LinkedIn password database compromised

Leo Bicknell bicknell at ufp.org
Thu Jun 7 13:58:01 UTC 2012


In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
> Heck no to X.509.  We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

Why?

A user providing the public half of a self-signed certificate is
exactly the same as the user providing the public half of a
self-generated SSH key.

The fact that you can have a trust chain may be useful in some
cases.  For instance, I'm not at all opposed to the idea of the
government having a way to issue me a signed certificate that I
then use to access government services, like submitting my tax
return online, renewing my driver's license, or maybe even e-voting.

The X.509 certificates have an added bonus that they can be used
to secure the transport layer, something that your ssh-key-for-login
proposal can't do.

This is all a UI problem.  If Windows/OSX or Safari/Firefox/Chrome
prompted users to create or import a "user certificate" when first
run, and provided a one-click way to provide it to a form when signing
up, there would be a lot more incentive to use that method.  Today pretty
much the only place you see certificates for users is Enterprises with
Microsoft's certificate tools because of the UI problem.

-- 
       Leo Bicknell - bicknell at ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
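
The equivalence argued in this message, as an added example that is not part of the original post: a server enrolls the public key taken from a self-signed certificate the same way it would store an SSH public key, and no CA is consulted. It uses the third-party Python `cryptography` package; the `Accounts` store, the function names and the sample keys are hypothetical and constructed for illustration.

```python
import datetime, hashlib
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def self_signed_cert(key, common_name):
    """Client side: wrap the public key in a certificate signed by the same key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)   # subject == issuer: no CA
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)

def key_pin(public_key):
    """SHA-256 over the DER SubjectPublicKeyInfo: identifies the key, not the cert."""
    spki = public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(spki).hexdigest()

class Accounts:
    """Hypothetical server-side store, the analogue of authorized_keys."""
    def __init__(self):
        self.pins = {}
    def enroll(self, user, cert_pem):
        self.pins[user] = key_pin(x509.load_pem_x509_certificate(cert_pem).public_key())
    def login_allowed(self, user, cert_pem):
        # Possession of the private key is proven by the TLS handshake itself;
        # this lookup only decides whether that key belongs to the account.
        presented = key_pin(x509.load_pem_x509_certificate(cert_pem).public_key())
        return self.pins.get(user) == presented

def demo():
    alice = ec.generate_private_key(ec.SECP256R1())   # constructed sample keys
    other = ec.generate_private_key(ec.SECP256R1())
    store = Accounts()
    store.enroll("alice", self_signed_cert(alice, "alice"))
    ssh_line = alice.public_key().public_bytes(serialization.Encoding.OpenSSH,
                                               serialization.PublicFormat.OpenSSH)
    return {
        "same_key_reissued_cert": store.login_allowed("alice", self_signed_cert(alice, "alice-laptop")),
        "different_key_same_name": store.login_allowed("alice", self_signed_cert(other, "alice")),
        "ssh_key_has_same_pin": key_pin(serialization.load_ssh_public_key(ssh_line)) == store.pins["alice"],
    }
```

Calling `demo()` shows that the account follows the key: a re-issued certificate with a different name is accepted, a different key carrying the enrolled name is not, and the OpenSSH encoding of the same key hashes to the same pin.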