LinkedIn password database compromised

Owen DeLong owen at delong.com
Thu Jun 7 22:00:03 UTC 2012


No argument about that at all.

Owen

On Jun 7, 2012, at 2:26 PM, Matthew Kaufman wrote:

> It also allows them to sign anyone they want as someone pretending to be you, but with a different key pair.
> 
> Just like the DMV could, if it wanted to (or was ordered to) issue a driver's license with my name and DL number but an FBI agent's photo and thumbprint associated.
> 
> You'd want your logins to be at sites that only trusted CAs that you trusted to not do this... for HTTPS we're already way over that line I'm afraid.
> 
> Matthew Kaufman
> 
> (Sent from my iPhone)
> 
> On Jun 7, 2012, at 1:18 PM, Owen DeLong <owen at delong.com> wrote:
> 
>> A proper CA does not have your business or personal keys, they merely
>> sign them and attest to the fact that they actually represent you. You are
>> free to seek and obtain such validation from any and as many parties as
>> you see fit.
>> 
>> At no point should any CA be given your private key data. They merely
>> use their private key to encrypt a hash of your public key and other data
>> to indicate that your private key is bound to your other data.
>> 
>> You trust DMV/Passport Agency/etc. to validate your identity in the form
>> of your government issued ID credentials, right?
>> 
>> That doesn't give DMV/Passport Agency/etc. control over your face, but
>> it does allow them to indicate to others that your face is tied to your
>> name, date of birth, etc.
>> 
>> Owen
>> 
>> On Jun 7, 2012, at 1:04 PM, -Hammer- wrote:
>> 
>>> I gotta agree with Aaron here. What would be my motivation to "trust" an open and public infrastructure? With my business or personal keys?
>>> 
>>> -Hammer-
>>> 
>>> "I was a normal American nerd"
>>> -Jack Herer
>>> 
>>> 
>>> 
>>> On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote:
>>>> On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong <owen at delong.com> wrote:
>>>>>> Heck no to X.509.  We'd run into the same issue we have right now--a
>>>>>> select group of companies charging users to prove their identity.
>>>>> Not if enough of us get behind CACERT.
>>>> Yet again, another org (free or not) that is holding my identity hostage.
>>>> Would you give cacert your SSH key and use them to log in to your
>>>> Linux servers?  I'd bet most *nix admins would shout "hell no!"
>>>> 
>>>> So why would you make them the gateway for your online identity?
>>>> 
>>>> -A
>>>> 
>>>> 
>> 
>> 
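The CA model argued over in this thread, as an added example that is not part of the original messages: the CA is handed only the subject's public key and signs it together with the subject's name, and the same CA can just as well sign a second key pair under that name; a relying party that checks only "does this chain to a CA I trust" accepts both, while one that pins the certified public key notices the substitution. Written against the Go standard library; the key pairs, serial numbers, "Owen DeLong" subject and "Example Root CA" are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // unwrap (value, error); any failure aborts the demo
	if err != nil {
		panic(err)
	}
	return v
}

// issue: CA key `signer` certifies that `pub` belongs to `name`; the subject's private key is never handed over.
func issue(serial int64, name string, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil, // nil parent: self-signed root
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}
func chainsTo(cert, ca *x509.Certificate) bool { // the name-only check: a valid signature from ca
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) } // the value a relying party pins
func Demo() (legitOK, impostorOK, pinsDiffer bool) { // CA certifies "Owen DeLong" for Owen's key, then for an impostor's key
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue(1, "Example Root CA", &caKey.PublicKey, nil, caKey)
	owen, impostor := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	legit := issue(2, "Owen DeLong", &owen.PublicKey, ca, caKey)
	forged := issue(3, "Owen DeLong", &impostor.PublicKey, ca, caKey)
	return chainsTo(legit, ca), chainsTo(forged, ca), spkiPin(legit) != spkiPin(forged)
}
```

Both certificates chain to the CA, so trusting the CA alone cannot tell them apart; only the pinned SPKI hash differs.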