Wednesday, October 15, 2003

Web Of Trust - Blog as Authentication

I ran across Thawte’s Web of Trust page the other day. It’s an interesting idea, and appealing to a cheap bastard like me since it’s free. And as email signing has been suggested as a technology that could help combat spam, it appears to be worth looking into.

The part I don’t like, though, is that I have to appear before a Notary in person. See, I feel I have a fairly strong online identity – most people reading this probably feel pretty confident that I am in fact Craig Andera, who works at DevelopMentor and maintains this blog. So I’d like the opportunity to be awarded a cert based on readers of this web log vouching for my identity. Basically, I’m viewing my blog as an authentication mechanism – a sort of voiceprint if you will.

Now, I certainly understand why they haven’t set it up this way – in general blogs are a pretty weak form of authentication, and anyone could claim to be someone else by setting up a weblog. But since I’m lazy and selfish, I just think about my own particular case. The fact that I’m on the domain and have been writing about generally the same things for months now could in theory act as a reasonable assurance of my identity.


  1. And how does Thawte's WOT differ from PGP? Looks like Thawte is the one who assigns trust as opposed to the individuals that make up the web. At least with PGP I could decide who was trustworthy and who was not.

    I think we should get a group of folks together and agree to become evil notaries just to prove how broken their system can get ;-)

  2. Yes, Thawte is the one who assigns trust...just like they do for SSL server certs.

    I'm not familiar with PGP, although in retrospect, duh - I should have remembered it. Thanks for reminding me - time to go educate myself a little!

    BTW, sign me up for your evil cult. ;)

  3. Yeah, PGP is the same idea, only you don't need Thawte (or any other central authority) at all - you can control for yourself who you trust to send you messages, who you trust to verify others' signatures, etc.