GSWoT’s Single Assurance Model
In contrast to the multiple assurer model, there is a single assurance model. The most interesting of the single assurer models is the Gossamer Spider Web of Trust, or GSWoT, which calls its assurers introducers. Like CAcert and Thawte assurers, GSWoT introducers are volunteers who perform assurances as a part of other activities. GSWoT introducers, however, do not earn points and are drawn from the ranks of CAcert and Thawte assurers. This process enables GSWoT to recruit those already well-versed in identity management best practices.
GSWoT works entirely within the PGP web of trust, relying on the OpenPGP specification's trust-signature depth. GSWoT users can download the GSWoT keyring, which includes the introducers' keys and a metakey for the entire GSWoT network. The user should issue a trust signature to the GSWoT metakey with a trust depth of 2. The GSWoT metakey signs each introducer's key with a trust level of 1. From then on, the user who downloaded the GSWoT keyring will find valid keys for anyone signed by any GSWoT introducer. GSWoT introducers are expected to hold high standards when issuing signatures to ensure the Gossamer Spider Web of Trust does not become polluted. Additionally, GSWoT introducers cross-sign each other's keys to tighten the web of trust knot surrounding its volunteers.
There is significant overlap among GSWoT introducers with both the CAcert and Thawte web of trust networks. But unlike CAcert and Thawte, there is no single organization that continues to monitor and issue signatures representing the web of trust. Given a copy of the GSWoT keyring, anyone can verify the validity of a signature indefinitely. For PGP users, the GSWoT keyring and the CAcert PGP key (which should be trust-signed with a trust depth of 1) provide a web of trust that is remarkably fault tolerant, massively distributed worldwide, and freely accessible by any Internet user.
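To make the depth arithmetic concrete, here is an added toy model (not GSWoT's or GnuPG's code) of how OpenPGP trust-signature depth propagates: the user trust-signs the metakey at depth 2, the metakey trust-signs introducers at depth 1, and introducers issue ordinary (depth 0) certifications. The key names and the signature graph are constructed for illustration; in GnuPG the real-world counterpart is the tsign command in gpg --edit-key.

```python
"""Toy model of OpenPGP trust-signature depth as used by GSWoT.
Added example, not part of the original post; all key names are constructed.
"""

# Constructed signature graph: signer -> {signee: depth of the (trust) signature}.
# Depth 0 is an ordinary certification: the signee is valid but cannot introduce.
# Depth n makes the signee a trusted introducer able to issue depth n-1 signatures.
SIGS = {
    "user":          {"gswot-metakey": 2, "cacert-pgp": 1},  # the keyring owner
    "gswot-metakey": {"introducer-a": 1, "introducer-b": 1},
    "introducer-a":  {"alice": 0, "introducer-b": 1},       # cross-sign of a peer
    "introducer-b":  {"bob": 0},
    "alice":         {"carol": 0},   # alice is not an introducer
    "cacert-pgp":    {"dave": 0},
}


def key_valid(target, owner="user", sigs=SIGS):
    """True if `owner` treats `target` as valid: a chain of trust signatures
    from owner reaches a trusted introducer that certified target, without the
    introducer level dropping to 0 along the way."""
    # Stack of (signer, level): keys whose certifications the owner honours.
    # The owner's own signatures are always honoured, modelled as unbounded level.
    stack = [(owner, float("inf"))]
    seen = set()
    while stack:
        signer, level = stack.pop()
        if (signer, level) in seen:
            continue
        seen.add((signer, level))
        for signee, depth in sigs.get(signer, {}).items():
            if signee == target:
                return True  # certified by the owner or a trusted introducer
            # A depth-n trust signature from a signer trusted at level m confers
            # introducer level min(n, m-1); only level >= 1 may introduce others.
            new_level = min(depth, level - 1)
            if new_level >= 1:
                stack.append((signee, new_level))
    return False


if __name__ == "__main__":
    for key in ("alice", "bob", "dave", "carol", "introducer-b"):
        print(f"{key:13s} valid={key_valid(key)}")
```

With depth 2 on the metakey, keys certified by any introducer validate, while keys certified only by those users (carol) do not; trust-signing the metakey at depth 1 instead would stop the chain at the introducers themselves.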
The Multiple Assurer Model of CAcert and Thawte
Identity assurance systems are surprisingly interesting. Two, which work in basically the same way, are CAcert and the Thawte Web of Trust. In each system, a person can register for a free account through the web and is then required to obtain points from assurers. Assurers work as volunteers, though some may charge small fees for their work. Many assurers are certified to grant points within both systems.
An assurer meets the person face to face, asks to see photographic identification such as a passport, and is required to document what type of identification was presented. The assurer may assign up to 35 points to the person met, based on the assurer's own seniority in the system and satisfaction with the proof of identity.
Once a person has collected at least 50 points, either system will issue them a signed X.509 certificate, including their name and email address, that the person can use for S/MIME email or certificate-based logins. If a person can collect 100 points, they may themselves become an assurer within the system. The requirement that several assurers certify a person prevents a single rogue assurer from poisoning the well of certificates issued by the system. At least two assurers are necessary. In these respects, CAcert's and Thawte's systems are identical.
There are several differences worth noting. First, Thawte certificates are widely accepted by the default configuration on desktop PCs. CAcert certificates, however, are not widely accepted and will only be accepted if the user has installed CAcert's root certificates. CAcert is aware of this and is pushing for inclusion in more software. CAcert also issues website SSL certificates for servers and code signing certificates for application developers.
Additionally, CAcert offers PGP key signatures for verified email addresses from the CAcert PGP key. CAcert’s PGP certifications are available to users with at least 50 assurance points.
Last month, Thawte announced the termination of their service and offered users a free one-year certificate through Verisign. The service no longer accepts new enrollments.
The above was written primarily before Thawte’s announcement.