[153473] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Thu Jun 7 09:59:21 2012
Date: Thu, 7 Jun 2012 06:58:01 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: Nanog <nanog@nanog.org>
Mail-Followup-To: Nanog <nanog@nanog.org>
In-Reply-To: <CAEE+rGq3bmL=aTW0ZQpybsircnNbLzVpvuAm5diLcoa2yFfWYg@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
> Heck no to X.509. We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

Why?

A user providing the public half of a self-signed certificate is
exactly the same as the user providing the public half of a
self-generated SSH key.

The fact that you can have a trust chain may be useful in some
cases. For instance, I'm not at all opposed to the idea of the
government having a way to issue me a signed certificate that I
then use to access government services, like submitting my tax
return online, renewing my driver's license, or maybe even e-voting.

The X.509 certificates have an added bonus that they can be used
to secure the transport layer, something that your ssh-key-for-login
proposal can't do.

This is all a UI problem. If Windows/OSX or Safari/Firefox/Chrome
prompted users to create or import a "user certificate" when first
run, and provided a one-click way to provide it to a form when signing
up there would be a lot more incentive to use that method. Today pretty
much the only place you see certificates for users is Enterprises with
Microsoft's certificate tools because of the UI problem.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
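
Added example, not part of the original message: a Go sketch of the comparison above, in which a site enrols the public half of a self-signed certificate the way it would an SSH public key, by storing a SHA-256 hash of the certificate's SubjectPublicKeyInfo at sign-up and comparing it at login. The function names and the "alice" account are made up for the example, and proof that the client holds the private key is assumed to come from the TLS client-certificate handshake.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
func newKey() ed25519.PrivateKey {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	return key
}

// selfSigned (like every helper here, a name made up for this example) signs a cert with its own key: no CA.
func selfSigned(key ed25519.PrivateKey, cn string, serial int64) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// spkiPin hashes the SubjectPublicKeyInfo, the certificate's "public half".
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// accepts compares the presented certificate's key with the pin stored at sign-up.
func accepts(enrolled map[string][32]byte, user string, c *x509.Certificate) bool {
	pin, ok := enrolled[user]
	return ok && pin == spkiPin(c)
}

func main() {
	alice := newKey()
	enrolled := map[string][32]byte{"alice": spkiPin(selfSigned(alice, "alice", 1))} // sign-up
	fmt.Println("same key, renewed cert:", accepts(enrolled, "alice", selfSigned(alice, "alice", 2)))
	fmt.Println("same name, other key:", accepts(enrolled, "alice", selfSigned(newKey(), "alice", 3)))
}
```

Pinning the key rather than the whole certificate means a re-issued certificate for the same key still matches, while a certificate that only copies the subject name does not.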