| System | Maximum points |
|---|---|
| CAcert | 10 |
Visit the notary page for information on assurances.
Information Security
Data security is both part of my work and a personal fascination, and I am a strong supporter of the widespread adoption and everyday use of secure information and communications technology.
Currently, encrypted e-mail isn't the simplest thing in the world, and even in its simplest form it requires a decent understanding that encryption isn't exactly synonymous with security, and that a foundation on concepts of trust and authenticity is required.
Still, it's my hope that the world becomes a safer place for internet communications—for all users, and not just technical initiates.
- PGP: My preferred method of secured e-mail is GNU Privacy Guard, an implementation of the OpenPGP standard. My public key is available on this site or on keyservers such as pgp.mit.edu. I take the web of trust seriously, and my key signing policy is available. I'm eager to participate in keysigning events, and to date I have once even been an organizer.
- X.509: Unfortunately, a less flexible model of trust is the preferred one in practice; the built-in encryption support in most e-mail clients (S/MIME) and web browsers (SSL/TLS) is based on X.509 certificates. However, it would be foolish to deny their ubiquity and, to a point, their utility. Rather than use self-signed certificates, I have opted to participate in the CA/web-of-trust hybrid programs of two certificate authorities. When I make X.509 certificates available, I will cross sign my X.509 and PGP keys as specified in my key signing policy so that you are not limited to simply taking the word of a CA.
- CAcert.org: Any SSL/TLS-secured website I may run is likely to have a certificate from CAcert. CAcert is a global organization dedicated to the ideal of providing free all-purpose X.509 certificates signed by a distinct CA. CAcert's root certificate is already included by default in some OSes and browsers, and will hopefully one day be included by default in all mainstream mail clients and browsers. In the meantime, CAcert's root certificate may be installed manually. CAcert's verification program is based on the participation of volunteer assurers, themselves users of the system, who may assign a number of assurance points upon in-person verification of identity (against IDs such as driver's licenses or passports). After collecting sufficient assurance points, the user is granted more flexibility and eventually assurer status—the ability to grant points to others. In other words, it's somewhat similar to the PGP web of trust except that the CA is responsible for the vote counting, and you as the installer of the root certificate must grant ultimate trust in the CA as an introducer. While less flexible than a real web of trust, this policy is on par with (or better than) some CAs installed by default in your web browser. (I am now an assurer.)
- Thawte Freemail: Thawte is one of the world's most popular X.509 CAs, whose root certificate is installed by default almost universally in web browsers and S/MIME-capable mail clients. Thawte's Freemail program allows your identity to be assured by volunteer notaries in a way almost identical to CAcert's process. After collecting sufficient Trust Points, your X.509 certificate contains your real name instead of only your e-mail address. These certificates are only valid for e-mail use, but the program bears participation by virtue of the fact that Thawte already has a ubiquitous root certificate, and it's interesting to see that such a popular CA has begun supporting free client certificates by volunteer vetting. (I am now an assurer.)
Copyright © 2006-2009 Peter S. May. Powered by halbert.
