The Thawte Web of Trust FAQ

This list of Frequently Asked Questions has been compiled from the two Web of Trust discussion groups, and is intended to answer the most common queries asked by new Notaries and WoT members. For clarification or correction, please e-mail.

1. Can I sign my PGP key with a Thawte Freemail certificate?
2. Help! I'm a 10-point Notary. What can I do?
3. Digital Signatures are reported as invalid on discussion lists. Why?
[Under Development] 4. I have a question about importing/exporting my Freemail certificate, or about cross-platform compatibility.
[Under Development] 5. I have a security-related question about my certificate and/or its use.

Digital Signatures are reported as invalid on discussion lists. Why?

A frequent complaint is that when you send a message to a discussion list and digitally sign it with your Thawte certificate, the copy that comes back from the list server is reported by your e-mail software as having an invalid signature. The same rarely happens to PGP-signed messages.

To understand why, a quick summary of how the two kinds of digital signature are applied to e-mail:

  • S/MIME - when you sign a message with an X.509 certificate using S/MIME (the method built into most e-mail software), the signature covers the entire MIME body part that was signed, byte for byte: the message text, any attachments, and that part's own MIME headers. Many list servers (especially the free ones) add text to the body of every message they relay, such as unsubscribe instructions or, in some cases, adverts. That text lands inside the signed part, so the bytes no longer match what was signed and verification fails. The top-level headers (Subject, To, etc.) are not covered, so a list that only tags the Subject line does not by itself break the signature; a list that appended its footer as a separate MIME part outside the signed part would also leave the signature verifiable, but one that splices the footer into the message text, as described above, does not.
  • PGP - inline (clearsigned) PGP signatures work differently. When you sign an e-mail this way, the software signs only the block of text between the -----BEGIN PGP SIGNED MESSAGE----- and -----BEGIN PGP SIGNATURE----- lines, ignoring trailing whitespace on each line. Anything a list server adds above or below that block and its signature is not part of what was signed, so the signature still verifies. There are rare cases where a list server alters the signed text itself, for example by converting the message to or from HTML or re-wrapping long lines, and then the PGP signature fails too. Note that PGP/MIME, the MIME-based alternative to inline signing, uses the same multipart/signed structure as S/MIME and breaks in the same way.
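The two bullets above describe what each signature scheme covers. The Python below is added here as an illustration; it is not part of the original FAQ and not code from Thawte or from any PGP or S/MIME implementation. It models exactly that difference: an S/MIME-style multipart/signed message whose signature covers the whole first MIME part, and an inline clearsigned PGP message whose signature covers only the text between the armor lines. It then plays list server in the ways the bullets describe. Assumptions: an HMAC under a throwaway key stands in for the real RSA or PGP signature (only what is covered is modelled, not how the signature is computed); the message text, footer and advert are constructed samples; "application/x-demo-signature" is a made-up protocol name; and the clearsign canonicalisation omits dash-escaping. The MIME-aware list case (footer as a sibling part) goes slightly beyond the FAQ text to show when an S/MIME signature does survive.

```python
"""Why a list-server footer breaks an S/MIME signature but not an inline PGP one.
ASSUMPTION: an HMAC under a shared demo key stands in for the real RSA/X.509
(S/MIME) or PGP signature so this runs offline with the standard library only.
*What* each signature covers is modelled faithfully; *how* it is computed is not.
"""
import email
import hashlib
import hmac
import textwrap
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

DEMO_KEY = b"constructed-demo-key"               # stand-in for the signer's private key
BODY = "Hi list,\nHere is my signed message.\n"  # constructed sample message
FOOTER = "\n--\nYou are subscribed to demo-list. Send 'unsubscribe' to leave.\n"  # constructed

def sign_bytes(data: bytes) -> str:
    return hmac.new(DEMO_KEY, data, hashlib.sha256).hexdigest()

def verify_bytes(data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_bytes(data), sig)

# --- S/MIME style: multipart/signed (RFC 1847). The signature covers the whole
# first body part, its MIME headers included, exactly as it appears on the wire.
# "application/x-demo-signature" is a hypothetical protocol name for this demo.
def smime_sign(text: str) -> bytes:
    content = MIMEText(text, "plain")
    msg = MIMEMultipart("signed", protocol="application/x-demo-signature")
    msg.attach(content)
    msg.attach(MIMEText(sign_bytes(content.as_bytes()), "plain"))
    return msg.as_bytes()

def smime_verify(raw: bytes) -> bool:
    msg = email.message_from_bytes(raw)
    for part in msg.walk():                      # the signed part may be nested
        if part.get_content_type() == "multipart/signed":
            content, sig_part = part.get_payload()
            return verify_bytes(content.as_bytes(), sig_part.get_payload().strip())
    return False

def list_append_to_body(raw: bytes) -> bytes:    # typical list: footer spliced into the text
    msg = email.message_from_bytes(raw)
    text_part = msg.get_payload(0)               # first part of multipart/signed = signed text
    text_part.set_payload(text_part.get_payload() + FOOTER)
    return msg.as_bytes()

def list_append_as_part(raw: bytes) -> bytes:    # MIME-aware list: footer as a sibling part
    outer = MIMEMultipart("mixed")
    outer.attach(email.message_from_bytes(raw))  # signed part left byte-for-byte intact
    outer.attach(MIMEText(FOOTER, "plain"))
    return outer.as_bytes()

# --- Inline (clearsigned) PGP (RFC 4880 section 7). Only the text between the
# armor lines is signed, after trailing whitespace is stripped and line ends are
# canonicalised to CRLF. ASSUMPTION: dash-escaping of the text is omitted here.
ARMOR_OPEN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_OPEN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def canonical_text(lines) -> bytes:
    return "\r\n".join(line.rstrip(" \t") for line in lines).encode()

def clearsign(text: str) -> str:
    lines = text.splitlines()
    sig = sign_bytes(canonical_text(lines))
    return "\n".join([ARMOR_OPEN, "Hash: SHA256", ""] + lines
                     + [SIG_OPEN, "", sig, SIG_END, ""])

def clearsign_verify(body: str) -> bool:
    lines = body.split("\n")
    try:
        start = lines.index(ARMOR_OPEN)          # anything before this line is ignored
        text_start = lines.index("", start) + 1  # blank line ends the armor headers
        sig_start = lines.index(SIG_OPEN, text_start)
        sig_end = lines.index(SIG_END, sig_start)  # anything after this line is ignored
    except ValueError:
        return False
    sig = "".join(line for line in lines[sig_start + 1:sig_end] if line.strip())
    return verify_bytes(canonical_text(lines[text_start:sig_start]), sig)

def list_rewrap(body: str, width: int) -> str:   # format-converting list: reflow the signed text
    lines = body.split("\n")
    text_start = lines.index("", lines.index(ARMOR_OPEN)) + 1
    sig_start = lines.index(SIG_OPEN)
    reflowed = textwrap.fill(" ".join(lines[text_start:sig_start]), width).split("\n")
    return "\n".join(lines[:text_start] + reflowed + lines[sig_start:])

def demo() -> dict:
    signed, clear = smime_sign(BODY), clearsign(BODY)
    return {
        "smime_untouched": smime_verify(signed),
        "smime_footer_in_body": smime_verify(list_append_to_body(signed)),
        "smime_footer_as_part": smime_verify(list_append_as_part(signed)),
        "pgp_untouched": clearsign_verify(clear),
        "pgp_footer_below": clearsign_verify(clear + FOOTER),
        "pgp_advert_above": clearsign_verify("*** Sponsored link ***\n\n" + clear),
        "pgp_rewrapped": clearsign_verify(list_rewrap(clear, 20)),
    }
```

Calling demo() shows both untouched messages verifying, the S/MIME message failing once the footer is spliced into its text part, and the clearsigned message surviving text added above or below the signed block but failing once that block is re-wrapped. The footer-as-sibling-part case stays valid because the signed part itself is untouched, which is why a MIME-aware client must look for the nested multipart/signed part the way smime_verify does rather than verifying the top-level entity.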

In summary, if you intend to sign an e-mail that is going to a list server, it is better to use inline PGP than S/MIME. See Question 1 in this FAQ for details of how you can add a Thawte certification to your PGP key.

Note: it may still be worth signing list messages with S/MIME. Although the signature will be reported as invalid, your certificate is embedded in the message, so other members can extract it to encrypt to you and to verify the messages you send them off-list.

PGP/GPG Public Key [4096/4096 RSA]
Contact The Minstrel
Web The Minstrel's Showcase