Thawte Web of Trust (WoT) – An easy way to secure email !

Since 2004, I’m a member of the Thawte Web of Trust. I’ve always been quite a security enthusiast, my first experiences were under DOS using the pgp executable to try and cypher some text that I would put on a diskette and have a friend read the next day…

Those days are long gone but, even though the advent of the Internet and modern cryptography, the principles still remain! In the beginning there are only two things, a Public and a Private cryptographic key. The public key is used for cyphering content and verifying signatures, the private key is used to sign and decipher content.

So if you want to send a message to a friend of yours, you have various options:

  • Sign it, don’t encrypt : Your friend needs your public key to verify your signature
  • Encrypt it, don’t sign it: You need your friends’ public key
  • Encrypt it, sign it: You need your friends’ public key and he needs yours to verify the signature

That’s a lot of key exchanges that could potentially lead to several attacks such as Eve trying to convince you that he’s got your friends’ public key when what he has is a fake. Eve, if she somehow catches the message you sent your friend will be able to decipher it.

Now, this is where certificates come into action, Trent which is trusted by both of you will “grosso modo” digitally sign your (name, email address and public key) tuple so it can not be tampered with. Of course, Trent needs to assert your identity before he signs your certificate, otherwise it makes no sense.

Thawte is just an instance of Trent, also known as a Certification Authority which delivers free personal certificates for email based on the concept of a Web of Trust (WoT)!

The Web of Trust is a network of people who have physically met each other and verified each other’s identity. The system is based on the concept of Trust Points, the mode trust points you have, the more you’ve met people who Thawte trusted and who verified your identity, thus, the more Thawte trusts you’re really who you say you are.

You begin with 0 trust points, a minimum of 50 points are required in order for Thawte to issue you a certificate with your name on it. If you’re lucky, you might get the 50 points by just meeting 2 persons who will give you 35 each. There is an online database which will show you all the Thawte Notaries in your region! It works worldwide and these guys are generally quite nice! It’ll take a 100 points in order to become a notary yourself, you’ll be able to give only 10 points at the beginning but this changes as you get more experienced.

Once you’ve requested your certificate from Thawte, you can use it in various e-mail applications such as Thunderbird as explained here

Enjoy ;)

Leave a Reply