Monday, October 19, 2009

The Multiple Assurer Model of CAcert and Thawte

Identity assurance systems are surprisingly interesting. Two that work in essentially the same way are CAcert and the Thawte Web of Trust. In each system, a person registers for a free account through the web and must then collect assurance points from assurers (Thawte calls them notaries). Assurers are volunteers, though some charge a small fee for their time, and many are certified to grant points in both systems.

An assurer meets the person face to face, inspects government-issued photographic identification such as a passport, and is required to record which documents were presented. The assurer may then award up to 35 points; the exact ceiling depends on the assurer's own seniority in the system and on how satisfied they are with the proof of identity.

Once a person has collected at least 50 points, either system issues them a signed X.509 certificate containing their name and email address, usable for S/MIME email or certificate-based logins. With 100 points they may themselves become an assurer. Because no single assurer can award more than 35 points, the 50-point threshold requires at least two assurers and the 100-point threshold at least three, so one rogue assurer cannot, acting alone, get a false identity certified, let alone mint new assurers who would go on to poison the pool of certificates the system issues. In these respects the CAcert and Thawte systems are identical.

There are several differences worth noting. First, Thawte's root certificate ships in the default trust stores of common desktop browsers and mail clients, so Thawte-issued certificates validate out of the box. CAcert's root does not, so its certificates are rejected (or flagged with a trust warning) until the user has installed CAcert's root certificates, which also means the user is then trusting every certificate that root has signed, so the import should be a deliberate choice rather than a reflexive click-through. CAcert is aware of this and is pushing for inclusion in more software. CAcert also issues SSL certificates for web servers and code signing certificates for application developers.
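The practical effect of a root that is not in the default trust store can be reproduced locally. The script below is an added example, not code from the original post or from CAcert or Thawte: it builds a throwaway root CA (the name "Example Community CA" and the user address are invented) and an S/MIME-style end-entity certificate signed by it, then verifies that certificate twice with the OpenSSL command-line tool: once against the system's default trust store, where it is rejected as untrusted, and once with the root supplied explicitly as a trust anchor, where it validates. It assumes the `openssl` binary is available on the path.

```shell
#!/bin/sh
# Added example: a leaf certificate chained to a root the verifier has not
# installed fails validation; the same certificate validates once that root
# is supplied as a trust anchor. Names below are constructed, not real CAs.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway root and an S/MIME-style user certificate signed by it.
make_chain() {
    # Self-signed root ("Example Community CA" is a made-up name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Community CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # End-entity request carrying a name and an email address, as a
    # CAcert/Thawte client certificate would.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=Example User/emailAddress=user@example.invalid" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" >/dev/null 2>&1
    # Sign the request with the throwaway root.
    openssl x509 -req -days 1 -in "$WORK/user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/user.crt" >/dev/null 2>&1
}

# Verify against the system trust store only. Prints "ok" or "untrusted".
verify_default_store() {
    if openssl verify "$WORK/user.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# Verify with the community root explicitly installed as a trust anchor.
verify_with_root() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/user.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

make_chain
echo "default trust store: $(verify_default_store)"
echo "with root as anchor: $(verify_with_root)"
```

Browsers and mail clients make the same decision as `openssl verify`: the certificate's signature is perfectly valid in both runs, and the only thing that changes is whether the issuing root is among the anchors the verifier trusts.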

Additionally, CAcert signs the PGP keys of users whose email addresses it has verified, using the CAcert PGP key. These PGP certifications are available to users with at least 50 assurance points.

Last month, Thawte announced the termination of its Web of Trust service and offered existing users a free one-year certificate through VeriSign. The service no longer accepts new enrollments.

The above was written primarily before Thawte’s announcement.