[OT] CAs: A Story

L. Sassaman rabbi@quickie.net
Tue, 25 Jan 2000 16:56:32 -0500 (EST)

No, Thawte doesn't sign the real user id. It seems for some reason that
they haven't figured out that that is the simplest and best way of doing

<shameless plug>
FreeCert will sign PGPs correctly. For more info, go to www.freecert.org.
</shameless plug>

And if the user wants to use that ID, he needs to self-sign it. First he
needs to import it to his keyring, by turning on the option


And then editing the key and signing it.

Don't ask me why Thawte does it this way. I think they are confused.

I also asked a while back about the possibility of having two different
signing keys, one for the regular Freemail members (for whom there is no
real authentication done) and a separate one for the people who have
obtained 50 or more points in the Thawte WOT (who are very likely who they
say they are.)

I cannot trust Thawte as an introducer for the mere freemail members, but
I would for the people who have had their IDs ascertained in the WOT. But
until they use separate keys, Thawte's sigs are pointless.

I am quite willing to talk to the programmers at Thawte if they would like
to discuss the security concerns about using multiple keys, and signing
the user's real user-id. I give kudos to Thawte for supporting PGP, but it
seems they need to understand a little bit more about the signing process.

--Len.

On Sun, 23 Jan 2000, Werner Koch wrote:

> On Sun, 23 Jan 2000, J Horacio MG wrote:
> > " The "Thawte Freemail Member" identity does not alter or change your key
> > " in any way. It is just another identity certificate associated with the
> > " key. People who do not trust Thawte will not see that as a valid
> > " identity.
> GnuPG simply does not accept this new user ID because it is not signed
> by the primary key and simply kicks it out due to a missing
> self-signature. It doesn't matter that Thawte signs this user ID
> because it is not considered a valid signature.
> IMHO Verisign (Thawte) simply does this as an advertisement; as long as
> they do sign the real user ID too there should be no problem. But I
> do not think that this is a serious way to operate a CA.
> > key through "signing and sending back to Thawte a small hexadecimal
> > string generated during the certification process".
> No, his secret key has not been compromised.
> --
> Werner Koch at guug.de www.gnupg.org keyid 621CC013
> Boycott Amazon! - http://www.gnu.org/philosophy/amazon.html
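The point both Len and Werner make (a third-party certification on a user ID means nothing to GnuPG unless the key's own primary key has also signed that user ID) can be checked mechanically. The script below is an added example, not code from this thread, from GnuPG or from Thawte/FreeCert. It walks the packet stream of an OpenPGP public key (RFC 4880 framing, old- and new-format headers), derives the primary key ID from the key packet, and reports for every user ID which key IDs certified it and whether the primary key is among them. It only checks the issuer binding, it does not verify any signature cryptographically. The sample key at the bottom is constructed with bogus MPIs and a placeholder CA key ID, so the helper names and the values are assumptions, not real key material.

```python
import hashlib
import struct

PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}   # the four user-ID certification signature types
ISSUER = 16                             # issuer-key-ID signature subpacket


def _length(buf, pos, two_octet_below):
    """Decode a new-format packet or subpacket length at buf[pos]; return (length, next pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < two_octet_below:                          # 224 for packets, 255 for subpackets
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if first == 255:
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    raise ValueError("partial-body length not supported")


def parse_packets(data):
    """Yield (tag, body) for each packet; old- and new-format headers (RFC 4880 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            length, pos = _length(data, pos + 1, 224)
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = 1 << ltype                            # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length


def v4_key_id(key_body):
    """Key ID = low 64 bits of SHA-1(0x99 || 2-octet length || key packet body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).digest()[-8:]


def signature_issuer(sig):
    """(sig_type, issuer key ID) of a v4 signature; the issuer subpacket may sit in either area."""
    if sig[0] != 4:
        return None, None
    pos, issuer = 4, None                                # skip version, type, pk alg, hash alg
    for _ in range(2):                                   # hashed area, then unhashed area
        area_len = struct.unpack(">H", sig[pos:pos + 2])[0]
        area, pos = sig[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        p = 0
        while p < len(area):
            sub_len, p = _length(area, p, 255)
            if area[p] & 0x7F == ISSUER and sub_len == 9:
                issuer = area[p + 1:p + 9]
            p += sub_len
    return sig[1], issuer


def user_id_report(data):
    """Per user ID: which key IDs certified it, and whether the primary key itself did."""
    primary, current, report = None, None, {}
    for tag, body in parse_packets(data):
        if tag == PUBLIC_KEY and primary is None:
            primary = v4_key_id(body)
        elif tag == USER_ID:
            current = body.decode("utf-8", "replace")
            report[current] = {"self_signed": False, "issuers": []}
        elif tag == SIGNATURE and current is not None:
            sig_type, issuer = signature_issuer(body)
            if sig_type in CERT_TYPES and issuer:
                report[current]["issuers"].append(issuer.hex().upper())
                report[current]["self_signed"] |= issuer == primary
    return report


def accepted_user_ids(data):
    """What GnuPG keeps: user IDs bound by a self-signature, whoever else certified them."""
    return [uid for uid, info in user_id_report(data).items() if info["self_signed"]]


# --- constructed sample key: bogus MPIs and a placeholder CA key ID, not real key material ---
def _packet(tag, body):                                  # old-format header, one-octet length
    return bytes([0x80 | (tag << 2), len(body)]) + body

def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _cert(issuer_id):                                    # v4 positive certification (0x13), RSA/SHA-1
    issuer_sub = b"\x09\x10" + issuer_id                 # subpacket: length 9, type 16, 8-byte key ID
    return _packet(SIGNATURE, b"\x04\x13\x01\x02" + struct.pack(">H", len(issuer_sub)) + issuer_sub
                   + b"\x00\x00" + b"\xAB\xCD" + _mpi(0x1234))   # empty unhashed area, fake hash/MPI

KEY_BODY = b"\x04" + struct.pack(">I", 948758400) + b"\x01" + _mpi(0xC0FFEE1234567) + _mpi(65537)
PRIMARY_KEY_ID = v4_key_id(KEY_BODY)
CA_KEY_ID = bytes.fromhex("0102030405060708")            # placeholder, not the CA's real key ID

SAMPLE_KEY = (_packet(PUBLIC_KEY, KEY_BODY)
              + _packet(USER_ID, b"Len Sassaman <rabbi@quickie.net>")
              + _cert(PRIMARY_KEY_ID) + _cert(CA_KEY_ID)   # self-signature plus a CA certification
              + _packet(USER_ID, b"Thawte Freemail Member")
              + _cert(CA_KEY_ID))                          # CA certification only, no self-signature
```

Running `accepted_user_ids(SAMPLE_KEY)` returns only the real user ID; the "Thawte Freemail Member" ID shows one issuer (the CA) and `self_signed: False`, which is exactly the case GnuPG drops on import. Self-signing that ID afterwards would add a certification whose issuer equals `PRIMARY_KEY_ID`, and the report would then accept it.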
