Thawte

Thawte
Product type Public key certificates
Owner DigiCert Inc.
Country South Africa
Introduced 1995
Markets World
Website www.thawte.com

Thawte Consulting (pronounced "thought") is a certificate authority (CA) for X.509 certificates. Thawte was founded in 1995 by Mark Shuttleworth in South Africa. As of December 30, 2016, its then-parent company, Symantec Group, was collectively the third largest public CA on the Internet with 17.2% market share. [1]

History

Thawte was originally run from Mark Shuttleworth's parents' garage. Shuttleworth aimed to produce a secure server not fettered by the restrictions on the export of cryptography which had been imposed by the United States. The server, Sioux, was a fork of the Apache HTTP server; it was later integrated with the Stronghold web server as Thawte began to concentrate more on their certification activities. [2]

In 1999, Verisign acquired Thawte in a stock purchase from Shuttleworth for US $575 million. [3] Both Verisign and Thawte had certificates in the first Netscape browsers, and were thus "grandfathered" into all other web browsers. Before Verisign's purchase, they each had about 50% of the market. Verisign's certificate rollover was due to take place on 1 January 2000—an unfortunate choice considering the imminent Y2K bug. (Thawte had a similar rollover in July 1998.) The purchase of Thawte ensured there would be no business loss over Y2K. [4]

Proceeds from the sale enabled Shuttleworth to become the second space tourist [5] and to found the Ubuntu project through the creation of Canonical. [6] [7]

In August 2010, Symantec acquired Verisign's security business, including Thawte. [8]

Thawte is now part of DigiCert with its acquisition of Symantec's web security assets in 2017. [9]

Root certificate untrust

Following Thawte's improper issuance of certificates and a dispute with Google, the GeoTrust Root Certificate became untrusted. [10] This led to the sale of Symantec's certificate business which included Thawte in August 2017 to Thoma Bravo LLC for $1 billion [11] with the intention of merging it with DigiCert. [12]

From 1 December 2017, Thawte started to issue all new certificates under the DigiCert Trusted Root TLS Certificate. [13]

Web of Trust

The Thawte Web of Trust was discontinued on 16 November 2009. [14] Thawte used to issue free email certificates and the Thawte Web of Trust was the optional identity verification mechanism for it. To obtain a free Thawte email certificate, a person needed to sign up for a Thawte FreeMail account which allowed a person to create as many certificates as they wanted. Although each certificate was associated with exactly one email address, multiple email addresses could have been associated with a single Thawte FreeMail account. So if a person had more than one email address, they could have created a different certificate for each of them through the same account.

Associating a Thawte FreeMail account with the real identity of the person owning it was based on a Web of trust model. The person's identity was assured by meeting face-to-face with one or more "Thawte Notaries", who needed to see identification and keep a copy of it (for at least five years). Points were assigned by the notaries. The number of points a notary could assign ranged from 10 to 35. In general, the more experienced a notary was, the more points they could assign (see table below). Notaries who were directly verified by Thawte, through events Thawte attended or held, could issue 35 points immediately without needing to gain experience.

The number of points determined what that person's account could do. With fewer than 50 points, the certificates issued had "Thawte Freemail Member" in the name field. With 50 or more points, the certificates carried the person's name. The presence of the person's real name in the certificate can be useful for identifying the certificate (e.g., when stored in a key store) and helps the recipient recognise and trust it. For the purposes of signing and encrypting, both types of certificate could be used in the same way, because both contained the person's email address.

With 100 or more points, a person became a Thawte Notary. When a person became a notary, they were initially listed under their country. They could then change that location and add text to advertise the services they offered. Changes to the advertising text had to be approved by Thawte, and the notary was placed in a pending state while the change awaited approval. The approval process could take several weeks, during which the person's advertisement was not published and the system did not let them act as a notary. Cross notarisation was not allowed: a notary could not notarise a person who had notarised them.

Assertions made by the notary    Maximum points that the notary may award
0                                10
5                                15
10                               20
15                               25
25                               30
35                               35
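The points rules described above (per-assertion award caps from the table, the 50-point and 100-point thresholds, the shortcut for Thawte-verified notaries and the ban on cross notarisation) can be modelled as a small trust-accumulation routine. The following is an added example written for this page, not Thawte's own software; the member names, email addresses and scenario are constructed, and the assumption that a requested award is simply clipped to the notary's cap is the example's own.

```python
from dataclasses import dataclass, field

# Assertions made by the notary -> maximum points that notary may award (the table above).
AWARD_CAP_TABLE = [(0, 10), (5, 15), (10, 20), (15, 25), (25, 30), (35, 35)]
NAME_THRESHOLD = 50      # at 50+ points the real name appears in the certificate
NOTARY_THRESHOLD = 100   # at 100+ points the member becomes a notary


@dataclass
class Member:
    email: str
    name: str
    points: int = 0
    assertions_made: int = 0
    thawte_verified: bool = False                   # verified in person by Thawte itself
    notarised_by: set = field(default_factory=set)  # emails of notaries who vouched for this member

    @property
    def is_notary(self) -> bool:
        return self.points >= NOTARY_THRESHOLD

    def max_award(self) -> int:
        """Most points this member may award per assertion (0 if not a notary)."""
        if not self.is_notary:
            return 0
        if self.thawte_verified:
            return 35  # directly verified notaries skip the experience ladder
        cap = 0
        for assertions, points in AWARD_CAP_TABLE:
            if self.assertions_made >= assertions:
                cap = points
        return cap

    def certificate_name(self) -> str:
        """Name field a certificate issued to this account would carry."""
        return self.name if self.points >= NAME_THRESHOLD else "Thawte Freemail Member"


def can_notarise(notary: Member, subject: Member) -> bool:
    """A notary may vouch for anyone except someone who has already vouched for them."""
    return notary.is_notary and subject.email not in notary.notarised_by


def notarise(notary: Member, subject: Member, requested: int) -> int:
    """Record one face-to-face assertion; returns the points actually credited."""
    if not can_notarise(notary, subject):
        raise ValueError(f"{notary.email} may not notarise {subject.email}")
    credited = min(requested, notary.max_award())   # assumption: requests above the cap are clipped
    subject.points += credited
    subject.notarised_by.add(notary.email)
    notary.assertions_made += 1
    return credited


def run_example() -> dict:
    """Constructed scenario: a new member collects points from four notaries of varying experience."""
    alice = Member("alice@example.test", "Alice", points=100, thawte_verified=True)
    carol = Member("carol@example.test", "Carol", points=100, assertions_made=12)
    dave = Member("dave@example.test", "Dave", points=100)
    eve = Member("eve@example.test", "Eve", points=100, assertions_made=40)
    bob = Member("bob@example.test", "Bob")

    credited = [
        notarise(alice, bob, 35),  # 35: Thawte-verified notary
        notarise(carol, bob, 35),  # capped at 20: only 12 assertions made so far
        notarise(dave, bob, 10),   # 10: brand-new notary
        notarise(eve, bob, 35),    # 35: 40 assertions made
    ]
    return {"bob": bob, "carol": carol, "credited": credited}


if __name__ == "__main__":
    result = run_example()
    bob = result["bob"]
    print(f"{bob.name}: {bob.points} points, cert name '{bob.certificate_name()}', "
          f"notary={bob.is_notary}, may award {bob.max_award()}")
    print("bob may notarise carol:", can_notarise(bob, result["carol"]))
```

Running the scenario shows the two-stage effect of the thresholds: after Alice's 35 points Bob's certificates would still read "Thawte Freemail Member", Carol's capped 20 points push him past 50 so his real name appears, and Eve's award takes him to 100, at which point he is a notary who can award only 10 points per assertion and cannot notarise Carol, who vouched for him.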

After end of life

Thawte Notaries have been submitting minimal information to the Gossamer Spider Web of Trust ("GSWoT"; a grass-roots OpenPGP PKI) for safe-keeping, in the hope of extending the longevity of their earned trust points. The collaborative effort aims to bind Thawte Notary names and email addresses to their existing entries on Thawte's Web of Trust Notary Map. Thawte Notaries both inside and outside GSWoT are performing the validations. The initiative will bear no fruit if Thawte Notaries fail to find or create a WoT that recognises their former status as a Thawte Web of Trust Notary. The Thawte WoT Notaries List on GSWoT was maintained until 16 November 2010. CAcert, the free certification authority, took over a large part of the participants of the Thawte Web of Trust through a special programme. [15]

Related Research Articles

X.500 is a series of computer networking standards covering electronic directory services. The X.500 series was developed by the Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T). ITU-T was formerly known as the Consultative Committee for International Telephony and Telegraphy (CCITT). X.500 was first approved in 1988. The directory services were developed to support requirements of X.400 electronic mail exchange and name lookup. The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) were partners in developing the standards, incorporating them into the Open Systems Interconnection suite of protocols. ISO/IEC 9594 is the corresponding ISO/IEC identification.

Public key infrastructure

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities such as e-commerce, internet banking and confidential email. It is required for activities where simple passwords are an inadequate authentication method and more rigorous proof is required to confirm the identity of the parties involved in the communication and to validate the information being transferred.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

Root certificate

In cryptography and computer security, a root certificate is a public key certificate that identifies a root certificate authority (CA). Root certificates are self-signed and form the basis of an X.509-based public key infrastructure (PKI). In a root certificate the Authority Key Identifier matches the Subject Key Identifier; where no Authority Key Identifier is present, the Issuer name must instead match the Subject name. For instance, the PKIs supporting HTTPS for secure web browsing and electronic signature schemes depend on a set of root certificates.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

Verisign

Verisign Inc. is an American company based in Reston, Virginia, that operates a diverse array of network infrastructure, including two of the Internet's thirteen root nameservers, the authoritative registry for the .com, .net, and .name generic top-level domains and the .cc country-code top-level domains, and the back-end systems for the .jobs and .edu sponsored top-level domains.

Gen Digital

Gen Digital Inc. is a multinational software company co-headquartered in Tempe, Arizona and Prague, Czech Republic. The company provides cybersecurity software and services. Gen is a Fortune 500 company and a member of the S&P 500 stock-market index. The company also has development centers in Pune, Chennai and Bangalore. Its portfolio includes Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner.

CAcert.org is a community-driven certificate authority that issues free X.509 public key certificates. CAcert.org relies heavily on automation and therefore issues only Domain-validated certificates.

CyberTrust was a security services company formed in Virginia in November 2004 from the merger of TruSecure and Betrusted. Betrusted previously acquired GTE Cybertrust. Cybertrust acquired a large stake in Ubizen, a European security services firm based in Belgium, to become one of the largest information security firms in the world. It was acquired by Verizon Business in 2007. In 2015, the CyberTrust root certificates were acquired by DigiCert, Inc., a leading global Certificate Authority (CA) and provider of trusted identity and authentication services.

GeoTrust is a digital certificate provider. The GeoTrust brand was bought by Symantec from Verisign in 2010; in August 2017 Symantec agreed to sell the certificate business to the private equity and growth capital firm Thoma Bravo LLC. GeoTrust was the first certificate authority to use the domain-validated certificate method, which accounts for 70 percent of all SSL certificates on the Internet. By 2006, GeoTrust was the 2nd largest certificate authority in the world with 26.7 percent market share, according to the independent survey company Netcraft.

GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.

DigiCert

DigiCert, Inc. is a digital security company headquartered in Lehi, Utah. DigiCert provides public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates, acting as a certificate authority (CA) and trusted third party.

The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a voluntary consortium of certification authorities, vendors of Internet browser and secure email software, operating systems, and other PKI-enabled applications that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates that chain to a trust anchor embedded in such applications. Its guidelines cover certificates used for the SSL/TLS protocol and code signing, as well as system and network security of certificate authorities.

DigiNotar was a Dutch certificate authority owned by VASCO Data Security International, Inc.

Convergence was a proposed strategy for replacing SSL certificate authorities, first put forth by Moxie Marlinspike in August 2011 while giving a talk titled "SSL and the Future of Authenticity" at the Black Hat security conference. It was demonstrated with a Firefox addon and a server-side notary daemon.

Certificate Authority Security Council

The Certificate Authority Security Council (CASC) is a multi-vendor industry advocacy group created to conduct research, promote Internet security standards and educate the public on Internet security issues.

Certificate Transparency (CT) is an Internet security standard for monitoring and auditing the issuance of digital certificates.

Domain-validated certificate

A domain validated certificate (DV) is an X.509 public key certificate typically used for Transport Layer Security (TLS) where the domain name of the applicant is validated by proving some control over a DNS domain. Domain validated certificates were first distributed by GeoTrust in 2002 before becoming a widely accepted method.

Trustico is a dedicated SSL certificate provider headquartered in the United Kingdom.

References

  1. "Usage of SSL certificate authorities for websites". Retrieved 30 December 2016.
  2. "Mark's millions". News24.
  3. "VeriSign Acquires Thawte, Signio for More Than $1.2 Billion". 21 December 1999. Retrieved 30 August 2012.
  4. http://www.bradgreen.net/web_portfolio/fpki/documents/y2kcerts.pdf [dead link]
  5. "Soyuz Docks as Shuttleworth and Crew Begin Week-Long Stay at Station". SPACE.com. 27 April 2002. Archived from the original on 6 June 2002. Retrieved 2 January 2008.
  6. "The Ubuntu Story". Archived from the original on 15 October 2012. Retrieved 21 October 2007.
  7. "Canonical's Mark Shuttleworth on dueling open-source foundations".
  8. "VeriSign's Security Business is Now Part of Symantec" (PDF). 9 August 2010. Archived from the original (PDF) on 24 September 2015. Retrieved 9 August 2010.
  9. Kerner, Sean Michael (31 October 2017). "DigiCert Closes Acquisition of Symantec's Website SSL Security Unit". eWeek. Retrieved 1 July 2020.
  10. "Google to kill Symantec certs in Chrome 66, due in early 2018". Retrieved 8 January 2018.
  11. "Symantec to sell Web certificates business to Thoma Bravo: sources". Reuters (www.reuters.com), 2 August 2017.
  12. "DigiCert Completes Acquisition of Symantec's Website Security and Related PKI Solutions - DigiCert". DigiCert. Retrieved 8 January 2018.
  13. "Thawte® Global SSL Certificates". www.ssltrust.com.au.
  14. "Frequently Asked Questions for the EOL of WOT / Class One". Retrieved 24 July 2009.
  15. "Tverify-Programme". wiki.cacert.org. Retrieved 23 October 2017.