[atlarge-discuss] VC: Thawte's WOT Part 1...

[Walter Schmidt <walts@dorsai.org>]

On Wed, 23 Jul 2003, Joanna Lane wrote:

> ...the Web Of Trust system at www.thawte.com...feedback...would be
> helpful, even putting yourself through the process.

Folks -

So here goes nothing.

First, what one must agree to...

--

 ---  REgards, walts

-------------------------------------------------

Terms and Conditions of Personal Certification
These Terms and Conditions will become effective on the date you submit
the certificate application to Thawte. By submitting these Terms and
Conditions (and certificate application) you are requesting that Thawte
issue a Personal Certificate (certificate) to you and are expressing your
agreement to these terms.

Thawte's Public Certification Services are governed by Thawte's
Certification Practice Statement (the "CPS") as amended from time to time,
which is incorporated by reference into Terms and Conditions. The CPS is
published by Thawte on the Internet at http://www.thawte.com/cps/. You
agree to use the Personal Certificate (certificate) and any related
services only in accordance with the CPS. You demonstrate your knowledge
and acceptance of the terms of this subscriber agreement by either 1)
submitting an application for a Personal Certificate (certificate) to
Thawte, or 2) using the Personal Certificate (certificate), whichever
occurs first.

:: About Personal Certificates ::
A personal certificate is a digital identity document that can be used to
sign digital messages like email and news. It can also be used by other
people to encrypt information that is for your eyes only. Once you
exchange certificates with your friends or business partners you can
correspond over the Internet in complete privacy. The role of the
Certifying Authority Thawte is a Certifying Authority, which means that we
issue digital certificates to consumers and businesses. We are trusted by
almost all the secure software out there to issue certificates that
contain valid identity information. When you request a certificate from
Thawte, you will be able to specify exactly what information goes into
that certificate. Because Thawte plays the role of a trusted introducer in
ecommerce relationships, we have a policy of openness and transparency
with respect to our procedures and our requirements for certification.

This page, and the whole enrollment process, contain a lot of text. None
of it is fine print! It is designed to keep you fully informed about the
information we need from you so that we can be your Certifying Authority.
We prefer to be specific up front rather than after the fact, which means
that we have a lot of text for you to read before you can actually get
your certificate. It is very important that you take the time to read each
page very carefully. If you have questions, feel free to call us or send
us some mail. The good news is that once you have gone through the process
once and understand what we are trying to do, using our system becomes
very easy, and you can come back as often as you like to get as many
certificates as you like at no cost, and very efficiently.

:: Confidentiality and Privacy Guarantee ::
Your relationship with your CA is one of trust.  In order to do our job
effectively we need to know a considerable amount of information about
you. You may rest assured that we will never, under any circumstances,
voluntarily or willingly disclose that information to any third party. We
regularly receive requests for information from our database. They get
thrown away. That is our guarantee to you. We hold ourselves fully liable
to our customers for the privacy of their personal information. Currently,
the database is held in the USA. Should there ever be a suggestion that
your details might not be safe there we will move our database to another
free nation.  We can envisage no legitimate State interest in your
personal information. We keep no private key information so your security
cannot be compromised through Thawte. So that we can verify your identity
we ask for the following information during this registration process.
These requirements vary by country, but once we have set them they cannot
be changed.
 - Your identification number, passport number, social security number,
driver licence number or tax number, depending on your nationality.
 - Your full name and date of birth.
 - Your employer's name, size and address (if you are employed).
 - Your home address and contact details.
 - Your preferred currency.

We need this information even if you only intend subscribing to the
Freemail program, for which there is no charge.  We realise that some
people will not want to divulge that information, despite our commitment
to protecting your privacy.  While we respect your decision, our
experience has been that a completely open policy leads to a significant
degradation in the quality of requests we receive.  We would rather have a
slightly smaller, serious userbase, than open the doors to the abuse of
our system.

THE FOLLOWING PARAGRAPHS ARE EXTRACTED FROM OUR PRIVACY STATEMENT WHICH WE
ENCOURAGE YOU TO READ IN FULL
(http://www.thawte.com/html/CORPORATE/privacy.html). PLEASE NOTE THAT
OTHER PRODUCTS AND SERVICES MAY INVOLVE ADDITIONAL PRIVACY CONSIDERATIONS.

:: The CPS ::
With respect to Thawte's Public Certification Services, this Privacy
Statement is intended to supplement the Thawte Certification Practice
Statement ("CPS"), not replace it.

:: Information We Gather from You ::
Thawte is asking for the personal information in this Personal Certificate
enrollment process for the limited purposes of creating your Personal
Certificate, providing the services that may be part of your Personal
Certificate, and authenticating your identity in order to issue you a
Personal Certificate. You should also be assured that we do not provide or
sell information about our customers or site visitors to vendors that are
not involved in the provision of Thawte's public certification and other
services.  When you visit our site, our computers may automatically
collect statistics about your visit. This information does not identify
you personally, but rather about a visit to our site. We may monitor
statistics such as how many people visit our site, the user's IP address,
which pages people visit, from which domains our visitors come and which
browsers people use. We use these statistics about your visit for
aggregation purposes only. These statistics are used to help us improve
the performance of our Web site.

:: How We Use and With Whom We Share the Information We Gather ::
We may request information from customers via surveys. Participation in
these surveys is voluntary and will be used for purposes of monitoring or
improving the use of and satisfaction with our Web site We use the
information you submit to contact you to discuss the support, renewal, and
purchase of our products and services. We may also provide the information
you have submitted to us to a Thawte holding company, subsidiary, business
partner, or representative so that the holding company, subsidiary,
business partner, or representative can contact you on behalf of Thawte to
facilitate the support, renewal, and purchase of Thawte products and
services.  Please be assured that any holding company, subsidiary,
business partner, or representative who contacts you for one of these
purposes has agreed to use the information we supply only in accordance
with a confidentiality agreement or, with respect to Personal
Certificates, our CPS. To find out the names and locations of the holding
company, subsidiaries, business partners, and/or representatives to whom
we have provided your information, please contact us at the address listed
at the end of this document. We will also use the information you supply
to form the contents of a Personal Certificate. The exact information that
appears in our different types of Personal Certificates is set forth in
the relevant enrollment page, our CPS, and this Privacy Statement. Please
note that all information that you provide us that forms the content of a
Personal Certificate may be "published." Publication of Personal
Certificates in an accessible location would enable a third party to
access, review, and rely upon your Personal Certificate. You should have
no expectation of privacy regarding the content of your Personal
Certificate. If we are required by law to disclose certain information to
local, state, federal, national or international government or law
enforcement authorities, we will do so.

:: Your Ability to Opt-Out of Further Notifications ::
>From time-to-time, we notify our subscribers of new products,
announcements, upgrades and updates. If you would like to opt-out of being
notified, please contact us at "optout@thawte.com". Please be aware that
we reserve the right to notify our subscribers of any information that
affects the security of our products or services.

:: How You Can Update or Correct Your Information ::
We cannot update or correct information contained in a Personal
Certificate without destroying the integrity of the Personal Certificate
because we digitally sign each subscriber's Personal Certificate as a part
of the Personal Certificate issuance process. If we were to subsequently
modify or remove any information listed in a Personal Certificate, our
digital signature would not verify the Personal Certificate's new content.
Furthermore, if a subscriber (sender) then digitally signed a message with
his or her private key, a third party would not be able to properly verify
the sender's signature (created using the sender's private key) because
the sender's Personal Certificate would have been altered after the key
pair's creation.

If you would like to update or correct any information in our records that
is not contained in your Personal Certificate, please go to
https://www.thawte.com/cgi/personal/general/editinfo.exe.

:: How You Can Revoke (Deactivate) Your Personal Certificate ::
A third party relying on a Personal Certificate may want to know its
status (for example, whether it is valid, suspended (where available) or
revoked). Thawte does not generally delete Personal Certificates (and
their content) from its database because a third party might not then be
able to check its status. You may, however, revoke (deactivate) your
Personal Certificate. A revoked Personal Certificate will still appear in
our database with an indication that it has been revoked. If you are a
Personal Certificate subscriber and would like to have your Personal
Certificate revoked (deactivated) from our database, please visit Thawte's
Personal Certificate manager page at:
https://www.thawte.com/cgi/personal/cert/revoke.exe
and follow the listed instructions.

:: Changes to Thawte's Privacy Statement ::
If a material change is made to the Thawte Privacy Statement
(http://www.thawte.com/html/CORPORATE/privacy.html) and/or the way we use
our customers' personally identifiable information then, with the prior
written approval from TRUSTe, we will post prominent notice of the nature
of such change on the first page of the Privacy Statement

Thawte's International Postal address is:
     P.O. Box 2749
     Durbanville 7551
     South Africa

     US Postal address is:
     Thawte (USA), Inc.
     P.O. Box 17648, Raleigh, NC=
     27619-7648


:: Key Escrow and Government Access to Keys ::
Encryption and digital signatures are the only tools individuals have in
the fight to protect their online privacy. The security of this system is
based on the belief that the individual, and only the individual, has a
copy of the private key used for decryption and signature. However, in an
attempt to snoop on the communications of their citizens and those of
other countries, some governments have suggested that these private keys
should essentially be copied and held by law enforcement officials as
well. This is tantamount to handing over your house keys and the ability
to sign your name on a document.

We view with dismay recent attempts by the USA to mandate key escrow and
recovery. Such rules are both impractical and Orwellian. We strongly
encourage you to take what action you can to make your opinion on this
topic clear and public. Suffice it to say that we do not participate in
any such programs,  and so long as it is at all possible for us to do
business in the international arena without compromising the privacy of
our users that will remain the case.

:: Conditions of Use ::
This is not a test system. If you proceed with your enrollment you are
expected to do so in good faith. An individual submitting false or
fraudulent information will be subject to a personal claim of not less
than US$10,000.00. That individual's employer may also be subject to a
claim of no less than US$100,000.00, if it is proven that the organization
was cognizant of the actions of the individual. Please do not toy with
this service. Please only enroll in the system once. We do not permit
multiple profiles.

:: Certification Practice Statement and Statement of Liability ::
Thawte hereby warrants that it performs checks on each and every
certificate request with due diligence appropriate to the certification
fee. Unlike other Certification Authorities we accept liability for our
services. There does not seem to be any point in a CA that completely
disclaims all liability. For full details on the scope of our warranty, we
encourage you to read our Certification Practice Statement and Schedules.




---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de