In my email today was a sad announcement - Thawte, a well-renowned company providing security solutions to the Internet (mostly SSL certificates for web sites), is canning the free "Web of Trust" service on Nov 16th. Web of Trust was a way to give people some electronic privacy in the form of e-mail cryptography via a freely issued certificate.
That's the kind of stuff you'd configure in the Tools-Options-Security menu (Outlook Express or Outlook).
I say "some" because the company might still keep your private key in some storage, and whoever has the proper laws on their side may get to that part of your e-privacy.
Anyway, it's better to trust ONE government than to trust EVERY intermediary provider, hacker, sniffer, rogue admin or the like.
That's called "reduction of attack surface".
"Why would we need Thawte, there are free tools for generating certificates" you'd ask.
Because a certificate has to be trusted. By default, each OS comes with an ample set of "root" certificates, those to which every computer on the net has absolute (but not everlasting) trust.
Personal WoT certificates are signed by Thawte's CA (which is trusted via the pre-installed root certs coming with most OSes), so your WoT-secured e-mail would not cause a verification problem.
Anything signed by an untrusted root CA (certificate authority) is NOT trusted by most computers out there and will cause a problem that I briefly explained here.
What is Web of Trust, and how did it help keep the constitutional right to personal privacy?
WoT is based on Notaries. A WoT Notary is a volunteer (unpaid) with a certain level of trust (not less than 100 points) who can certify that he has met enrolling persons in person, verified their national ID (passport, driver's license etc.) and found that they provided enough proof of their name. The only pieces of info that go into a WoT certificate are the person's name and e-mail address, so that addressees (and e-mail client software) can positively verify the authenticity of e-mail correspondence.
"WoT trust spreads through the grapevine," one could say.
Basically, you can get a free "no-name" certificate right now, but you can have your name on it only once you get enough points from WoT notaries (by visiting them in person and showing your IDs).
As soon as you get your cert, you can SIGN your e-mail. Any change to your e-mail in transit (except for the headers) would be detected by the addressee. In fact, that is like having your written signature on it.
As soon as your addressee has her own digital ID, and because she has your public key from your signature on the first e-mail, she can ENCRYPT her replies back to you, so that the content of the e-mail cannot be seen by anyone but you.
That's how privacy works: both parties must have IDs, and there must be a transfer of public keys (for example via the first signed e-mail, or offline).
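Here is the whole story in code, as an added example that is not part of the original post and not Thawte's or any mail client's code. It covers both points above: first, that a personal certificate is only accepted when its chain ends in a root the client already trusts (a certificate with the same name from a CA you generated yourself with free tools is rejected), and second, the sign-then-encrypt exchange where the public key from the first signed mail is what the addressee uses to encrypt the reply. Everything is constructed locally with Go's standard library: the "Demo WoT CA" merely stands in for Thawte's root, the names, addresses and messages are made up, and raw RSA signatures and RSA-OAEP are used in place of the S/MIME wrapping a real mail client produces.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what a WoT member holds: a private key plus the certificate binding its public key to a name and e-mail.
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// must keeps the demo short: any setup error aborts the program.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the issuer's key and parses the resulting certificate.
func issue(tmpl, issuer *x509.Certificate, key, signer *rsa.PrivateKey) *Identity {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer))
	return &Identity{Key: key, Cert: must(x509.ParseCertificate(der))}
}

// newCA creates a self-signed CA (constructed for the demo; it stands in for Thawte's root).
func newCA(name string) *Identity {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, key, key)
}

// issuePersonal has the CA sign a member's e-mail certificate, as the WoT CA did once notaries vouched for
// the name. The private key is generated on the member's side and never leaves this Identity.
func issuePersonal(ca *Identity, name, email string) *Identity {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: name},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	return issue(tmpl, ca.Cert, key, ca.Key)
}

// verifyChain is the check a mail client runs on a received certificate: it passes only if the chain ends in one of roots.
func verifyChain(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err
}

// sign produces the signature a signed e-mail carries; verifySig checks it against the sender's certificate.
func sign(id *Identity, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(rsa.SignPKCS1v15(rand.Reader, id.Key, crypto.SHA256, h[:]))
}

func verifySig(cert *x509.Certificate, msg, sig []byte) error {
	return cert.CheckSignature(x509.SHA256WithRSA, msg, sig)
}

// encryptReply uses the public key from the sender's certificate (received with the first signed mail); only the
// matching private key can decrypt. Real S/MIME encrypts the body with a symmetric key and wraps just that key with RSA.
func encryptReply(cert *x509.Certificate, plaintext []byte) []byte {
	return must(rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), plaintext, nil))
}

func decryptReply(id *Identity, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.Key, ct, nil)
}

func main() {
	thawte := newCA("Demo WoT CA")
	alice := issuePersonal(thawte, "Alice Example", "alice@example.invalid")
	roots := x509.NewCertPool() // the client's pre-installed root store
	roots.AddCert(thawte.Cert)
	fmt.Println("trusted issuer:", verifyChain(alice.Cert, roots))
	mallory := issuePersonal(newCA("Self-made CA"), "Alice Example", "alice@example.invalid")
	fmt.Println("same name, untrusted issuer:", verifyChain(mallory.Cert, roots))
	msg := []byte("Hi Bob, this is my first signed mail")
	sig := sign(alice, msg)
	fmt.Println("signature intact:", verifySig(alice.Cert, msg, sig))
	fmt.Println("signature after tampering:", verifySig(alice.Cert, []byte("Hi Bob, this was altered"), sig))
	reply, err := decryptReply(alice, encryptReply(alice.Cert, []byte("Bob's confidential reply")))
	fmt.Printf("reply decrypted by Alice: %q (err=%v)\n", reply, err)
}
```

The second verifyChain call is the situation the post warns about: the certificate carries Alice's name and address, but because its issuer is not in the root store the client reports an unknown authority and the mail shows up as untrusted. Note also that the private key is created inside issuePersonal and only the public half is ever handed to the CA, which is the arrangement that keeps the "company might still keep your private key" worry out of the picture; whether a given enrollment flow actually works that way is worth checking before relying on it.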
There are alternatives, of course, and I welcome you to discuss them in comments.
I am Sergey Zak and I'm a Thawte Web of Trust notary.