Thawte trust points for your name in your cert?
January 3, 2006 10:10 AM

Is providing 'identifying documentation' to someone to earn Thawte 'Trust Points' asking for identity theft, or am I just paranoid?

I found a local representative for Thawte's 'Web of Trust' who says he will take two 'different, nationally recognized forms of photo identification' (passport and driver's license), 'verify' them, and log in to thawte.com to assign me 'trust points'. Notaries (Thawte's term) can assign between 10 and 35 points depending upon their previous experience.

Part of his email back to me:

"The procedure is described at https://www.thawte.com/wot/procedures.html. Basically, it involves setting up an appointment for us to meet and for me to verify your identifying documentation. This has to be a face-to-face meeting and you should come with both the original documents and a copy that you leave with me, which I have to keep for 5 years. Once I've verified your documentation, I notify Thawte and you'll be awarded 35 Trust Points towards your required total."

This guy has an email address at a local company, and his phone number passes the reverse-lookup test.

Am I being paranoid about providing this information? I mean, I know they have to verify against /something/ that I provide, but the whole 'keep it for 5 years' thing feels a little creepy.
posted by Wild_Eep to Computers & Internet (8 answers total)
 
Why not just use one of the much cheaper and totally hassle free vendors such as Rapid SSL?

I'm still very, very, confused by people who continue to pay Verisign and Thawte (who are now a subsidiary) for more expensive certificates at much more hassle.
posted by togdon at 10:26 AM on January 3, 2006


earn Thawte 'Trust Points'

Why bother?
posted by grouse at 10:30 AM on January 3, 2006


Note, togdon, that this is a free service that Thawte provides.

Ah, so this is for a personal certificate, for email? If that's the case why not go the GPG/PGP route?
posted by togdon at 10:36 AM on January 3, 2006


Response by poster: I set up a Thawte free cert a while back using this nicely-written walkthrough I found, and I thought it'd be easier to extend the cert I already had.

Mac OS X Mail (since Panther) has had support for S/MIME and has a really elegant way to verify (and optionally encrypt) messages.

I'll see if the GPG/PGP route has a similar walkthrough.
posted by Wild_Eep at 10:56 AM on January 3, 2006


Response by poster: From what I read, using GPGMail will change the widgets that I use to attach my public key.

I just tried to follow the URL for the procedure, thinking that I'd just verify the '5 year' thing, but the URL is dead. (He sent the email last July, I'm just now getting around to dealing with this.)
posted by Wild_Eep at 11:16 AM on January 3, 2006


Here is the current version of the web link he sent you. It mentions the 5 years in the second to last bullet point.
posted by smackfu at 1:34 PM on January 3, 2006


I am a Thawte notary (though I haven't notarized anyone in years, I was one of the originals and could assign up to 35 points). The way it works is this: you have to meet face to face and provide sufficient ID. Most notaries require two forms, with one having a picture. I also required signed photocopies.

I NEVER accepted SocSec cards unless the person also signed a waiver releasing me from liability. After a quick online notarization process, during which I assigned points, I was required to keep the docs for 5 years. I got rid of my last set last year.

Hope that helps. FWIW, I never heard about any possible ID theft cases when I was active, but times have changed.
posted by aberrant at 5:35 PM on January 3, 2006


Instead of pushing GPG, how about actually answering the question?

There are many valid reasons for preferring S/MIME over OpenPGP. One of which is the godawful fugly "plaintext armored" signing that GPG does that makes every signed message look like shit. Or the fact that if you instead opt for a detached signature you get to hear all the whines from MS Lookout / Lookout Express users since MS still doesn't support that 7 year old RFC. Or the fact that almost nobody has a valid web of trust without significant legwork - how many keysigning parties have you been to?

Yet S/MIME is nearly seamless and works flawlessly in every client.
posted by Rhomboid at 9:23 PM on January 3, 2006

