Comments on: Thawte trust points for your name in your cert?

Question: Thawte trust points for your name in your cert?

Wild_Eep — Tue, 03 Jan 2006 10:10:50 -0800

Is providing 'identifying documentation' to someone to earn Thawte 'Trust Points' asking for identity theft, or am I just paranoid?

I found a local representative for Thawte's 'Web of Trust' who says he will take two 'different, nationally recognized forms of photo identification' (passport and drivers license), 'verify' them, and login to thawte.com to assign me 'trust points'. Notaries (Thawte's term) can assign between 10 and 35 points depending upon their previous experience.

Part of his email back to me:

"The procedure is described at https://www.thawte.com/wot/procedures.html. Basically, it involves setting up an appointment for us to meet and for me to verify your identifying documentation. This has to be a face-to-face meeting and you should come with both the original documents and a copy that you leave with me, which I have to keep for 5 years. Once I've verified your documentation, I notify Thawte and you'll be awarded 35 Trust Points towards your required total."

This guy has an email address at a local company, and his phone number passes the reverse-lookup test.

Am I being paranoid about providing this information? I mean, I know they have to verify against /something/ that I provide, but the whole 'keep it for 5 years' thing feels a little creepy.

By: togdon

togdon — Tue, 03 Jan 2006 10:26:22 -0800

Why not just use one of the much cheaper and totally hassle free vendors such as Rapid SSL?

I'm still very, very, confused by people who continue to pay Verisign and Thawte (who are now a subsidiary) for more expensive certificates at much more hassle.

By: odinsdream

odinsdream — Tue, 03 Jan 2006 10:26:49 -0800

I don't remember anything about the "keep for 5 years" part when I was reading up on how to get more trust points myself - that's the part that concerns me.

Why not simply stop by a Thawte-certified bank? That's what I was planning to do - since I trust the bank not to steal my identity.

By: odinsdream

odinsdream — Tue, 03 Jan 2006 10:27:20 -0800

Note, togdon, that this is a free service that Thawte provides.

By: grouse

grouse — Tue, 03 Jan 2006 10:30:33 -0800

earn Thawte 'Trust Points'

Why bother?

By: togdon

togdon — Tue, 03 Jan 2006 10:36:37 -0800

Note, togdon, that this is a free service that Thawte provides.

Ah, so this is for a personal certificate, for email? If that's the case why not go the GPG/PGP route?

By: odinsdream

odinsdream — Tue, 03 Jan 2006 10:50:28 -0800

Because SMIME is more widely implemented by default in most mail clients, and most mail clients also trust Thawte certificates without scary messages. I set up a personal certificate through Thawte and use is in Mail.app without any additional software - and as long as your mail client supports SMIME, you can receive and verify mail from me without extra software.

I also use GPG/PGP, but only one person in my address book even knows what the hell that means, and they haven't even bothered to set it up yet.

By: Wild_Eep

Wild_Eep — Tue, 03 Jan 2006 10:56:36 -0800

I set up a Thawte free cert a while back using this nicely-written walkthrough I found, and I thought it'd be easier to extend the cert I already had.

Mac OS X Mail (since Panther) has had support for S/MIME and has a really elegant way to verify (and optionally encrypt) messages.

I'll see if the GPG/PGP route has a similar walkthrough.

By: odinsdream

odinsdream — Tue, 03 Jan 2006 11:04:35 -0800

Wild_Eep, the way I went about it was to download MacGPG (note that the page is a little cryptic - you should download GNU Privacy Guard and GPG Keychain Access) and GPGMail. After you set up a key, you'll have new options right near where your current certificate signatures show up allowing you to sign and optionally encrypt with GPG.

By: Wild_Eep

Wild_Eep — Tue, 03 Jan 2006 11:16:29 -0800

From what I read, using GPGMail will change the widgets that I use to attach my public key.

I just tried to follow the URL for the proceedure, thinking that I'd just verify the '5 year' thing, but the URL is dead. (He sent the email last July, I'm just now getting around to dealing with this.)

By: odinsdream

odinsdream — Tue, 03 Jan 2006 11:24:22 -0800

I'm not sure what you mean by your widgets comment. You don't manually attach your public key to the message. The behaviour is almost identical to what you already do with the Thawte certificate - there are two boxes to check, "sign" and "sign & encrypt," with an added drop-down menu to choose whose public key you'll use to encrypt the message.

By: odinsdream

odinsdream — Tue, 03 Jan 2006 11:25:02 -0800

Note that these GPG options are in addition to the Thawte options - nothing is replaced or overridden. I'll be glad to post a screenshot if you like.

By: smackfu

smackfu — Tue, 03 Jan 2006 13:34:43 -0800

Here is the current version of the web link he sent you. It mentions the 5 years in the second to last bullet point.

By: aberrant

aberrant — Tue, 03 Jan 2006 17:35:17 -0800

I am a Thawte notary (though I haven't notarized anyone in years, I was one of the originals and could assign up to 35 points). The way it works is this: you have to meet face to face and provide sufficient ID. Most notaries require two forms, with one having a picture. I also required signed photocopies.

I NEVER accepted SocSec cards unless the person also signed a waiver releasing me from liability. After a quick online notarization process, during which I assigned points, I was required to keep the docs for 5 years. I got rid of my last set last year.

Hope that helps. FWIW, I never heard about any possible ID theft cases when I was active, but times have changed.

By: Rhomboid

Rhomboid — Tue, 03 Jan 2006 21:23:34 -0800

Instead of pushing GPG, how about actually answering the question?

There are many valid reasons for preferring S/MIME over OpenPGP. One of which is the godawful fugly "plaintext armored" signing that GPG does that makes every signed message look like shit. Or the fact that if you instead opt for a detached signature you get to hear all the whines from MS Lookout / Lookout Express users since MS still doesn't support that 7 year old RFC. Or the fact that almost nobody has a valid web of trust without significant legwork - how many keysigning parties have you been to?

Yet S/MIME is nearly seamless and works flawlessly in every client.