October 6th, 2009


Web Unravels

According to Slashdot, the Thawte Web of Trust (of which I, tobyawand qidaneare notaries) is ending in less than 2 weeks' time – or November 16th, depending on which you believe. Maybe someone didn’t notice this was October.

The original article is Slashdotted, so I haven’t been able to read it, but if it is true it’ll be a little bit sad and quite a lot unsurprising.

E-mail certificates are one of those things that are good in theory, but difficult to convince people they’re worthwhile. Their main purpose is to show that e-mail hasn’t been tampered with since it was sent, and that it was sent from a particular person’s account; not problems that many people worry about, even with spam spoofing e-mail addresses to appear to come from people you know.

Perhaps a little more practically, if more widely taken up certificates might help to restrict spam a bit by requiring people to prove their identity to someone – but they’ve never had that take-up, and if they did then spammers would of course find ways to acquire certificates unrelated to their real identities. Faking identity would not, in the end, prove much of a hurdle.

There are other drawbacks too. Some e-mail systems (particularly web-based ones) don’t know what to do with certificates, so they make recipients more suspicious of the e-mail with the odd attachment, rather than less. And for the average user, the process of signing up for a certificate is scary and arcane. Although you can mostly click Next – Next – Next, there’s a lot of forbidding technical terminology floating about.

Finally there’s the biggest reason why I’m not surprised if Thawte have canned their free certificates program, and also why I’ve not been over-enthusiastic to recommend them for the last couple of years; they’ve never updated the sign-up process to work with Windows Vista’s higher level of security, and their instructions for working around the issue start “Turn off the Windows Firewall”…

E-mail certificates are still a mildly good idea, but Thawte’s free offering hasn’t been too attractive for some time – and unfortunately the alternatives cost.