The Multiple Assurer Model of CAcert and Thawte
Identity assurance systems are surprisingly interesting. Two, which work in basically the same way, are CAcert and the Thawte Web of Trust. In each system, a person can register for a free account through the web and is then required to obtain points from assurers. Assurers work as volunteers, though some may charge small fees for their work. Many assurers are certified to grant points within both systems.
Assurers meet with a person face to face, ask to see photographic identification, such as a passport, and are required to document what type of identification was presented. The assurer may assign up to 35 points to the person based on the assurer's own seniority in the system and their satisfaction with the proof of identity.
Once a person has collected at least 50 points, either system will issue them a signed X.509 certificate that includes their name and email address, which the person can use for S/MIME email or certificate-based logins. If a person collects 100 points, they may themselves become an assurer within the system. The requirement that certification involve multiple assurers prevents a single rogue assurer from poisoning the well of certificates issued by the system: because no single assurer can grant more than 35 points, at least two assurers are necessary. In these respects, CAcert's and Thawte's systems are identical.
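The point model above can be expressed as a small policy check. This is an added example, not code from CAcert or Thawte; it assumes a hypothetical per-assurer account identifier and that an assurer may assure a given person only once, so a second assurance from the same account is ignored rather than counted.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds as stated in the post.
MAX_POINTS_PER_ASSURANCE = 35   # most a single assurer may grant
CERT_THRESHOLD = 50             # points needed before a certificate is issued
ASSURER_THRESHOLD = 100         # points needed to become an assurer
MIN_DISTINCT_ASSURERS = 2       # certification requires more than one assurer


@dataclass(frozen=True)
class Assurance:
    """One face-to-face assurance: who granted it and how many points."""
    assurer_id: str     # hypothetical identifier for the assurer's account
    points: int
    id_document: str    # the type of ID the assurer recorded, e.g. "passport"


def tally(assurances: List[Assurance]) -> Tuple[int, int]:
    """Return (accepted points, number of distinct assurers).

    A grant above the per-assurer cap is a policy violation and is rejected.
    A repeat grant from an assurer already counted is skipped (assumption:
    one assurance per assurer per person), so one account cannot reach the
    certificate threshold on its own.
    """
    seen = set()
    total = 0
    for a in assurances:
        if not 0 < a.points <= MAX_POINTS_PER_ASSURANCE:
            raise ValueError(f"{a.assurer_id}: {a.points} points exceeds cap")
        if a.assurer_id in seen:
            continue
        seen.add(a.assurer_id)
        total += a.points
    return total, len(seen)


def status(assurances: List[Assurance]) -> str:
    """Classify a member as 'unassured', 'certificate' or 'assurer'."""
    total, distinct = tally(assurances)
    if distinct < MIN_DISTINCT_ASSURERS or total < CERT_THRESHOLD:
        return "unassured"
    return "assurer" if total >= ASSURER_THRESHOLD else "certificate"


# Constructed sample: three assurers, one of whom tries to assure twice.
SAMPLE = [
    Assurance("assurer-A", 35, "passport"),
    Assurance("assurer-B", 20, "driving licence"),
    Assurance("assurer-A", 35, "passport"),   # repeat from A, ignored
    Assurance("assurer-C", 30, "national ID card"),
]

if __name__ == "__main__":
    print(status(SAMPLE))   # certificate
```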
There are several differences worth noting. First, Thawte certificates are widely accepted by the default configuration of desktop PCs, whereas CAcert certificates are not and will only be accepted if the user has installed CAcert's root certificates. CAcert is aware of this and is pushing for inclusion in more software. CAcert also issues SSL certificates for web servers and code signing certificates for application developers.
Additionally, CAcert offers PGP key signatures for verified email addresses from the CAcert PGP key. CAcert’s PGP certifications are available to users with at least 50 assurance points.
Last month, Thawte announced the termination of their service and offered users a free one-year certificate through Verisign. The service no longer accepts new enrollments.
The above was written primarily before Thawte’s announcement.
An Inaugural Post
This is a new blog dedicated to OpenPGP and related topics. OpenPGP, itself, is a standard for encrypting and signing digital data. Some of the related issues might include identity management, X.509, and even social media.
I started this because so much of the material surrounding OpenPGP is so poorly documented. While several books exist, they do not provide much insight into the nuances of signing data and none provide a lot of resources for those interested in more than encrypting a few emails.
This blog will cover a lot of topics from key generation and types to certificate authorities and probably some other interesting things coming over the horizon. Posts will probably run about once a week, usually on Tuesdays.