert dealers miss out on, in my opinion is the sale
Re: (Score:2)
Apple Mail has built-in PKCS7 support, I don't even care to mention pro apps like Outlook/Entourage/BlackBerry.
Where is PGP except that expensive commercial client which tries to do too much? If people used Thawte cert, they went for "easy and built in way", can you blame them? If PGP free version with that kind of compatibility, mail plugin was still alive and kicking, you could blame people for not sticking with PGP. All we see is some open source stuff not promising any kind of stability and support over
Re: (Score:2)
> Where is PGP except that expensive commercial client which tries to do too much?
I shouldn't have to google things like this for you. [sente.ch]
Re: (Score:2)
You shouldn't google for that at all. I know GNUPG and its support for OS X Mail. Can you claim it is easily installed, used like commercial PGP? Can you trust Apple to stick with a God damn stable plugin API and don't break it in each OS update? Can you imagine Freeware/open source authors/packagers have some juicy Apple developer accounts to see what is coming?
Growlmail plugin, a basic plugin which has nothing to do with security/privacy like PGP had to move to mach_inject method instead of mail plugin. W
Re: (Score:2)
Honestly, the best email client I have ever used respecting PKI was Thunderbird with Enigmail on Linux.
I've tried to duplicate this success on my laptop with Vista, but enigmail sucks balls and just flat out doesn't work right.
We really need a good, OSS cross platform email client that supports GPG.
Re: (Score:2)
Claws Mail?
Re: (Score:2)
> We really need a good, OSS cross platform email client that supports GPG.
Use Gmail on Firefox with the FireGPG extension installed.
Re: (Score:2)
You do know that PGP came before S/MIME, right?
Re: (Score:2)
The standard did not get created because PGP was a "hack", it was created because of the legal issues surrounding PGP and Phil Zimmerman. Those issues should have been addressed explicitly, instead of creating a standard that depends on an expensive infrastructure that keeps it from being adopted by hoi polloi.
It's Just That (Score:2, Funny)
Re: (Score:3, Funny)
You didn't expect this? Really want to help? (Score:5, Insightful)
What were you thinking?
If you really want to do something worthwhile campaign the browser makers to change their browsers. The whole "encryption = authentication" idea is stupid and wrong. The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at its worst.
Re: (Score:2)
You are confused. Perhaps you mean authentication != certification?
Certification is something that CAs should do (that's what you trust them to do). Some don't. That's why the broken idea of EV certificates came about.
Re: (Score:2)
No, he meant exactly what he said. As far as he went, he's correct. Putting up scary warnings when all that is required is an encrypted connection is silly.
But the process actually goes a step further, and you need to know that you are connected to who you think you are, which is the purpose of the scary warnings. It's very seldom that you need to just encrypt the connection without worrying about man-in-the-middle attacks.
I'm starting with the man in the middle (Score:3, Interesting)
> Putting up scary warnings when all that is required is an encrypted connection is silly.
Without some sort of authentication, you don't know that a man in the middle isn't proxying and decrypting your encrypted connection. These man in the middle attacks are happening [mozilla.org]. Self-signed certs are good for verifying that the proxy hasn't been added between connections, but that doesn't help if you've got a proxy and have always had it.
Re: (Score:2)
If browsers _also_ did the SSH thing where they warn you if the cert has changed from the expected I'd be happy, and the OP would be happy - on his first visit to the site, he might choose to take the risk and say "accept this", and the browser will warn him if it changes in the future.
After all, he could choo
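The SSH-style "warn if the certificate changed" behaviour proposed in the comment above, as an added sketch that is not part of the original thread or of any browser's code. The class and function names are hypothetical, the byte strings are constructed stand-ins for DER-encoded certificates, and warning on a change even when the new certificate is CA-signed is a policy choice of this sketch.

```python
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER encoding."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use store, analogous to SSH's known_hosts."""

    def __init__(self):
        self._pins = {}  # (host, port) -> fingerprint

    def evaluate(self, host, port, cert_der, ca_valid):
        key = (host.lower(), port)
        seen = fingerprint(cert_der)
        pinned = self._pins.get(key)
        if pinned is None:
            if ca_valid:
                # CA-validated certificate: pin silently.
                self._pins[key] = seen
                return "ok-first-visit"
            # Unauthenticated certificate: the user decides once.
            # Nothing is pinned until accept() is called.
            return "ask-user-first-visit"
        if pinned == seen:
            return "ok-pinned"
        # The certificate differs from the one seen before. Warn even if
        # a CA vouches for the new one (policy choice of this sketch).
        return "warn-changed"

    def accept(self, host, port, cert_der):
        """Record the user's decision to trust this certificate."""
        self._pins[(host.lower(), port)] = fingerprint(cert_der)


# Constructed sample "certificates" (placeholders, not real DER).
GENUINE_CERT = b"constructed self-signed cert of forum.example"
INTERCEPTOR_CERT = b"constructed cert presented by an intercepting proxy"


def demo():
    """Run the scenarios discussed in the thread and return the outcomes."""
    outcomes = []

    # Scenario A: clean first visit, later interception.
    store = PinStore()
    outcomes.append(store.evaluate("forum.example", 443, GENUINE_CERT, False))
    store.accept("forum.example", 443, GENUINE_CERT)
    outcomes.append(store.evaluate("forum.example", 443, GENUINE_CERT, False))
    outcomes.append(store.evaluate("forum.example", 443, INTERCEPTOR_CERT, False))
    # A changed certificate is flagged even when it is CA-signed.
    outcomes.append(store.evaluate("forum.example", 443, INTERCEPTOR_CERT, True))

    # Scenario B: the proxy was already in place on the first visit.
    # Pinning then protects the interceptor's certificate, and the
    # genuine one is what triggers the warning.
    store = PinStore()
    outcomes.append(store.evaluate("forum.example", 443, INTERCEPTOR_CERT, False))
    store.accept("forum.example", 443, INTERCEPTOR_CERT)
    outcomes.append(store.evaluate("forum.example", 443, INTERCEPTOR_CERT, False))
    outcomes.append(store.evaluate("forum.example", 443, GENUINE_CERT, False))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Scenario B is the limitation raised earlier in the thread: a first-use pin detects a change, but cannot tell which of the two certificates is the genuine one.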
Re: (Score:2)
Authentication is great. But given that the alternative -- no encryption and no authentication -- allows passive sniffing, MitM, and a whole slew of other attacks, but does *not* include a warning makes it seem awfully silly to warn extensively about a connection that is *only* vulnerable to MitM attacks.
I agree that authenticated connections should be treated differently than unauthenticated connections. But I don't see why an increase in security to unauthenticated encryption is treated worse than totally
Re:You didn't expect this? Really want to help? (Score:5, Insightful)
No he means what he says, encryption.
If I'm buying stuff then yes some authentication/certification that I'm actually giving my credit card details to the company I think I am is a good thing.
If I am entering my password for a shitty forum web site, then having the session encrypted is nice to have. I don't really care about man-in-the-middle attacks since the alternative is no encryption at all.
Sometimes partial coverage is good enough. But web browsers make it appear that an encrypted connection without authentication is worse than an unencrypted connection without authentication by throwing up scary warnings about evil hackers.
Re: (Score:1, Informative)
For repeat customers, accepting a self signed certificate the first time would work fine. The certificate ensures that I'm connected to the site I think I am.
But for all the sites I haven't shopped before, a certificate doesn't improve anything. The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know. But can I trust the site I'm connected to? That's the problem. I don't know. And the certificate won't h
Re: (Score:2)
> The certificate confirms that I'm connected to a site I don't know (since I haven't been there before), and I'm expecting to be connected to a site I don't know.
It not only confirms to you that you are connected to a site that you don't know, but to this particular site that you don't know. Which means that if something untoward happens, you now know that site a little bit better :-)
> But can I trust the site I'm connected to?
This is a common misunderstanding about the purpose of certificates. Certificates don't help you trust the entities that you are doing business with. They only help you trust that you are talking to who you think you are talking to.
A certification agency's job is not to assess the financia
Re: (Score:2)
Unless the certifying authority is located physically near to the entity it is meant to be certifying there isn't really much they can do. e.g. entity in India is of little practical use if you want to know about a business anywhere other t
Re: (Score:2)
Or if you think that would be too annoying, any form that includes a password field?
Exactly! And even better: have a user-maintainable white list of sites that have an unencrypted password field (so that you aren't bothered with noisy warnings whenever you log in to your favorite low-security chat site).
In order to avoid attacks against redirection, key the white list on both the form submission URL and the last URL entered by the user (through address bar or bookmark).
Re: (Score:2)
Re:You didn't expect this? Really want to help? (Score:4, Interesting)
> The whole "encryption = authentication" idea is stupid and wrong.
Well in many cases, encryption is used to transmit authentication tokens of some kinds (passwords, credit card numbers...). And certificates are needed to make sure nobody plays man in the middle...
> The scary warnings when someone wants to encrypt the traffic between you and their website using their own certificate is commercialism at its worst.
Indeed. Warnings are needlessly scary, because non-certified SSL is still more secure than no SSL at all (non-certified SSL at least protects against passive listeners).
So, in all logic the warnings should even be more scary for the plain unencrypted http case.
Indeed, nowadays, the smart men-in-the-middle just redirect the hijacked connection to a http page, and don't bother with https, because most users won't notice the missing s in the address bar anyways...
Re: (Score:2)
Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity, and all browsers show a "lock" symbol, and most people I know expect them in banks and other important websites.
Re: (Score:3, Interesting)
> Missing s? I don't know about yours, but Firefox shows a green bar before the URL with the name of the entity,
Mine shows a very short blue bar.
> all browsers show a "lock" symbol
Yes, a small lock icon in the lower right corner.
> most people I know expect them in banks and other important websites.
So geeks (and their friends...) know about these. But most others don't, and wouldn't notice without anybody drawing attention to it.
Compare this now with the very noisy warnings that you get when trying to access a site with a bad certificate. Any man-in-the-middle worth his salt is going to opt for the missing lock icon rather than the very obnoxious "add exception" page of Firefox.
Re:You didn't expect this? Really want to help? (Score:5, Informative)
The only way to see whether the form is secure or not is then to view source and check whether the form action has https or not. I don't really believe that grandma is going to bother...
Re: (Score:2)
> So, in all logic the warnings should even be more scary for the plain unencrypted http case.
There are also situations where warnings are not generated when they should be. e.g. a signed certificate changing.
Re: (Score:2)
I agree. I'm not down on encryption, there should be more encryption, just negative about the way it's been handled by the browsers. Trust is, to me, more than just a certification by some company that is only concerned about making money and cares not a bit for me.
Re:You didn't expect this? Really want to help? (Score:4, Insightful)
Encryption without authentication is stupid and wrong too.
The scary warnings are there to make sure that you are not lulled to false safety because man in middle attacks can work just fine with encryption as long as you trust their certificate.
Talking securely to someone is implied by fact that you really know who you are talking to.
Re: (Score:2)
No more wrong than plaintext without authentication.
Hey dude, we get it: we want authentication. Sometimes we even need it. But that's a totally separate issue from encryption.
Encryption with a MitM has an active spy. Plaintext has an infinite number of passive spies. One of these two situations is better than the other.
Re: (Score:2)
So, who can sniff your traffic, who doesn't already own the network you're traveling through?
Some attacks on switches (ARP spoofing, ARP table flooding) would allow passive spying, but no reliable interception. This is because such an attack duplicates switch traffic to both the intended target and the attacker. If the attacker intercepted, rather than just passively listened, it might become obvious that the client is suddenly getting two replies to each packet, and it might start acting strange (dropping connections, etc.)
Also, some physical taps (picking up the electromagnetic fields outside of a c
Re: (Score:2)
Huh? A->B does not mean B->A. Knowing who you talk to doesn't imply it is secure. The two can be separated out quite clearly - obvious real-world examples being "talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).
Re: (Score:2)
"talking in a crowded room to a friend" (authentication without security) and "whispering to someone you've just met" (not the greatest example, but it should be fairly secure even if you don't have a clue who the hell they are).
It's not about the security of your communication partner, but about security of the communication medium.
Try "passing notes in a classroom":
Re: (Score:2)
Depending on which angle you're looking at the communication from, I agree with what you're saying. The thing is that most of those examples are the wrong way around for HTTPS (which is what we'd strayed towards as an example). In those analogies HTTPS is more like *makes random example* the person you're passing the note to sending you a padlocked box first and they've signed it in permanent marker. You know you've got something secure to send your response and you know it is from them because it has their
Re: (Score:2)
Thanks.
Re: (Score:2)
But it is stupid that we have scary warnings for encrypted, not authenticated traffic, but unencrypted, not authenticated websites have no warnings.
It makes HTTP look more secure than HTTPS. Encrypted, not authenticated/verified HTTPS is as secure as HTTP.
Re: (Score:2)
So there should be a warning whenever anybody does anything unencrypted?
There's an argument to be made that everything on the web should be encrypted.... but it's a tough sell considering the installed base of files on the web.
So, if some stuff is encrypted, and some stuff isn't, how do you decide what unencrypted sites to warn on? Just when submitting information? We already have a warning for that.... although I guess that could be sterner... hrm.
Re: (Score:2)
>Encrypted, not authenticated/verified HTTPS is as secure as HTTP.
I can't agree. Encryption is always a bonus as far as I can see. It provides you with some degree of protection from packet sniffing. It might not provide much else for a sophisticated attacker, but at least you have that much.
Disappointing. However, this is still the year (Score:2, Funny)
of personal digital certificates on the Linux desktop, over IPv6.
WoT (Score:5, Interesting)
Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.
Re: (Score:2, Interesting)
> Unfortunately, unless the govt. mandates personal electronic signatures, it ain't going to happen. And no-one will want to use it under govt. mandate anyway. This stuff is geek only territory.
I respectfully disagree. Google could easily add PK security to gmail, initially as a new feature that works only with other google accounts, and this would increase pressure for other email providers to adopt the standard.
Re: (Score:3, Insightful)
I disagree. Google cannot do this unless they change the way gmail works. I will not let them touch my private key lest I end up not trusting my own private key. You can say they can then kinda leave it on your PC and access it with client side JS, but then you sit again with the problem that it becomes hard to manage and understand by the masses.
Re: (Score:2)
OK, so you don't give Google *THE* private key you use, but what if you allow GMail to generate a different private key for you with which it signs/encrypts emails? That would be more secure than nothing at all, though of course it depends on Google's security. If Google were geeky enough, it could allow you to prove your identity to it with your private key (or other method), and then tell your email recipients that they at least are satisfied that you are who you say you are.
The key thing is that it get
Re: (Score:2)
Same here. Was quite a process... had to drive around a lot and meet weird people. After that it was denied by the same government that had an official policy to accept it. And my bank preferred even a plain e-mail over it.
No one had a clue what to do with it.
The only thing I used it for was for secure e-mail... pah... could just as well stooped to PGP then.
Me.
Re: (Score:2)
Well, in Germany, electronic signatures issued by your bank are valid signatures for contracts and the like. So you can actually sign an e-mail, send it to a government office, and they have to accept it as if it were a physical letter with signature.
Of course, if you really try that, they will fail, and if you're lucky ask you what that was, instead of ignoring it as an "error". But you *can* sue to enforce it being accepted. But you would have to actually sue. Because they would ignore or not believe that
How unexpected... (Score:5, Funny)
Re: (Score:3, Funny)
Will the freeware java developers effected? (Score:3, Interesting)
I have seen many Java signed opensource/freeware coming with that Thawte free mail certificate. I hope they won't be effected with it and if brain dead Sun offers some kind of special treatment to those, it won't be any matter.
Of course, it is Sun we talk about and even Oracle couldn't still change anything.
90% of reason Thawte brand was known among professional users was "Thawte free certificate" which was supported perfectly by mail clients. Thawte has no clue what kind of harm they did to brand value/recognition to save couple of CPU cycles and couple of gigabytes.
People thinking GNU PG or free PGP will be implemented by those: No, they will simply move to another way of pkcs signing their mails or buy commercial PGP.
Re: (Score:2)
<italian mafia accent>Umm... about your subject:
Need a bag of English? We've got some on sale. With nice words like "be" and "affected". We even have a special today, where we include a whole capital letter "J" for free!
Only $5! Beautiful fonts! Nice kerning! Buy now, before it's too late!
</italian mafia accent>
In order to end their "Web of Trust"... (Score:2)
...they would first have to start one. Since Thawte is part of Verisign and Verisign is not worthy of trust...
Comodo? (Score:2)
Java WebStart, J2ME, Java applets (Score:4, Insightful)
One thing that a lot of people are ignoring is that Thawte FreeMail certs are used by a lot of small developers to publish Java apps, and this would kill off that ability quite quickly.
That said, I have not seen a word of this on the Thawte web site, which makes me wonder if the submitter is trying to perform a DoS on Thawte for some reason, and are tricking the slashdotters into being that DoS. The page linked takes an enormous amount of time to decide that there is nothing to return, meanwhile slashdotters are beating on the server over and over. Sorry for the OP, though. The rest of their site still seems to be just fine.
Re: (Score:2)
This is directly from the website [thawte.com]:
Hmm.. Can't find a definite reference (Score:2)
That's the second source that's telling me the Free e-mail certs/WOT program is coming to an end..
However, looking at http://www.thawte.com/ [thawte.com] doesn't reveal anything as such..
But I can't say I'm *that* surprised..
--Ivan
Facebook Friends (Score:5, Interesting)
Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow? Or at minimum a GPG key exchange requiring no further steps? There's gotta be a way! Firefox/Thunderbird Plugin that has access to all keys of your 'friends' and uses them automatically? Something like that.
Re: (Score:2)
Because that would be the complete opposite of how the web of trust is meant to work?
I mean the sole concept of putting "Facebook" and "Trust" in one sentence...! What were you thinking? ;)
Re: (Score:2)
"Since people are quite adamant about adding each other as 'friends' on social networking sites like Facebook etc., why can't something like the Web-of-Trust be riding along somehow?"
That's pretty much the entire concept behind the Cory Doctorow book "Little Brother". The Xnet is a secure free Facebook. It did require physical key-signing parties, and he pointed out how the whole network could still be rooted by infiltrators, but that's the idea.
Less than two weeks? (Score:2)
Let us not forget (Score:2)
Re: (Score:2)
As I understand it the paid certificates don't need a "web of trust" because verisign will verify your identity directly. The web of trust was just a way for them to save on administrative costs.
What about the calendar of trust? (Score:2)
You know, the one where November 16 is two weeks after October 6th.
We're My Email? (Score:2)
The last official email I've received from Thawte was a year ago when my certs expired. As to whether this is actually happening, I simply have to say it's a bogus message put out by someone who's got an axe to grind with Thawte. As to Verisign purchasing Thawte 10 years ago, I wasn't aware of that as there was and is no information about such a purchase on their website, which is a critical piece of information that must be provided (of course I've not looked at their SEC filings to okay/deny).
Fake? (Score:2)
It seems the post has been removed at the moment... Was it a fake one?
I now get:
Article is unavailable or has been removed, please try a new search.
The article was not found, or is no longer available. Please try a new search..
So they're charging for it... (Score:3, Insightful)
$20/yr is not an onerous fee, big deal. I'm surprised it's gone free this long. If you really can't stand to pay for the service you're using, go to cacert.org.
re: "after that you pay" (Score:3)
Does this strategy sound familiar? It should... it's the same business strategy practiced by drug pushers: get 'em dependent and addicted, and then start demanding money. Make 'em an offer they can't refuse.
So is Thawte run by former drug pushers?
(Yes, I know the same question could be asked of Comcast and thousands of other companies. I'm singling Thawte out because of that word "trust" being involved here.)
Mail client support (Score:2)
Maybe now that Thawte is making email certification less useful (and more expensive), clients like Thunderbird and Mail.app will start to prefer GPG/PGP. That's all I can hope for anyway, since GPGMail for Mail.app is now broken under Snow Leopard for the foreseeable future.
*NOT* Related to "Web of Trust" Web Safety Add-on (Score:3, Informative)
Although I'm familiar with Thawte, I hadn't heard of its "Web of Trust" prior to this article. However, there's a popular browser add-on with the same name, so I thought I should point that out to avoid any confusion, especially since both products are related to Internet security in some way.
Web of Trust [mywot.com] is also the name of a Firefox and Internet Explorer plug-in from a company called WOT Services Ltd. (until recently known as Against Intuition Inc.). It helps protect users from harmful Web sites and puts safety rating badges in search results on Google, Bing, Yahoo!, and other search engines, similar to McAfee SiteAdvisor [siteadvisor.com] and Symantec's Norton Safe Web [norton.com] (although in my experience, WOT is much more effective). This completely unrelated Web of Trust is not being killed off.
I hope that clears up any potential confusion.
Re: (Score:3, Funny)
> People give up privacy and security every 10 seconds for a free hand job it seems.
Free hand job? Want my address? :-)
Re: (Score:2)
> Free hand job? Want my address? :-)
Naah... but send me your bank details.
Re: (Score:2)
Re: (Score:2)
We already have a spec, S/MIME. But Google doesn't even support that, let alone make it easy to use with Gmail.
What if they cancel it too? (Score:2)
A company who would cancel such a basic service would cancel OpenID in no matter of time. As it is offered free, you wouldn't have anything to say against it.
I stick with Yahoo in OpenID department, not some "side project" which has "beta" written all over the place.