The Added Value


Going the easiest way is sometimes, well… easy. But is it always the best way to go? Most likely not! Since setting up the StartSSL™ Web-Of-Trust Network, the community surrounding this project has seen little growth and seems to be going down a rocky road. Why is that, and how does this Web-Of-Trust (WoT) compare to others?

Generally speaking, a Web-of-Trust is a loose network of people validating each other's identity or other things, such as the public keys a member might hold. The groups surrounding holders of PGP keys are perhaps the most commonly known, and some certification authorities also maintain such networks, issuing digital certificates based on validations performed by members of that network. All of them hold that vetting by other members of the group increases the trust in the validated member: the more confirmations, the better.

So what's the difference between the ones mentioned above and the StartSSL™ WoT? First of all, there is a major difference between PGP webs and those operated by certification authorities (CAs), because PGP keys are not commonly used to secure web sites, but only documents and email messages. Certification authorities, on the other hand, can issue server certificates for web sites; however, only some of them do so, while the others limit issuance to client certificates only.

StartCom, which operates the StartSSL™ WoT, already issues basic server and client certificates for free as part of its commercial operations. These certificates provide a low assurance level because they are domain- or email-validated only and therefore don't confirm the subscriber's identity. Nevertheless, this type of certification is excellent for its intended purpose, where identity or organization validation isn't needed. With that, StartCom already serves the Internet community well, since anybody can obtain perfectly valid SSL certificates without any cost or effort. This might be one of the major reasons why many would view the StartSSL™ WoT as superfluous and unneeded.

Another reason might be the fact that the StartSSL™ WoT policy requires members wishing to achieve notary status to have their identity validated through StartCom's higher Class 2 validation procedures. These validations are not free and carry a fee (currently US$ 25). In addition, WoT notaries must pass an online test before the notary status is confirmed. This apparently is a hurdle for some, as a recent email I've received might indicate:

I'm already a notary for this and that WOT and I would assist StartSSL as well. But I don't want to pay for a Class2 cert! I would invest time of a higher value, but I don't want to pay money!
If it were possible to become a StartSSL notary without costs, I would do it. Otherwise it sounds to me like another sales concept to sell your certificates.

So here we have it, the StartSSL™ WoT is just another money making scheme! How does this selfish and greedy Israeli company dare to make such requirements and even charge money for it?!

First of all, I'd say that StartCom has long ago proven its commitment to the Internet community by making digital certification available to the masses for free. It has provided completely valid client and server certificates for years! StartCom is unique in that respect: it is the only such CA whose root certificates are included in many browsers and other software, and the only one to have kept this up over time!

StartCom applies a reasonable fee for the validations it performs and doesn't charge for the certificates themselves. This means that the issuance of certificates isn't limited and fees are not applied on a per-certificate basis. More than that, the fees for these validations are by far the cheapest in this industry and only cover the associated costs!

StartCom decided that it wants to build a better Web-of-Trust, one upon which others can rely, by imposing certain conditions and requirements on notaries. In the real (non-virtual) world, too, notaries have to learn their job, undergo exams and obtain a license. StartSSL™ notaries have similar requirements and thereby provide a real added value to the validated users and the relying parties, in comparison to other trust networks.

If you also believe in the goals StartCom has set itself and you are interested in participating, check out the various ways you can contribute. Today you can also win an eToken by participating in a small competition for notaries. And as StartCom continues to slowly grow this network, notaries might be approached by StartCom in the future to perform other verifications and tasks in their respective countries and regions on a per-contract basis. This is just a small hint as to why the StartSSL™ WoT might be useful for StartCom itself, as it allows the company to hire qualified people for its own needs.

Reader Comments

At one point in my career I was involved in computer security for what is now one of the big 5 accounting firms. After that experience, the WOT approach made a lot of sense to me. It's based on trust, not how much money you're willing to spend to CYA.
I will stay in touch. I had high hopes for the folks at cacert.org.

It is a great idea and hopefully more people will get into this.

Maybe you should do more advertising, Eddy? Nobody here knows about StartCom in Germany except me.

I will have a vacation in the deep woods of the Nordic part of Germany soon. Await my photographs and watch my blog. :)

You aren't alone in Germany - another few thousand use StartCom certs there and we enjoy a relatively high market share, especially in your country. Market penetration may happen without any advertisement; instead YOU are by far the best "advertisement board" out there! No matter how much money is invested into campaigns, a satisfied user/customer/friend is irreplaceable.

Have a nice vacation!

Being currently unemployed, the US$25 fee is a bit of a trial for me, as well. How long does the fee last? Once a notary, always a notary? Or is it an annual thing?

Is there any sort of ‘transitive trust’ mechanism that can substitute for the monetary fee? I.e., a voucher from someone?

If the fee is a one-time thing, and is to cover actual verification costs, I can probably arrange to budget for it.