Educause Security Discussion mailing list archives

Re: Discontinuance of Thawte personal email certificates and Web of Trust


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 30 Sep 2009 14:28:21 -0400

I was never a big fan of the Thawte email certs for a couple of reasons, the main one
being that the WOT model wasn't applicable to a managed deployment to staff - if that were
ever chosen to be done here, which it hasn't been. I went with the commercial offerings:
delegated enrolment/renewal and automated smartcard install for under $10/cert (e.g.
Comodo, not including smartcard). In thinking about the WOT model, I think a central
organizational provisioning system with good policy/procedure is easier to set up and
maybe more secure than an internal WOT.

IMO, a functional and secure deployment of user certificates is best done using an
accredited, reputable, commercial CA with provisioning delegated to a central,
institutional group, with proper policies and procedures in place. Finally, they should be
issued on cryptographic smartcards for portability and security. 

BTW, nothing wrong with an internal self-signed CA for internal use only. As others
mentioned though, chaining a commercial root cert with an internal intermediate is
expensive - I don't see the benefits for the extra cost.

Mike



Mike Wiseman
Department of Information Security
University of Toronto
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
Sent: September-30-09 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Discontinuance of Thawte personal email certificates and Web of Trust

Ignoring personal accounts, it would be interesting to see EDUCAUSE (identity & access
mgmt) investigate whether this can be provided to EDUs. Similar to the way .edu is managed
by EDUCAUSE, perhaps it's possible to obtain an EDUCAUSE chained root cert by one of the
existing roots (IPS?) and then allow EDUs to issue email/TLS certs for themselves using an
EDUCAUSE hosted interface. The ability to do this for TLS (SSL) certs alone would be a
significant win, from a financial and security perspective, for the EDU community.

jeff

Gary Flynn wrote:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658
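An added example, not part of this thread, to show in practice what the arrangement Mike and Jeff discuss amounts to: a root (internal, or an external one as in Jeff's proposal) signs an institutional intermediate, and that intermediate issues user S/MIME certificates. The organisation, names and addresses are made up, and it assumes a reasonably current openssl on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: a two-tier internal CA built with
# openssl to show what "chaining an intermediate under a root" looks like.
# All names and files are constructed in a scratch directory.
set -e
WORK=$(mktemp -d); cd "$WORK"

# 1. Self-signed root (an internal root, or in the proposal above the
#    externally chained one). In production its key stays offline.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout root.key -out root.csr \
  -subj "/O=Example University/CN=Example Internal Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# 2. Issuing intermediate signed by the root. pathlen:0 lets it issue
#    end-entity certs only, so a compromised issuer cannot mint further CAs.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout inter.key -out inter.csr \
  -subj "/O=Example University/CN=Example Issuing CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# 3. User S/MIME certificate from the intermediate: CA:FALSE and
#    emailProtection only, so it can sign and receive mail but nothing else.
openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout user.key -out user.csr \
  -subj "/O=Example University/CN=Jane Doe/emailAddress=jane@example.edu" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\nsubjectAltName=email:jane@example.edu\n' > user.ext
openssl x509 -req -in user.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile user.ext -out user.crt 2>/dev/null

# verify_chain: succeeds only if user.crt chains to the trusted root via the
# intermediate and is valid for S/MIME signing.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt -purpose smimesign user.crt >/dev/null 2>&1
}
# leaf_is_ca: succeeds if the user cert is marked as a CA (it must not be).
leaf_is_ca() {
  openssl x509 -in user.crt -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

verify_chain && echo "user.crt chains to root.crt through inter.crt"
leaf_is_ca || echo "user.crt is an end-entity cert, not a CA"
```

Relying parties only need root.crt in their trust store; the intermediate travels with the signed mail, which is why the leaf cannot be verified against the root alone.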

