[153508] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Matthew Kaufman)
Thu Jun 7 17:27:48 2012
In-Reply-To: <844C316A-4535-4D18-A112-59AE47398636@delong.com>
From: Matthew Kaufman <matthew@matthew.at>
Date: Thu, 7 Jun 2012 14:26:45 -0700
To: Owen DeLong <owen@delong.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
It also allows them to sign anyone they want as someone pretending to be you, but with a different key pair.
Just like the DMV could, if it wanted to (or was ordered to) issue a driver's license with my name and DL number but an FBI agent's photo and thumbprint associated.
You'd want your logins to be at sites that only trusted CAs that you trusted to not do this... for HTTPS we're already way over that line I'm afraid.
Matthew Kaufman
(Sent from my iPhone)
On Jun 7, 2012, at 1:18 PM, Owen DeLong <owen@delong.com> wrote:
> A proper CA does not have your business or personal keys, they merely
> sign them and attest to the fact that they actually represent you. You are
> free to seek and obtain such validation from any and as many parties as
> you see fit.
>
> At no point should any CA be given your private key data. They merely
> use their private key to encrypt a hash of your public key and other data
> to indicate that your private key is bound to your other data.
>
> You trust DMV/Passport Agency/etc. to validate your identity in the form
> of your government issued ID credentials, right?
>
> That doesn't give DMV/Passport Agency/etc. control over your face, but,
> it does allow them to indicate to others that your face is tied to your
> name, date of birth, etc.
>
> Owen
>
> On Jun 7, 2012, at 1:04 PM, -Hammer- wrote:
>
>> I gotta agree with Aaron here. What would be my motivation to "trust" an open and public infrastructure? With my business or personal keys?
>>
>> -Hammer-
>>
>> "I was a normal American nerd"
>> -Jack Herer
>>
>>
>>
>> On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote:
>>> On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong<owen@delong.com> wrote:
>>>>> Heck no to X.509. We'd run into the same issue we have right now--a
>>>>> select group of companies charging users to prove their identity.
>>>> Not if enough of us get behind CACERT.
>>> Yet again, another org (free or not) that is holding my identity hostage.
>>> Would you give cacert your SSH key and use them to log in to your
>>> Linux servers? I'd bet most *nix admins would shout "hell no!"
>>>
>>> So why would you make them the gateway for your online identity?
>>>
>>> -A
>>>
>>>
>
>
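Matthew's point above (a CA that signs your key can just as well sign a different key pair under your name) and Owen's description of what a CA actually signs, as an added Go example that is not part of this thread: a constructed CA issues two certificates for the same name over two different key pairs, ordinary chain validation accepts both, and only a pin on the SubjectPublicKeyInfo hash of the genuine key tells them apart. The CA name, the subject name `matthew.example` and all key pairs are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// tmpl is what the CA signs: a name plus constraints, never a private key.
func tmpl(name string, serial int64, isCA bool, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: usage, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}
// issue is the CA's act: sign t over the subject's public key with the CA's own private key.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, caKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, caKey))))
}
// spkiPin hashes the SubjectPublicKeyInfo, so it identifies the key pair rather than the name.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// chainOK is the ordinary TLS question: did a CA we trust vouch for this name?
func chainOK(c *x509.Certificate, opts x509.VerifyOptions) bool { _, err := c.Verify(opts); return err == nil }

// Demo returns: genuine cert chains, impostor cert chains, impostor matches the pin (true, true, false).
func Demo() (genuineOK, impostorOK, impostorPinned bool) {
	caKey := newKey()
	caTmpl := tmpl("Example CA", 1, true, x509.KeyUsageCertSign)
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root the relying party trusts
	const name = "matthew.example" // constructed subject name
	genuine := issue(tmpl(name, 2, false, x509.KeyUsageDigitalSignature), ca, &newKey().PublicKey, caKey)  // owner's key pair
	impostor := issue(tmpl(name, 3, false, x509.KeyUsageDigitalSignature), ca, &newKey().PublicKey, caKey) // same name, other key pair
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{DNSName: name, Roots: roots}
	pin := spkiPin(genuine) // what a relying party that already knows the owner's key records
	return chainOK(genuine, opts), chainOK(impostor, opts), spkiPin(impostor) == pin
}
func main() { fmt.Println(Demo()) }
```

Chain validation answers "did a trusted CA sign a certificate for this name", which both certificates satisfy; the pin answers "is this the key I already know", which only the genuine one does.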