Thawte Free personal email certificates will Rest in Peace…

I received some sad news tonight in my mailbox: the Thawte Personal E-Mail Certificates and Web of Trust services will be discontinued on November 16, 2009 and will no longer be available after this date.

According to Thawte, the reason relates to the constantly evolving security compliance requirements, which are becoming more and more restrictive; the Web of Trust service was no longer compliant with them. Web of Trust was a great concept: local notaries, i.e. certified people able to physically meet individuals, check their identities, and act as witnesses certifying that the SSL or X.509 certificates they request match their identity, thus offering a real guarantee of who they are. Having such a certificate for email means that you can sign your messages so that the recipient has a 100% level of confidence that you are the right sender. Those are the basics of electronic signature, by the way.

I have been a Web of Trust Notary since 1999, and a long time has elapsed since then, with the 11/7 events and all the security reinforcement that occurred worldwide. I fully understand that the small circle of Web of Trust Notaries could have been corrupted by unlawful individuals, motivating Thawte to discontinue this service, but it is sad nonetheless. Now, people will have other ways to certify the integrity and confidentiality of their email:

  • Buying an email certificate from one of the few companies that provide this service; but there will no longer be free offerings.
  • Setting up their own PKI infrastructure and service, meaning there won't be any trust relationship with others.
  • Using PGP/GnuPG and signing keys during meetings, which are called Key Signing Parties.
  • Leaving their emails unencrypted and/or unsigned…

I guess the PGP/GnuPG option is the best one, but it requires PGP/GnuPG to be installed in every recipient's email software, and it requires some knowledge to operate and manage the keys. I personally use GnuPG to sign and/or encrypt my emails, but it may not be that simple for most people; moreover, the fact that GnuPG keys are organized as a "mesh" rather than a "tree" prevents the emails I send from being recognized as legitimate by people other than the ones I have exchanged and signed keys with… That is quite different and raises other issues.
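An added toy model of the difference just described, written for this page (it is neither the post's code nor GnuPG's or Thawte's validation logic): a hierarchical chain validates for anyone who holds the root, whereas a signature mesh validates a key only for people who signed it themselves or who trust one of its signers. The names, keys and issuer chain are constructed; the thresholds (1 fully trusted or 3 marginally trusted signatures, trust not transitive) mirror GnuPG's default trust model in simplified form.

```python
"""Constructed comparison of hierarchical (X.509) vs web-of-trust (PGP) key validity."""


def x509_valid(cert, issuer_of, trusted_roots, max_depth=5):
    """Hierarchical model: accept `cert` if its issuer chain reaches a trusted root."""
    cur, depth = cert, 0
    while cur not in trusted_roots:
        if depth >= max_depth or cur not in issuer_of:
            return False
        cur, depth = issuer_of[cur], depth + 1
    return True


def wot_valid(verifier, key, signed_by, ownertrust, completes_needed=1, marginals_needed=3):
    """Web-of-trust model (simplified GnuPG rules): `key` is valid for `verifier`
    if the verifier signed it, or it carries enough signatures from keys the
    verifier assigned ownertrust to. Ownertrust is a per-verifier choice and
    does not propagate, which is why strangers cannot validate the key."""
    if key == verifier:
        return True
    signers = signed_by.get(key, set())
    if verifier in signers:
        return True
    trust = ownertrust.get(verifier, {})
    full = sum(1 for s in signers if trust.get(s) == "full")
    marginal = sum(1 for s in signers if trust.get(s) == "marginal")
    return full >= completes_needed or marginal >= marginals_needed


# Hierarchical case (constructed): a personal cert chains to a root CA that
# every mail client ships, so any recipient can validate it.
ISSUER_OF = {"bruno@example.org": "Freemail Issuing CA", "Freemail Issuing CA": "Root CA"}
ROOTS = {"Root CA"}

# Mesh case (constructed): who signed whose key at key-signing meetings, and
# which signers each verifier personally chose to trust as introducers.
SIGNED_BY = {
    "bruno": {"pierre", "alice"},  # bruno met pierre and alice
    "alice": {"bruno", "pierre"},
    "carol": {"alice"},            # carol only ever met alice
}
OWNERTRUST = {
    "pierre": {"alice": "full"},   # pierre vouches for alice's signing habits
    "dan": {},                     # dan never met anyone in this circle
}


def demo():
    """Return the validity decisions each party reaches for bruno's and carol's keys."""
    return {
        "x509_anyone": x509_valid("bruno@example.org", ISSUER_OF, ROOTS),
        "wot_pierre_bruno": wot_valid("pierre", "bruno", SIGNED_BY, OWNERTRUST),
        "wot_pierre_carol": wot_valid("pierre", "carol", SIGNED_BY, OWNERTRUST),
        "wot_dan_bruno": wot_valid("dan", "bruno", SIGNED_BY, OWNERTRUST),
    }
```

Running `demo()` shows bruno's certificate validating for anyone under the hierarchy, while in the mesh only pierre (who signed bruno's key, and trusts alice who signed carol's) gets a valid result; dan, a stranger, gets none.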


Bruno Kerouanton on October 14th 2009 in IT Security

2 Responses to “Thawte Free personal email certificates will Rest in Peace…”

  1. Pierre Lannoy responded on 11 Nov 2009 at 22:50

    Hello,
    I don't quite understand your point of view on the free alternatives: CAcert seems perfectly viable to me. Doesn't it?

  2. Bruno Kerouanton responded on 11 Nov 2009 at 23:11

    CAcert… er… indeed, I hadn't thought of that one; it is indeed a solution that holds up as well! Thanks for reminding me.
