Wednesday, October 14, 2009


I Thawte I saw a CAcert

Around three and a half years ago, I posted an item in these pages about public key infrastructure.[1] In it, I mentioned two certificate authorities from which one could get free certificates for personal use: Thawte and CAcert. (You can also get free certificates from Comodo, ipsCA, and StartCom.) For somewhat arbitrary reasons — mostly because Thawte seemed better situated, and its root certificate was already set up in Windows as a trusted signer (CAcert is not) — I settled on that one, and have been using a Thawte certificate.

Unfortunately, it seems that Thawte is getting out of the “business” of issuing personal certificates. I got this email yesterday:

Important Thawte® Personal E-mail Certificate Holder Notice

Thawte Personal E-mail Certificates and Web of Trust are being discontinued

Dear Barry Leiba,

Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

Deciding to conclude these services was a difficult decision for us to bear, specifically because of the community that has been built around these products over the years.

To express our gratitude and sincere appreciation for being a part of our Thawte community, we would like to offer you up to $100.00 off the purchase price of our SSL and/or code signing certificates.

If you would like to take advantage of our offer, please forward this email to our sales department. Their contact details are listed at the foot of this message. Please note that this offer expires on November 16, 2009.

We have also made a special arrangement with VeriSign regarding replacing your personal email certificate. VeriSign’s exclusive offer to you is for a FREE 1-year replacement personal email certificate - a $19.95 value. This offer will be open for 2 months after the service is discontinued and will no longer be available after January 16, 2010. Simply follow appropriate link below to request your certificate.

Interestingly, their web page for requesting new certificates hasn’t been updated yet. And you can still request one for another month, though I’m not sure why you’d want to: according to their FAQ page on the matter, all outstanding certificates will be revoked on that date, so any certificate you get now will only be valid for another month (or less) anyway. It’s not like you can grab one at the last minute and be OK for another year.

I think I shan’t take them up on their VeriSign offer. I’ve already revoked my Thawte certificate and have gotten one from CAcert instead (and that’s the one you’ll see on my business-related web page now, in its right sidebar).

Of course, I say that I’ve been “using” a certificate only in the loosest sense of “use”. I rarely have any need to digitally sign email, and no one ever has cause to send me encrypted mail. At least, that’s the case with the way we do email today. I’d still like to see this technology used more, but it remains a curiosity.

Why it’s no more than a curiosity is mostly covered in the PKI entry. The short answer: it’s too cumbersome and confusing to get certificates, to give them to people who need them, to manage them (they expire annually, and need to be replaced with new ones), and to deal with the error conditions when something doesn’t work right.

I know what I’m doing, and the process for replacing my Thawte certificate with the CAcert one was not trivial for me, and didn’t work right away. I had to “install” the new certificate into multiple programs, as well as into the MacOS “keychain” (theoretically, they should all get it through the keychain, but...). After installing it, I had to tell some of the programs to use the new certificate instead of the old one. One program didn’t allow me to choose, and insisted on using the Thawte certificate, so I actually had to delete it from that program’s certificate list (that was before I did the revocation, so maybe it would work correctly now, when it saw that the certificate it wanted to use was revoked). Deleting the old certificate is a bad idea, if you might have encrypted mail or files that need it. And then I had to remove the public version of the old certificate from my web site and put the new one there.

But another reason that all this is just a curiosity is that there’s no compelling reason to use this stuff anyway. That is to say, there are plenty of good reasons that we should be using it, but we lack the critical mass to make any of that matter. If no one expects my email to be digitally signed, nor cares whether it is or isn’t, then it doesn’t matter that I can do it. If no one wants to send me encrypted mail, it doesn’t matter that they can.

My bank should be sending my online bank statements to me, encrypted and signed. Instead, I get plain-text mail that tells me my statement is ready, and I go log into their web site to get it. I should be sending instructions to my financial advisor, encrypted and signed. Instead, we use the phone, or I go to the company’s web site and log in.

And the web sites don’t even use my certificate to identify me, though they could, and it would be better than the username/password system. But it’s still too hard, three and a half years after I last ranted about it, to make digital certificates work for general users. We haven’t gotten anywhere.

[1] While you’re reviewing that, go back and (re-)read my series on digital signatures. Hm. I wonder how old these pages have to get before it’s worth re-posting selected old items.


SSL UK said...

The only use of digitally signed emails that I really make use of is when purchasing certain domains from Nominet in the UK. I understand where you are coming from in terms of the need for it - I suppose trust is the main thing and you can get round things in other ways.

Jim Fenton said...

I have long been uncomfortable with these types of certificates. Or to put it another way, I have been happy to see these certificates as they point out a shortcoming with X.509 certificate issuance procedures.

Generally, these low assurance certificates are issued upon a demonstration by the requester that they can receive email at the address shown in the certificate. This is done by the issuer sending a confirmation email to that address and the requester clicking on a unique link in that email. Without even considering the dependence of that transaction on insecure email infrastructure, the requester now has a certificate that is good for (typically) a year. The domain to which that certificate is attributed doesn't have any say in (or even awareness of) the transaction, so it isn't possible for the domain to request revocation of the certificate if the requester leaves.

Suppose that the Example Organization, whose president is identified by the role email address, just had an election and is to be replaced by a rival. The president could request a certificate for, and then when the new president takes office, has the better part of a year to send signed email claiming to still be the president. What can the Example Organization do? Nothing I can think of, short of get a restraining order.

Sure, these certificates have caveats. But does anyone read certificate attributes? Do many people even know how to read the certificate attributes? No.

On a separate note, it would be interesting to see how Thawte plans to revoke all those certificates...that would be quite a Certificate Revocation List (although not rivaling that of the US Government, from what I understand).

Barry Leiba said...

Jim, I completely agree. The only reason I'm happy to use these free certificates is that, as I said, it doesn't matter much.

In addition to the situation you describe, there's also the fact that if someone can compromise your email account briefly, or otherwise intercept email to you — the part you say "without considering" — they can get a certificate that lets them pretend to be you for a year.

Unfortunately, this problem isn't limited to these sorts of certificates, since many CAs are not as rigorous as we'd like in how they confirm identities and issue certs. Also also, just as ICANN and the domain registries will happily let you register a name like, the CAs will happily issue certs to you once you do that.

There's some attempt to fix this with the new-ish "extended validation certificates", but I don't believe that's really secure either, nor that any added security it provides will last long.

On your separate note: Thawte does, indeed, use a CRL, and they are putting the revoked certs into it. Realistically, I don't think they'll be queried very much. How much mail is really out there that's signed with Thawthe certs, and how often will someone try to send encrypted mail using one?