- Thawte "Web of Trust" a source of Identity Theft?
- Posted by John Fuses on February 2nd, 2004
I'm interested in some feedback on the privacy implications of
participating in Thawte's Web of Trust program via its notaries.
If I must present sensitive credentials to between two and five
parties to have my identity certified (or up to ten to become a
notary), am I not running a substantial risk of identity-theft? These
credentials are among the most sensitive: passport, driver's license,
social security/national ID card. If I were an unscrupulous notary, I
could collect this information and pass it on to others at some profit
or political gain.
Even if I were a reputable notary, a thief could target a popular
notary, who must keep records of this information for years. Why
would I want to become a notary, and have the liability of dozens or
hundreds of people's identification information?
While PGP's web of trust is less strict (and relies more on knowing
the character and capabilities of your trusted introducer), there
appears to be a MUCH lower risk to all parties involved.
Am I missing a perspective under which this information remains
secure?
John
- Posted by kulm_nd on February 2nd, 2004
Most notaries keep nothing worth stealing. They look at the ID and certify
the papers but keep no information or copies of the document. If a notary
takes notes I would demand them and go somewhere else to sign the papers.
--
************************************************
g-w
"John Fuses" <jfuses@hotmail.com> wrote in message
news:c22bbadf.0402021039.67a975c8@posting.google.com...
- Posted by Joe Harrison on February 3rd, 2004
"John Fuses" <jfuses@hotmail.com> wrote in message
news:c22bbadf.0402021039.67a975c8@posting.google.com...
Theoretically I guess you are correct, it's always good to have people
around who consider possible downsides and ask "what if."
But in practice I don't think this would be a good source of material.
Thawte notaries keep literally identity-related documents, in practice this
usually means photocopies of passports or other government-issue national
identity documents. Notaries don't usually keep things more useful to a
scammer, for example proof of address documentation.
Look at it from the other side, imagine you are trying to impersonate
someone for gain. What use exactly is a partial photocopy of their passport?
Wouldn't you rather get your hands on a discarded utility bill?
Joe
- Posted by John Fuses on February 3rd, 2004
g-w,
When I used the term "notary," I meant a trust-assigning member of the
Thawte "Web of Trust" as defined here:
http://www.thawte.com/html/COMMUNITY...rocedures.html
Thawte notaries must keep copies of the identifying documents.
A standard notary is a different beast entirely, and I'd agree with
your assessment there.
John
"kulm_nd" <g-w@ComcastREMOVE.net> wrote in message news:<IRzTb.35937$P%1.28435288@newssvr28.news.prodigy.com>...
- Posted by John Fuses on February 3rd, 2004
Joe,
A more careful rereading of the procedure does show a way to mitigate
the information leakage.
If you used two forms of ID that did not bind to the sensitive
information (i.e., no driver's license, social/health card, tax ID, etc.)
the information is less usable.
At this point I'm thinking the best options are passport (or two) and
birth certificate. Do any other options come to mind?
John
"Joe Harrison" <joe.harrison@teamware.antisp4m.co.uk> wrote in message news:<401f8c79$0$13349$ed9e5944@reading.news.pipex.net>...
- Posted by Ralph A. Jones on February 3rd, 2004
PMFJI, but I tended to agree with your OP. A WOT "Notary" has none of
the built-in "trustworthiness" of a legal Notary Public -- registration
with a governmental overseer and a monetary bond to back up claims for
indiscretions/errors/omissions. A WOT "Notary" is just some schmoe who
has played along in the game and racked up the necessary points to
arrive at their exalted position. Your observations and paranoia in
this regard are right on, IMHO (and all of us who use/have digital IDs
are paranoids by definition, so no offense intended by using the term).
And while you have me waxing philosophical, what true benefit (other
than a free digital ID from Thawte) is there to belonging to a WOT or
enhancing your WOT "score"? Sure, sure, it "proves" who I am (except
when I have presented forged identity documents to a "Notary"). But
apparently with Thawte's parent company, VeriSign, I am who I am if I
just have USD 14.95 per year to part with.
John Fuses wrote:
- Posted by John Fuses on February 4th, 2004
Ralph,
Actually, let's turn up the paranoia to 11...
Presume I want minimum financial identity theft risk, and I present
passport and birth certificate to the notary. Next presume one or
more WOT notaries are affiliated with non-governmental military
organizations bent on violent destabilization of established powers
(I'm trying not to use the T word).
That would, in my opinion, be an EXCELLENT way of collecting travel
documents for later forging. How would >I< know that I've entered and
exited the country fifteen times? It certainly wouldn't show up on my
credit report.
I'm thinking that WOT notaries should be more like U.S. state
notaries, who have liability for wrongdoing, and do not (as another
poster pointed out) retain copies of certified documents, but simply a
record of the certification event itself.
John
"Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message news:<aBTTb.93$3Z2.73759@news.uswest.net>...
- Posted by Joe Harrison on February 5th, 2004
"Ralph A. Jones" <rajones@SPAM_ME_NOT_AT_tconl.com> wrote in message
news:aBTTb.93$3Z2.73759@news.uswest.net...
I am myself one of these schmoes. Even schmoes are not stupid however and I
can tell you that if I decided to embark on a career of crime I would choose
one that did not leave a cryptographically verified audit trail right back
to my passport.
Its value I suppose depends on how you look at it. I would say it is more
value in terms of asserting identity than is the traditional PGP
web-of-trust. Also more value than the 14.95 Verisign certificates which I
believe only certify that your e-mail address belongs to you - the
"notarized" Thawte equivalents have an additional CN= field which also
certifies what your name is. If I were to sign the present usenet article
then you would be pretty sure it really was written by me, or someone
knowing at least one of my key passphrases.
There are several downsides as you point out - firstly yes when I previously
showed Thawte my passport I could have maybe fooled them with a bogus
document showing a false identity. There must be easier ways to perpetrate
forged usenet posts however.
The other obvious problem is that if I have a common first and last name
(such as Joe Schmoe) then it does not enable you to know which of the many
millions of Mr. J. Schmoes worldwide I actually am.
But both these cases show inherent fundamental problems with identity
registration and management, rather than problems with Thawte's scheme as
such. Basically Thawte's web of trust is good at what it's good at, mainly
simple identity verification for low-to-medium level purposes.
- Posted by Ralph A. Jones on February 5th, 2004
Joe Harrison wrote:
Well said and fair enough.