Velocity Reviews - Computer Hardware Reviews

Thawte "Web of Trust" a source of Identity Theft?

John Fuses
02-02-2004
I'm interested in some feedback on the privacy implications of
participating in Thawte's Web of Trust program via its notaries.

If I must present sensitive credentials to between two and five
parties to have my identity certified (or up to ten to become a
notary), am I not running a substantial risk of identity theft? These
credentials are among the most sensitive: passport, driver's license,
social security/national ID card. If I were an unscrupulous notary, I
could collect this information and pass it on to others at some profit
or political gain.

Even if I were a reputable notary, a thief could target a popular
notary, who must keep records of this information for years. Why
would I want to become a notary, and have the liability of dozens or
hundreds of people's identification information?

While PGP's web of trust is less strict (and relies more on knowing
the character and capabilities of your trusted introducer), there
appears to be a MUCH lower risk to all parties involved.

Am I missing a perspective under which this information remains
secure?

John
 
kulm_nd
02-02-2004
Most notaries keep nothing worth stealing. They look at the ID and certify
the papers but keep no information or copies of the document. If a notary
takes notes I would demand them and go somewhere else to sign the papers.

--

************************************************

g-w
 
Joe Harrison
02-03-2004
"John Fuses" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) om...
> I'm interested in some feedback on the privacy implications of
> participating in Thawte's Web of Trust program via its notaries.


> If I were an unscrupulous notary, I
> could collect this information and pass it on to others at some profit


> Even if I were a reputable notary, a thief could target a popular
> notary, who must keep records of this information for years.


Theoretically I guess you are correct; it's always good to have people
around who consider possible downsides and ask "what if."

But in practice I don't think this would be a good source of material.
Thawte notaries keep literally identity-related documents; in practice this
usually means photocopies of passports or other government-issued national
identity documents. Notaries don't usually keep things more useful to a
scammer, for example proof-of-address documentation.

Look at it from the other side: imagine you are trying to impersonate
someone for gain. What use exactly is a partial photocopy of their passport?
Wouldn't you rather get your hands on a discarded utility bill?

Joe

John Fuses
02-03-2004
g-w,

When I used the term "notary," I meant a trust-assigning member of the
Thawte "Web of Trust" as defined here:
http://www.thawte.com/html/COMMUNITY...rocedures.html

Thawte notaries must keep copies of the identifying documents.

A standard notary is a different beast entirely, and I'd agree with
your assessment there.

John

John Fuses
02-03-2004
Joe,

A more careful rereading of the procedure does show a way to mitigate
the information leakage.

If you used two forms of ID that did not bind to the sensitive
information (i.e. no driver's license, social/health card, tax ID, etc.),
the information is less usable.

At this point I'm thinking the best options are passport (or two) and
birth certificate. Do any other options come to mind?

John

Ralph A. Jones
02-03-2004
PMFJI, but I tended to agree with your OP. A WOT "Notary" has none of
the built-in "trustworthiness" of a legal Notary Public -- registration
with a governmental overseer and a monetary bond to back up claims for
indiscretions/errors/omissions. A WOT "Notary" is just some schmoe who
has played along in the game and racked up the necessary points to
arrive at their exalted position. Your observations and paranoia in
this regard are right on, IMHO (and all of us who use/have digital IDs
are paranoids by definition, so no offense intended by using the term).

And while you have me waxing philosophical, what true benefit (other
than a free digital ID from Thawte) is there to belonging to a WOT or
enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
when I have presented forged identity documents to a "Notary"). But
apparently with Thawte's parent company, VeriSign, I am who I am if I
just have USD 14.95 per year to part with.

John Fuses
02-04-2004
Ralph,

Actually, let's turn up the paranoia to 11...

Presume I want minimum financial identity theft risk, and I present
passport and birth certificate to the notary. Next presume one or
more WOT notaries are affiliated with non-governmental military
organizations bent on violent destabilization of established powers
(I'm trying not to use the T word).

That would, in my opinion, be an EXCELLENT way of collecting travel
documents for later forging. How would >I< know that I've entered and
exited the country fifteen times? It certainly wouldn't show up on my
credit report.

I'm thinking that WOT notaries should be more like U.S. state
notaries, who have liability for wrongdoing, and do not (as another
poster pointed out) retain copies of certified documents, but simply a
record of the certification event itself.

John

Joe Harrison
02-05-2004

"Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message
news:aBTTb.93$(E-Mail Removed)...
> A WOT "Notary" is just some schmoe who
> has played along in the game and racked up the necessary points to
> arrive at their exalted position.


I am myself one of these schmoes. Even schmoes are not stupid however and I
can tell you that if I decided to embark on a career of crime I would choose
one that did not leave a cryptographically verified audit trail right back
to my passport.

> And while you have me waxing philosophical, what true benefit (other
> than a free digital ID from Thawte) is there to belonging to a WOT or
> enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
> when I have presented forged identity documents to a "Notary"). But
> apparently with Thawte's parent company, VeriSign, I am who I am if I
> just have USD 14.95 per year to part with.


Its value I suppose depends on how you look at it. I would say it is of more
value in terms of asserting identity than the traditional PGP
web of trust. Also more value than the 14.95 VeriSign certificates, which I
believe only certify that your e-mail address belongs to you - the
"notarized" Thawte equivalents have an additional CN= field which also
certifies what your name is. If I were to sign the present Usenet article
then you would be pretty sure it really was written by me, or someone
knowing at least one of my key passphrases.

There are several downsides as you point out - firstly, yes, when I previously
showed Thawte my passport I could have maybe fooled them with a bogus
document showing a false identity. There must be easier ways to perpetrate
forged Usenet posts, however.

The other obvious problem is that if I have a common first and last name
(such as Joe Schmoe) then it does not enable you to know which of the many
millions of Mr. J. Schmoes worldwide I actually am.

But both these cases show inherent fundamental problems with identity
registration and management, rather than problems with Thawte's scheme as
such. Basically Thawte's web of trust is good at what it's good at, mainly
simple identity verification for low-to-medium level purposes.
Ralph A. Jones
02-05-2004
Well said and fair enough.
