Educause Security Discussion mailing list archives
Re: Discontinuance of Thawte personal email certificates and Web of Trust
From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Wed, 30 Sep 2009 14:28:21 -0400
I was never a big fan of the Thawte email certs for a couple of reasons, the main one being that the WOT model wasn't applicable to a managed deployment to staff - if that was ever chosen to be done here, which it hasn't. I went with the commercial offerings: delegated enrolment/renewal and automated smartcard install for under $10/cert (e.g. Comodo, not including smartcard).

In thinking about the WOT model, I think a central organizational provisioning system with good policy/procedure is easier to set up and maybe more secure than an internal WOT. IMO, a functional and secure deployment of user certificates is best done using an accredited, reputable, commercial CA with provisioning delegated to a central, institutional group, with proper policies and procedures in place. Finally, they should be issued on cryptographic smartcards for portability and security.

BTW, nothing wrong with an internal self-signed CA for internal use only. As others mentioned though, chaining a commercial root cert with an internal intermediate is expensive - I don't see the benefits for the extra cost.

Mike

Mike Wiseman
Department of Information Security
University of Toronto

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of jeff murphy
Sent: September-30-09 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Discontinuance of Thawte personal email certificates and Web of Trust

Ignoring personal accounts, it would be interesting to see EDUCAUSE (identity & access mgmt) investigate whether this can be provided to EDUs. Similar to the way .edu is managed by EDUCAUSE, perhaps it's possible to obtain an EDUCAUSE chained root cert by one of the existing roots (IPS?) and then allow EDUs to issue email/TLS certs for themselves using an EDUCAUSE hosted interface. The ability to do this for TLS (SSL) certs alone would be a significant win, from a financial and security perspective, for the EDU community.

jeff

Gary Flynn wrote:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO12658