Thawte Transfer Program is temporarily stopped
Because there is no policy for the Thawte notary transfer program, which matters with a view to the CAcert audit for Mozilla, and because we lack volunteers to take charge of this policy, we are forced to stop the transfer program temporarily, as we cannot audit the process.
We are sorry for the inconvenience. We thank all the people involved in the process and hope to have them back as soon as we have a policy in force.
Please see :
Please feel free to contact support@cacert.org if you are interested in helping to write that policy. We would like to continue the trust transfer program.
Information for Notaries/Assurers from other Certificate Authorities
Contents
- Thawte Transfer Program is temporarily stopped
- Information for Notaries/Assurers from other Certificate Authorities
- CAcert tverify team
- Are there any other Certificate Authorities that can be accepted for point transfer?
I am a Thawte notary: can I be recognized as a CAcert trusted user or assurer?
Yes! If you are a Thawte trusted user, you can gain 50 points. As a Thawte WoT Notary, up to 150 points!
| You provide | How many trust points you get? | Comments |
|---|---|---|
| Your assured Thawte X509 cert. | 50 | If you are a verified Thawte user, you can get 50 CAcert Points for connecting to the CAcert website and telling your browser to send your certificate details. So, if you just supply a Thawte certificate the system should automatically issue 50 points. |
| A Thawte notary listing entry | +40 | If you are a Thawte Notary, and you provide your Thawte notary listing entry URL, then you will get another 40 points. |
As your request is reviewed by real people, it may take some time before you get the extra points over 50. So do not worry, the reply will come as soon as possible!
For more details go to https://tverify.cacert.org
Can I keep my already collected CAcert points with Thawte Transferred points?
No, it is forbidden. So if you plan to get points from a CAcert assurer, do it after you get points via Thawte Transfer.
Example:
- you have no trust points.
- step 1: get 50 points from Thawte transfer
- step 2: get another 50 points from CAcert assurers
So you'll have 50+50 = 100 points. The opposite way is *impossible*.
Example:
- you have no trust points
- step 1: you get 50 points from CAcert assurers
- step 2: you get 50 points from Thawte transfer
So you'll have 50+0 = only 50 points, as Thawte transfer points do not accumulate with already existing assurance points.
Warning
Before starting the Tverify process, users are strongly encouraged to list their main CAcert email address in the T..... notary directory. Of course, the email address can be removed once the user has been assured.
Should you change the details of your Thawte Notary listing, such as to add your email address, your listing will be pulled from the Notary directory until such time as the change has been approved by Thawte. This could take as long as a week.
Troubleshooting
You must load a trusted Thawte email cert in your browser first
This site expects that you have a Thawte certificate loaded in your browser's certificate cache. If you receive an error -12xxx when trying to load the site, it means that your browser was unable to present a Thawte certificate.
- Doesn't work with Mozilla! With IE it works. Jens Kühnel
- Did not try with Mozilla, but Firefox works. Christof Dallermassl
- When requesting the Thawte certificate with Mozilla/Firefox, do not restrict the "Netscape Certificate Type" to "S/MIME". That means it will not work for "SSL Client Authentication" (but this is needed for verification). Thomas Henlich
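The last comment above concerns the legacy Netscape Certificate Type (nsCertType) extension, whose value is a DER BIT STRING of usage flags. The following is an added example, not part of the original page or of CAcert's code: it decodes that value and shows why an S/MIME-only certificate cannot be presented for client authentication. The two sample byte strings are constructed for illustration.

```python
# Added example: decode the value of the Netscape Certificate Type extension
# (OID 2.16.840.1.113730.1.1). The value is a DER BIT STRING in which bit 0
# is the most significant bit of the first content byte.
NS_CERT_TYPE_BITS = {
    0: "SSL Client",
    1: "SSL Server",
    2: "S/MIME",
    3: "Object Signing",
    5: "SSL CA",
    6: "S/MIME CA",
    7: "Object Signing CA",
}


def decode_ns_cert_type(der: bytes) -> set:
    """Return the usage names set in a DER-encoded nsCertType BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, content = der[2], der[3:]
    if unused > 7 or (not content and unused):
        raise ValueError("invalid unused-bit count")
    # DER requires the unused trailing bits to be zero.
    if content and content[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits")
    usages = set()
    for bit, name in NS_CERT_TYPE_BITS.items():
        byte_index, offset = divmod(bit, 8)
        if byte_index < len(content) and content[byte_index] & (0x80 >> offset):
            usages.add(name)
    return usages


def usable_for_client_auth(der: bytes) -> bool:
    """True if the certificate type includes SSL client authentication."""
    return "SSL Client" in decode_ns_cert_type(der)


# Constructed sample values (not taken from real certificates).
SMIME_ONLY = bytes.fromhex("03020520")        # only bit 2 set
CLIENT_AND_SMIME = bytes.fromhex("030205a0")  # bits 0 and 2 set

if __name__ == "__main__":
    for label, value in (("S/MIME only", SMIME_ONLY),
                         ("client + S/MIME", CLIENT_AND_SMIME)):
        print(label, sorted(decode_ns_cert_type(value)),
              "client auth:", usable_for_client_auth(value))
```

Current certificates usually express the same restriction through the Extended Key Usage extension (clientAuth) rather than nsCertType.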
What is a Thawte Notary URL?
You should have something like https://www.thawte.com/cgi/personal/wot/directory.exe?node=00000 where 00000 is the node number where you appear in the notary map.
Can I do a Cert Login to CAcert.org with my Thawte Cert?
Question: Is there any chance of getting the certificate login to work with Thawte Certs? like the tverify portion of the site?
Answer:
Yes and no...
Technically it's possible, but from the point of trying to increase the number of certs we have issued it's not a good idea as it wouldn't promote the use of our client certs...
What passphrase should I use, do I make one up?
Use the passphrase that you would normally login to CAcert with, not Thawte. The name on your Thawte cert should match the name you have listed in the CAcert system.
Miscellaneous comments from support team & more
see here ThawteNotary/extra
CAcert tverify team
What is the process for people checking requests?
There will be up to 2 pieces of information in each request:
- Details extracted from a Thawte Certificate (name, email address etc)
- Thawte Notary URL
Once you receive a request, you need to verify that the name, and hopefully the email address, of the notary appears at the URL presented. If not, reject the request and state the reason as "unable to locate".
If the details match 100%, there should generally be no reason to reject the request. But as always, if in doubt, ask the mailing list or reject the request asking for further clarification. There is no harm in trusting people, but always verify!
Usually there are no more than a handful of requests per week, other times there won't be any for a few weeks, and it shouldn't take more than a minute to process each request.
Transfer Process behind-the-scenes...
Tverify Notifications come with 2 links in the email
One is the person's Thawte listing; this should be verified to make sure they are indeed listed.
Another link will be the CAcert link to VOTE on the application. If there is any reason to doubt the assertion, or any other reason you would decline the assertion in person, then you vote it down. You may also put in comments as to WHY you voted the way you did.
As far as finding their data on the website? Thawte now has a search by name for Notaries, you can also search by location which should be listed on their ID. But really part of the application is that THEY provide a link to their Thawte Notary listing, like this...
https://www.thawte.com/cgi/personal/wot/directory.exe?node=12345
So, we know that by signing into https://tverify.cacert.org that
- they have possession of a cert issued from Thawte
- the person named in the cert has been verified by Thawte's Web of Trust
- at least 1 of the emails listed in that cert is valid and belongs to a CAcert.org user
It's up to us as voting members to verify the details that can't be programmatically handled; that means checking the ID, and signing into the Thawte site and validating that their name is listed as a notary.
As a side note, if a Thawte user with only 50 points (verified user but not a Notary) signs into tverify, the system will automatically assign them 50 points, as all the checking can be done automatically.
Are there any other Certificate Authorities that can be accepted for point transfer?
Yes, if the process is similar to Thawte or CAcert Web of Trust process.
Basic requirements for Points Transfer other than from Thawte
Please try to answer these questions and provide documents about your certificate provider (named "A"):
Who is A ?
Which country is A from?
- Where can we get information about them?
What personal details did "A" verify before issuing you the certificate?
- Was there a face-to-face meeting?
- What documents did they check?
- Can their certificates be used for client-certificate authentication to websites?
- Is there a CPS in English available?
Has "A" been audited by an independent auditor? According to which criteria?
(from Sourcerer)
Example : Spanish Public C.A.
For example, we may consider the Spanish government certification process
Q.
I would like to know if it's possible to become an assurer through the Spanish public C.A. (http://www.cert.fnmt.es/ ) that is used to access the online administration in order to register work contracts, pay taxes etc. This certificate is given after a public worker certifies your identity by comparing it to the national ID card?
A.
Maybe! The case is pending.
The main assurance process is described here more details
Process:
You have to:
- download the CA root cert,
- pre-register via the Internet with first and last names / full address in Spain, phone numbers (no Date of Birth but they mention an id code "NIF" ?) => you get an ID code,
- go to the closest office near you for a face-to-face meeting with an employee of a Spanish public service, bringing the id code from the web site and an id paper, and complete the registration,
- afterwards you can download the certificate from home.
You can have access to many public service web sites with this certificate.
It could be valuable but we would need to get the scanned copy of the id paper to check the Date of Birth.
Unfortunately, we lack the resources to verify the processes of other CAs and to code the Transfer Process.