Thawte's Public Certification

[AlexR]

Hi,

I'm thinking of setting myself up with a Thawte's personal email certificate - a digital signature if I have understood correctly. This may help avoid some of the problems with virii spoofing my mail address.

Before I sign up, I thought I would post here and see if anyone else does this, and what they think. I have not heard of Thawte, some I am a little reluctant to go giving them the amount of personal info which is required for the sign-up - which is free, by the way.

If you would like to know more about this service go here:
Thawte

Let me know what you think and if this type of service will work with FM.

Thanks,

AlexR

broken link - did you mean to link here?

[AlexR]

Fixed the link - must've hit return.

Thanks Daniel - and yes I did mean where you aimed your link.

A

[akorvemaker]

I've heard of them. I think they're well respected.

It will not work with FM's web interface. You would need to use an email client that supports this type of certificates, but I think most major clients do (such as Outlook Express, Mozilla, etc).

[AlexR]

Thanks akorvemaker - that's interesting - but I'd like to hear from one or two more people and hopefully someone who uses one of these certificates. - before I go and sign up....free is a good price - but your don't often get much for nothing (unless it is open source software that is - one major exception to the rule )

A

[savirr]

Quote:

Originally posted by AlexR
Thanks akorvemaker - that's interesting - but I'd like to hear from one or two more people and hopefully someone who uses one of these certificates. - before I go and sign up....free is a good price - but your don't often get much for nothing (unless it is open source software that is - one major exception to the rule )
A

I use one of these certificates occasionally. They aren't really that useful for proving your identity in themselves - the name in the certificate is "Thawte Freemail Member" or something like that. I guess you could get a certificate for an arbitrary email address.

I think it would only become of value if you used their "notary" system (basically volunteers in various places throughout the world). You go to see a couple of notaries, they take a copy of personal documentation (e.g. passport or something) and give you points. When you have enough points Thawte puts your name in your certificate.

Thawte issues Fastmail's https certificate.

Simon

[cailloux]

Quote:

Before I sign up, I thought I would post here and see if anyone else does this, and what they think. I have not heard of Thawte, some I am a little reluctant to go giving them the amount of personal info which is required for the sign-up - which is free, by the way.

Thawte is one of the big certificate issuers (the other that comes to mind is Verisign); getting the certificate (X.509) is not a big deal, but you do have to verify your e-mail address.

The nice thing about the certificate is that it is authenticated against your e-mail address -- i.e. it is tied to your unique ID.

The strength of these certificates over GPG/PGP is that I can create a RSA key pair for anyone I want. However, Diffie-Hellman key exchange fixes up this problem because you can obtain my public key from a key server, even if someone else registers my unique ID (e-mail address) on the server. Even if you have and use my spoofed public key, the message will still be secure because the person who spoofed the key doesn't have a copy of the message.

The combination of an X.509 certificate (verifies you are who you say you are) and public key encryption (ties a unique identifier to a particular encryption key-pair) makes you reasonably assured that you are talking (securly) to someone.

So, is it useful? I know fewer people (1) that have certificates than have GPG/PGP keys (5 in my keyring right now that I use for e-mail with any frequency).

If you do this, though, check our Thunderbird. It's got (with GPG) decent support for encrypting and decrypting messages and key management. It's free (whereas the PGP solution costs ~$50).

With the certificate, for it to be really useful, you should sign every outgoing e-mail with it. This precludes, though, the use of the web interface. But it is useful for signing and verifying authenticity, just like SSL certificates are useful for verifying the site you are doing business with is the site that you're securly communicating to.

tim

[PenPen]

I've been using Thawte free cert w/ Outlook and Outlook Express for two years (for encryption purposes only). No problem so far.
As for personal info, I think I was able to go with a minimum amount.

[mcowger]

I also use Thawte certificates for my email...they are very well known and well respected.

[XB77]

Freeware versions of PGP are available. Yes, the latest full-on bells and whistles version for XP or OS X costs $50, but I have been using the freeware ver. 7.0.3 for Me for years and if you go to this site, you can find other (more up to date?) versions for other OSs for free:
http://www.pgpi.org/products/pgp/versions/freeware/

[DrStrabismus]

The key question is: will anyone treat your email in any significantly different way? For example, does your bank accept instuctions via signed email? Does your employer require you to sign or encrypt email?

If the answer to this question is no, then don't waste your time and money.