Oct 14, 2009

Thawte has announced it will discontinue its “Web of Trust” peer-to-peer identity assertion program later this year.

Web Of Trust enables individuals to obtain personal digital certificates without having to go through costly corporate or government paperwork. The idea is that if several trusted WoT members (notaries) assert that they have met the person and verified that their government-issued identity documents (passport, driver’s license) match their WoT identity claims, then the person is probably legitimate and can be issued a trusted WoT digital certificate containing their actual name and email address. The main purpose of WoT is to enable people to create trustworthy online identities by eliminating fake accounts (“sock puppets”) and impersonators.

WoT personal digital certificates can be used to cryptographically sign or encrypt email text using the S/MIME standards. Encrypted emails cannot be read by anyone except the person the message is addressed to. Cryptographically signed emails are sent as clear text, but the recipients can verify that the message was sent by you and has not been modified in transit.

I joined WebOfTrust at its inception in the summer of 1999. My WoT identity was essentially signed by ‘root’ – I met with a vice president of Thawte in San Francisco to verify my documents and chat briefly about the program. Thawte is based in South Africa (acquired by Verisign in 2000) and sent a small team on a coast-to-coast tour of the US to seed the WoT trust system with notaries. As I recall, San Francisco was also the first city in that tour. WoT notaries make identity assertions to help others achieve trusted status with very little involvement (or expense) to Thawte. You need trust assertions from at least 3 WoT notaries to achieve trusted status.

As a WoT notary, I’ve made quite a few identity assertions for folks in the Santa Cruz area over the years. Nothing particularly interesting to report there. What is interesting is the number of folks who would contact me to request a WoT identity assertion, but then vaporize as soon as they found out that they had to present photo ID and meet me in person.

I guess I’m just continually amazed at how many people have enough interest and motivation to request that their identity be validated, but then back out because a) they don’t want to use their real name or b) they don’t have government issued photo ID documentation for the identity they’re trying to create.

It’s a shame to see WoT go.  I started using WoT certificates to sign all my personal and business mail after learning folks were receiving email with my return address that I didn’t write. Signed mail was a nice techorati touch, even if most of the folks I corresponded with didn’t know what that S/MIME attachment was for.  It was also a bit viral – folks would ask me about the attachment, I’d explain digital signatures, and they’d get interested enough to get their own certs and join the fray.  Once someone had sent you a signed email, you could store their public key and use it to send them encrypted email.  I’ve never sent anything through email that required encryption, but it’s fun to encrypt a few now and then just for fun.  Stick it to the man, so to speak.

My use of signed email came to an abrupt end when I found Gmail. I loved the Gmail feature set, “net nomad” availability, and spam abatement, but Gmail did not (and still does not) support cryptographically signing outgoing emails with digital certificates. To a degree, I understand why this has never been a priority for Gmail – in order for Gmail, running on the web server, to sign your outgoing mail, the private key of your digital certificate would need to be stored on the web server. That’s a security risk – or at least, more opportunity for risk than storing the cert on a local hard disk. But I also feel that excuse is a cop-out. It can be dealt with, but Gmail never tried.

Personal digital certificates are handy in another way: if you’re working on code to handle X.509 certificate chains (as I have been lately – more on that eventually), it’s always nice to have a few valid X.509 certificates to test with. Sure, you can create fake self-signed certs with makecert, but fake certs don’t exercise all the code paths and don’t work on other machines. WoT personal digital certificates are a quick and easy way to get an X.509 certificate that is signed by a real root CA that is recognized by every modern Windows system. As an extra bonus for code testing, WoT certificate chains have a depth of three: leaf, intermediate CA, and root CA.
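The two technical points above, that signed mail lets a recipient detect tampering and that a three-deep chain (leaf, intermediate CA, root CA) exercises code paths a lone self-signed cert never touches, can be shown in a single worked example. The code below is an added illustration, not the post’s own code nor anything from Thawte or WoT: it uses the pyca/cryptography library to mint a constructed root → intermediate → leaf chain in memory, walks the chain the way chain-handling code must (issuer/subject linkage, validity window, CA flag and path length, each signature checked with the issuer’s key), and then signs a message body with the leaf key. The names, validity periods and message text are made-up test values; the signature step uses a raw PKCS#1 v1.5 signature rather than the full CMS envelope an S/MIME client would produce.

```python
"""Build a three-level X.509 test chain and validate it by hand.

Added example using pyca/cryptography (pip install cryptography).
Every name and value here is constructed for the demo.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _make_cert(subject, subject_key, issuer, issuer_key, is_ca, path_len=None):
    """Issue a certificate for subject_key, signed by issuer_key (SHA-256/RSA)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def build_test_chain():
    """Constructed chain: Test Root CA -> Test Intermediate CA -> Alice (leaf)."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root_name, inter_name = _name("Test Root CA"), _name("Test Intermediate CA")
    root = _make_cert(root_name, root_key, root_name, root_key, True, path_len=1)
    inter = _make_cert(inter_name, inter_key, root_name, root_key, True, path_len=0)
    leaf = _make_cert(_name("Alice Example"), leaf_key, inter_name, inter_key, False)
    return root, inter, leaf, leaf_key


def make_self_signed(common_name):
    """A makecert-style self-signed end-entity cert: chains to nothing."""
    key = rsa.generate_private_key(65537, 2048)
    return _make_cert(_name(common_name), key, _name(common_name), key, False)


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older versions are naive UTC.
    nvb = getattr(cert, "not_valid_before_utc", None)
    if nvb is not None:
        return nvb, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_chain(chain, trusted_roots):
    """chain[0] is the leaf; the last element must have been issued by a trusted root.

    Returns the anchoring root, or raises ValueError naming the first failed check.
    """
    root = next((r for r in trusted_roots if r.subject == chain[-1].issuer), None)
    if root is None:
        raise ValueError("no trusted root issued " + chain[-1].issuer.rfc4514_string())
    path = list(chain) + [root]
    now = datetime.datetime.now(datetime.timezone.utc)
    for i, cert in enumerate(path):
        who = cert.subject.rfc4514_string()
        nvb, nva = _validity(cert)
        if not nvb <= now <= nva:
            raise ValueError(f"{who}: outside validity window")
        if i > 0:  # every cert above the leaf must be a CA with room for i-1 intermediates below it
            bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
            if not bc.ca:
                raise ValueError(f"{who}: not a CA")
            if bc.path_length is not None and bc.path_length < i - 1:
                raise ValueError(f"{who}: path length exceeded")
        issuer = path[i + 1] if i + 1 < len(path) else cert  # root is self-signed
        if cert.issuer != issuer.subject:
            raise ValueError(f"{who}: issuer name does not match next cert")
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            raise ValueError(f"{who}: signature does not verify under {issuer.subject.rfc4514_string()}")
    return root


def is_trusted(chain, trusted_roots):
    try:
        verify_chain(chain, trusted_roots)
        return True
    except ValueError:
        return False


def sign_message(body, private_key):
    """Detached signature over a mail body (the primitive S/MIME wraps in CMS)."""
    return private_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def signed_by(body, signature, cert):
    """True only if body is byte-for-byte what the holder of cert's key signed."""
    try:
        cert.public_key().verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    root, inter, leaf, leaf_key = build_test_chain()
    print("full chain trusted:", is_trusted([leaf, inter], [root]))
    print("leaf without intermediate:", is_trusted([leaf], [root]))
    print("self-signed cert:", is_trusted([make_self_signed("Bob Example")], [root]))
    sig = sign_message(b"Meet at noon.", leaf_key)
    print("signature holds:", signed_by(b"Meet at noon.", sig, leaf))
    print("tampered body:", signed_by(b"Meet at one.", sig, leaf))
```

Dropping the intermediate from the presented chain, or handing the validator a self-signed cert, is exactly the kind of failure a test suite built only on `makecert` output never reaches: with a single self-signed cert, issuer lookup, CA constraints and path length are all skipped.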

Alas, WoT is no more.  So long Web Of Trust.  It’s been a great run.