LinkedIn password database compromised

Aaron C. de Bruyn aaron at heyaaron.com
Thu Jun 7 06:14:58 UTC 2012


On Wed, Jun 6, 2012 at 8:34 PM, Jimmy Hess <mysidia at gmail.com> wrote:
> Which digital id architecture should web sites implement, and what's
> going to make them all agree on one SSO system and move from the
> current state to one of the possible solutions though?  :)
>
>        A TLS + Client-Side X.509 Certificate for every user.

Heck no to X.509.  We'd run into the same issue we have right now--a
select group of companies charging users to prove their identity.

> [insert a thousand of the other slightly more obscure Multi-website
> Single-Login systems]

SSH does a good job of avoiding the pitfalls that most of those other
products have.
Active Directory has costs associated with it.
OpenID requires setting up your own server or using a third party.
Facebook and Google have their own auth systems, but quite a few
people are worried about how much they track you.
And the only time I use a Windows Live account is when I set one up
for a client who needs access to their volume licensing site.

Imagine signing up for a site by putting in your email and pasting
your public key.

No third party verifying and certifying who you are like with SSL
certs and charging you for the privilege (plain ol' username/password
logins don't give you any verification either--LinkedIn has no clue
who I really am), just a key exchange from the user and server proving
that you've both seen each other before.

-A
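Added example, not part of the original post: a minimal sketch of the SSH-style login described above, in Go. Signup stores only the email and the pasted public key, login is a signed random challenge, and the signed message is bound to the site name so a signature captured at one site cannot be replayed at another that holds the same key. Site and account names are constructed for illustration; the server-side proof of identity is left to the TLS channel the site already has.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores, per account, only the public key pasted at signup.
type Server struct {
	name  string
	users map[string]ed25519.PublicKey
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}}
}

// Signup takes an email and a public key: no password, no third-party CA.
func (s *Server) Signup(email string, pub ed25519.PublicKey) { s.users[email] = pub }

// Challenge returns a fresh random nonce; reusing one would permit replay.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// loginMessage binds the nonce to the site name so a signature made for
// one site cannot be replayed at another site holding the same key.
func loginMessage(site string, nonce []byte) []byte {
	return append([]byte("login:"+site+":"), nonce...)
}

// ClientSign is the user's side; the private key never leaves the client.
func ClientSign(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginMessage(site, nonce))
}

// Login succeeds only if the stored public key verifies the signed challenge.
func (s *Server) Login(email string, nonce, sig []byte) bool {
	pub, ok := s.users[email]
	return ok && ed25519.Verify(pub, loginMessage(s.name, nonce), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewServer("example.test")      // constructed site name
	srv.Signup("alice@example.test", pub) // constructed account
	nonce, _ := srv.Challenge()
	sig := ClientSign(priv, srv.name, nonce)
	fmt.Println("login ok:", srv.Login("alice@example.test", nonce, sig))
}
```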




More information about the NANOG mailing list