Thawte "Web of Trust" a source of Identity Theft?

Discussion in 'Computer Security' started by John Fuses, Feb 2, 2004.

  1. John Fuses

    John Fuses Guest

    I'm interested in some feedback on the privacy implications of
    participating in Thawte's Web of Trust program via its notaries.

    If I must present sensitive credentials to between two and five
    parties to have my identity certified (or up to ten to become a
    notary), am I not running a substantial risk of identity-theft? These
    credentials are among the most sensitive: passport, drivers license,
    social security/national ID card. If I were an unscrupulous notary, I
    could collect this information and pass it on to others at some profit
    or political gain.

    Even if I were a reputable notary, a thief could target a popular
    notary, who must keep records of this information for years. Why
    would I want to become a notary, and have the liability of dozens or
    hundreds of people's identification information?

    While PGP's web of trust is less strict (and relies more on knowing
    the character and capabilities of your trusted introducer), there
    appears to be a MUCH lower risk to all parties involved.

    Am I missing a perspective under which this information remains
    secure?

    John
     
    John Fuses, Feb 2, 2004
    #1

  2. kulm_nd

    kulm_nd Guest

    Most notaries keep nothing worth stealing. They look at the ID and certify
    the papers but keep no information or copies of the document. If a notary
    takes notes I would demand them and go somewhere else to sign the papers.

    --

    ************************************************

    g-w


    "John Fuses" <> wrote in message
    news:...
    > I'm interested in some feedback on the privacy implications of
    > participating in Thawte's Web of Trust program via its notaries.
    >
    > If I must present sensitive credentials to between two and five
    > parties to have my identity certified (or up to ten to become a
    > notary), am I not running a substantial risk of identity-theft? These
    > credentials are among the most sensitive: passport, drivers license,
    > social security/national ID card. If I were an unscrupulous notary, I
    > could collect this information and pass it on to others at some profit
    > or political gain.
    >
    > Even if I were a reputable notary, a thief could target a popular
    > notary, who must keep records of this information for years. Why
    > would I want to become a notary, and have the liability of dozens or
    > hundreds of people's identification information?
    >
    > While PGP's web of trust is less strict (and relies more on knowing
    > the character and capabilities of your trusted introducer), there
    > appears to be a MUCH lower risk to all parties involved.
    >
    > Am I missing a perspective under which this information remains
    > secure?
    >
    > John
     
    kulm_nd, Feb 2, 2004
    #2

  3. Joe Harrison

    Joe Harrison Guest

    "John Fuses" <> wrote in message
    news:...
    > I'm interested in some feedback on the privacy implications of
    > participating in Thawte's Web of Trust program via its notaries.


    > If I were an unscrupulous notary, I
    > could collect this information and pass it on to others at some profit


    > Even if I were a reputable notary, a thief could target a popular
    > notary, who must keep records of this information for years.


    Theoretically I guess you are correct, it's always good to have people
    around who consider possible downsides and ask "what if."

    But in practice I don't think this would be a good source of material.
    Thawte notaries keep literally identity-related documents, in practice this
    usually means photocopies of passports or other government-issue national
    identity documents. Notaries don't usually keep things more useful to a
    scammer, for example proof of address documentation.

    Look at it from the other side, imagine you are trying to impersonate
    someone for gain. What use exactly is a partial photocopy of their passport?
    Wouldn't you rather get your hands on a discarded utility bill?

    Joe
     
    Joe Harrison, Feb 3, 2004
    #3
  4. John Fuses

    John Fuses Guest

    g-w,

    When I used the term "notary," I meant a trust-assigning member of the
    Thawte "Web of Trust" as defined here:
    http://www.thawte.com/html/COMMUNITY/wot/procedures.html

    Thawte notaries must keep copies of the identifying documents.

    A standard notary is a different beast entirely, and I'd agree with
    your assessment there.

    John

    "kulm_nd" <> wrote in message news:<IRzTb.35937$P%>...
    > Most notaries keep nothing worth stealing. They look at the ID and certify
    > the papers but keep no information or copies of the document. If a notary
    > takes notes I would demand them and go somewhere else to sign the papers.
    >
    > --
    >
    > ************************************************
    >
    > g-w
    >
    >
    > "John Fuses" <> wrote in message
    > news:...
    > > I'm interested in some feedback on the privacy implications of
    > > participating in Thawte's Web of Trust program via its notaries.
    > >
    > > If I must present sensitive credentials to between two and five
    > > parties to have my identity certified (or up to ten to become a
    > > notary), am I not running a substantial risk of identity-theft? These
    > > credentials are among the most sensitive: passport, drivers license,
    > > social security/national ID card. If I were an unscrupulous notary, I
    > > could collect this information and pass it on to others at some profit
    > > or political gain.
    > >
    > > Even if I were a reputable notary, a thief could target a popular
    > > notary, who must keep records of this information for years. Why
    > > would I want to become a notary, and have the liability of dozens or
    > > hundreds of people's identification information?
    > >
    > > While PGP's web of trust is less strict (and relies more on knowing
    > > the character and capabilities of your trusted introducer), there
    > > appears to be a MUCH lower risk to all parties involved.
    > >
    > > Am I missing a perspective under which this information remains
    > > secure?
    > >
    > > John
     
    John Fuses, Feb 3, 2004
    #4
  5. John Fuses

    John Fuses Guest

    Joe,

    A more careful rereading of the procedure does show a way to mitigate
    the information leakage.

    If you used two forms of ID that did not bind to the sensitive
    information (ie: no drivers license, social/health card, tax ID, etc.)
    the information is less usable.

    At this point I'm thinking the best options are passport (or two) and
    birth certificate. Do any other options come to mind?

    John

    "Joe Harrison" <4m.co.uk> wrote in message news:<401f8c79$0$13349$>...
    > "John Fuses" <> wrote in message
    > news:...
    > > I'm interested in some feedback on the privacy implications of
    > > participating in Thawte's Web of Trust program via its notaries.

    >
    > > If I were an unscrupulous notary, I
    > > could collect this information and pass it on to others at some profit

    >
    > > Even if I were a reputable notary, a thief could target a popular
    > > notary, who must keep records of this information for years.

    >
    > Theoretically I guess you are correct, it's always good to have people
    > around who consider possible downsides and ask "what if."
    >
    > But in practice I don't think this would be a good source of material.
    > Thawte notaries keep literally identity-related documents, in practice this
    > usually means photocopies of passports or other government-issue national
    > identity documents. Notaries don't usually keep things more useful to a
    > scammer, for example proof of address documentation.
    >
    > Look at it from the other side, imagine you are trying to impersonate
    > someone for gain. What use exactly is a partial photocopy of their passport?
    > Wouldn't you rather get your hands on a discarded utility bill?
    >
    > Joe
     
    John Fuses, Feb 3, 2004
    #5
  6. PMFJI, but I tended to agree with your OP. A WOT "Notary" has none of
    the built-in "trustworthiness" of a legal Notary Public -- registration
    with a governmental overseer and a monetary bond to back up claims for
    indiscretions/errors/omissions. A WOT "Notary" is just some schmoe who
    has played along in the game and racked up the necessary points to
    arrive at their exalted position. Your observations and paranoia in
    this regard are right on, IMHO (and all of us who use/have digital ID's
    are paranoids by definition, so no offense intended by using the term).

    And while you have me waxing philosophical, what true benefit (other
    than a free digital ID from Thawte) is there to belonging to a WOT or
    enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
    when I have presented forged identity documents to a "Notary"). But
    apparently with Thawte's parent company, VeriSign, I am who I am if I
    just have USD 14.95 per year to part with.

    John Fuses wrote:

    > Joe,
    >
    > A more careful rereading of the procedure does show a way to mitigate
    > the information leakage.
    >
    > If you used two forms of ID that did not bind to the sensitive
    > information (ie: no drivers license, social/health card, tax ID, etc.)
    > the information is less usable.
    >
    > At this point I'm thinking the best options are passport (or two) and
    > birth certificate. Do any other options come to mind?
    >
    > John
    >
    > "Joe Harrison" <4m.co.uk> wrote in message news:<401f8c79$0$13349$>...
    >
    >>"John Fuses" <> wrote in message
    >>news:...
    >>
    >>>I'm interested in some feedback on the privacy implications of
    >>>participating in Thawte's Web of Trust program via its notaries.

    >>
    >>
    >>
    >>>If I were an unscrupulous notary, I
    >>>could collect this information and pass it on to others at some profit

    >>
    >>
    >>
    >>>Even if I were a reputable notary, a thief could target a popular
    >>>notary, who must keep records of this information for years.

    >>
    >>Theoretically I guess you are correct, it's always good to have people
    >>around who consider possible downsides and ask "what if."
    >>
    >>But in practice I don't think this would be a good source of material.
    >>Thawte notaries keep literally identity-related documents, in practice this
    >>usually means photocopies of passports or other government-issue national
    >>identity documents. Notaries don't usually keep things more useful to a
    >>scammer, for example proof of address documentation.
    >>
    >>Look at it from the other side, imagine you are trying to impersonate
    >>someone for gain. What use exactly is a partial photocopy of their passport?
    >>Wouldn't you rather get your hands on a discarded utility bill?
    >>
    >>Joe
     
    Ralph A. Jones, Feb 3, 2004
    #6
  7. John Fuses

    John Fuses Guest

    Ralph,

    Actually, let's turn up the paranoia to 11...

    Presume I want minimum financial identity theft risk, and I present
    passport and birth certificate to the notary. Next presume one or
    more WOT notaries are affiliated with non-governmental military
    organizations bent on violent destabilization of established powers
    (I'm trying not to use the T word).

    That would, in my opinion, be an EXCELLENT way of collecting travel
    documents for later forging. How would >I< know that I've entered and
    exited the country fifteen times? It certainly wouldn't show up on my
    credit report.

    I'm thinking that WOT notaries should be more like U.S. state
    notaries, who have liability for wrongdoing, and do not (as another
    poster pointed out) retain copies of certified documents, but simply a
    record of the certification event itself.

    John

    "Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message news:<aBTTb.93$>...
    > PMFJI, but I tended to agree with your OP. A WOT "Notary" has none of
    > the built-in "trustworthiness" of a legal Notary Public -- registration
    > with a governmental overseer and a monetary bond to back up claims for
    > indiscretions/errors/omissions. A WOT "Notary" is just some schmoe who
    > has played along in the game and racked up the necessary points to
    > arrive at their exalted position. Your observations and paranoia in
    > this regard are right on, IMHO (and all of us who use/have digital ID's
    > are paranoids by definition, so no offense intended by using the term).
    >
    > And while you have me waxing philosophical, what true benefit (other
    > than a free digital ID from Thawte) is there to belonging to a WOT or
    > enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
    > when I have presented forged identity documents to a "Notary"). But
    > apparently with Thawte's parent company, VeriSign, I am who I am if I
    > just have USD 14.95 per year to part with.
    >
    > John Fuses wrote:
    >
    > > Joe,
    > >
    > > A more careful rereading of the procedure does show a way to mitigate
    > > the information leakage.
    > >
    > > If you used two forms of ID that did not bind to the sensitive
    > > information (ie: no drivers license, social/health card, tax ID, etc.)
    > > the information is less usable.
    > >
    > > At this point I'm thinking the best options are passport (or two) and
    > > birth certificate. Do any other options come to mind?
    > >
    > > John
    > >
    > > "Joe Harrison" <4m.co.uk> wrote in message news:<401f8c79$0$13349$>...
    > >
    > >>"John Fuses" <> wrote in message
    > >>news:...
    > >>
    > >>>I'm interested in some feedback on the privacy implications of
    > >>>participating in Thawte's Web of Trust program via its notaries.
    > >>
    > >>
    > >>
    > >>>If I were an unscrupulous notary, I
    > >>>could collect this information and pass it on to others at some profit
    > >>
    > >>
    > >>
    > >>>Even if I were a reputable notary, a thief could target a popular
    > >>>notary, who must keep records of this information for years.
    > >>
    > >>Theoretically I guess you are correct, it's always good to have people
    > >>around who consider possible downsides and ask "what if."
    > >>
    > >>But in practice I don't think this would be a good source of material.
    > >>Thawte notaries keep literally identity-related documents, in practice this
    > >>usually means photocopies of passports or other government-issue national
    > >>identity documents. Notaries don't usually keep things more useful to a
    > >>scammer, for example proof of address documentation.
    > >>
    > >>Look at it from the other side, imagine you are trying to impersonate
    > >>someone for gain. What use exactly is a partial photocopy of their passport?
    > >>Wouldn't you rather get your hands on a discarded utility bill?
    > >>
    > >>Joe
     
    John Fuses, Feb 4, 2004
    #7
  8. Joe Harrison

    Joe Harrison Guest

    "Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message
    news:aBTTb.93$...
    > A WOT "Notary" is just some schmoe who
    > has played along in the game and racked up the necessary points to
    > arrive at their exalted position.


    I am myself one of these schmoes. Even schmoes are not stupid, however, and I
    can tell you that if I decided to embark on a career of crime I would choose
    one that did not leave a cryptographically verified audit trail right back
    to my passport.

    > And while you have me waxing philosophical, what true benefit (other
    > than a free digital ID from Thawte) is there to belonging to a WOT or
    > enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
    > when I have presented forged identity documents to a "Notary"). But
    > apparently with Thawte's parent company, VeriSign, I am who I am if I
    > just have USD 14.95 per year to part with.


    Its value I suppose depends on how you look at it. I would say it has more
    value in terms of asserting identity than the traditional PGP
    web-of-trust. Also more value than the 14.95 Verisign certificates which I
    believe only certify that your e-mail address belongs to you - the
    "notarized" Thawte equivalents have an additional CN= field which also
    certifies what your name is. If I were to sign the present usenet article
    then you would be pretty sure it really was written by me, or someone
    knowing at least one of my key passphrases.

    There are several downsides as you point out - firstly yes when I previously
    showed Thawte my passport I could have maybe fooled them with a bogus
    document showing a false identity. There must be easier ways to perpetrate
    forged usenet posts however.

    The other obvious problem is that if I have a common first and last name
    (such as Joe Schmoe) then it does not enable you to know which of the many
    millions of Mr. J. Schmoes worldwide I actually am.

    But both these cases show inherent fundamental problems with identity
    registration and management, rather than problems with Thawte's scheme as
    such. Basically Thawte's web of trust is good at what it's good at, mainly
    simple identity verification for low-to-medium level purposes.
     
    Joe Harrison, Feb 5, 2004
    #8
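The distinction Joe draws above, between a certificate that only vouches for an e-mail address and one whose subject also carries a CN= with the holder's name, comes down to which attributes are present in the X.509 Subject. The following is an added example (not code from the thread, Thawte or VeriSign) that encodes two constructed subjects in DER and reads the attributes back, so you can see exactly what each kind of certificate asserts. The names and addresses in it are made up; the OIDs are the standard X.520 and PKCS #9 ones.

```python
"""
Encode and decode an X.509 Subject (DER Name) and report which attributes it
binds. Added example for the thread; the sample subjects are constructed here
and are not taken from any real Thawte or VeriSign certificate.
"""
from typing import Dict, List, Tuple

# Attribute type OIDs (X.520 / PKCS #9) mapped to their usual short names.
OID_NAMES = {
    "2.5.4.3": "CN",                         # commonName: the person's name
    "2.5.4.10": "O",                         # organizationName
    "1.2.840.113549.1.9.1": "emailAddress",  # PKCS #9 e-mail address
}
TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_UTF8, TAG_IA5 = 0x30, 0x31, 0x06, 0x0C, 0x16


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _encode_oid(dotted: str) -> bytes:
    """Dotted OID -> OBJECT IDENTIFIER TLV (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(attrs: List[Tuple[str, str]]) -> bytes:
    """Encode [(oid, value), ...] as Name ::= SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b""
    for oid, value in attrs:
        # emailAddress is an IA5String in PKCS #9; other attributes use UTF8String.
        str_tag = TAG_IA5 if OID_NAMES.get(oid) == "emailAddress" else TAG_UTF8
        atv = _tlv(TAG_SEQUENCE, _encode_oid(oid) + _tlv(str_tag, value.encode()))
        rdns += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, rdns)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, offset after the element); rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def subject_attributes(name_der: bytes) -> Dict[str, str]:
    """Walk the Name and return {short name or OID: value} for every attribute."""
    tag, rdn_seq, _ = _read_tlv(name_der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    attrs: Dict[str, str] = {}
    pos = 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_bytes, off = _read_tlv(atv, 0)
            _, val_bytes, _ = _read_tlv(atv, off)
            oid = _decode_oid(oid_bytes)
            attrs[OID_NAMES.get(oid, oid)] = val_bytes.decode()
    return attrs


def certifies_name(name_der: bytes) -> bool:
    """True only when the subject binds a person's name (CN), not just an address."""
    return "CN" in subject_attributes(name_der)


# Constructed sample subjects (assumed values, not from real certificates).
EMAIL_ONLY_SUBJECT = encode_name([("1.2.840.113549.1.9.1", "joe@example.invalid")])
NOTARIZED_SUBJECT = encode_name([
    ("2.5.4.3", "Joe Harrison"),
    ("1.2.840.113549.1.9.1", "joe@example.invalid"),
])

if __name__ == "__main__":
    for label, subj in (("email-only", EMAIL_ONLY_SUBJECT), ("notarized", NOTARIZED_SUBJECT)):
        print(label, subject_attributes(subj), "binds a name:", certifies_name(subj))
```

The point for a relying party is the last function: a signature verifies against whatever the subject contains, so before treating a signed article as "written by Joe Harrison" rather than "written by whoever controls joe@example.invalid", check that the CN is actually there. Joe's caveat about common names still applies; a CN is a name, not a unique identifier.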
  9. Joe Harrison wrote:
    > "Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message
    > news:aBTTb.93$...
    >
    >> A WOT "Notary" is just some schmoe who
    >>has played along in the game and racked up the necessary points to
    >>arrive at their exalted position.

    >
    >
    > I am myself one of these schmoes. Even schmoes are not stupid however and I
    > can tell you that if I decided to embark on a career of crime I would choose
    > one that did not leave a cryptographically verified audit trail right back
    > to my passport.
    >
    >
    >>And while you have me waxing philosophical, what true benefit (other
    >>than a free digital ID from Thawte) is there to belonging to a WOT or
    >>enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
    >>when I have presented forged identity documents to a "Notary"). But
    >>apparently with Thawte's parent company, VeriSign, I am who I am if I
    >>just have USD 14.95 per year to part with.

    >
    >
    > Its value I suppose depends on how you look at it. I would say it has more
    > value in terms of asserting identity than the traditional PGP
    > web-of-trust. Also more value than the 14.95 Verisign certificates which I
    > believe only certify that your e-mail address belongs to you - the
    > "notarized" Thawte equivalents have an additional CN= field which also
    > certifies what your name is. If I were to sign the present usenet article
    > then you would be pretty sure it really was written by me, or someone
    > knowing at least one of my key passphrases.
    >
    > There are several downsides as you point out - firstly yes when I previously
    > showed Thawte my passport I could have maybe fooled them with a bogus
    > document showing a false identity. There must be easier ways to perpetrate
    > forged usenet posts however.
    >
    > The other obvious problem is that if I have a common first and last name
    > (such as Joe Schmoe) then it does not enable you to know which of the many
    > millions of Mr. J. Schmoes worldwide I actually am.
    >
    > But both these cases show inherent fundamental problems with identity
    > registration and management, rather than problems with Thawte's scheme as
    > such. Basically Thawte's web of trust is good at what it's good at, mainly
    > simple identity verification for low-to-medium level purposes.
    >
    >


    Well said and fair enough.
     
    Ralph A. Jones, Feb 5, 2004
    #9
