[153513] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Jun 7 18:01:26 2012
From: Owen DeLong <owen@delong.com>
In-Reply-To: <AC7478EE-7B21-46F9-AC8A-473FF46B9AEC@matthew.at>
Date: Thu, 7 Jun 2012 15:00:03 -0700
To: Matthew Kaufman <matthew@matthew.at>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
No argument about that at all.
Owen
On Jun 7, 2012, at 2:26 PM, Matthew Kaufman wrote:
> It also allows them to sign anyone they want as someone pretending to
> be you, but with a different key pair.
>
> Just like the DMV could, if it wanted to (or was ordered to) issue a
> drivers license with my name and DL number but an FBI agent's photo and
> thumbprint associated.
>
> You'd want your logins to be at sites that only trusted CAs that you
> trusted to not do this... for HTTPS we're already way over that line I'm
> afraid.
>
> Matthew Kaufman
>
> (Sent from my iPhone)
>
> On Jun 7, 2012, at 1:18 PM, Owen DeLong <owen@delong.com> wrote:
>
>> A proper CA does not have your business or personal keys, they merely
>> sign them and attest to the fact that they actually represent you. You are
>> free to seek and obtain such validation from any and as many parties as
>> you see fit.
>>
>> At no point should any CA be given your private key data. They merely
>> use their private key to encrypt a hash of your public key and other data
>> to indicate that your private key is bound to your other data.
>>
>> You trust DMV/Passport Agency/etc. to validate your identity in the form
>> of your government issued ID credentials, right?
>>
>> That doesn't give DMV/Passport Agency/etc. control over your face, but,
>> it does allow them to indicate to others that your face is tied to your
>> name, date of birth, etc.
>>
>> Owen
>>
>> On Jun 7, 2012, at 1:04 PM, -Hammer- wrote:
>>
>>> I gotta agree with Aaron here. What would be my motivation to
>>> "trust" an open and public infrastructure? With my business or personal
>>> keys?
>>>
>>> -Hammer-
>>>
>>> "I was a normal American nerd"
>>> -Jack Herer
>>>
>>> On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote:
>>>> On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong<owen@delong.com> wrote:
>>>>>> Heck no to X.509. We'd run into the same issue we have right now--a
>>>>>> select group of companies charging users to prove their identity.
>>>>> Not if enough of us get behind CACERT.
>>>> Yet again, another org (free or not) that is holding my identity hostage.
>>>> Would you give cacert your SSH key and use them to log in to your
>>>> Linux servers? I'd bet most *nix admins would shout "hell no!"
>>>>
>>>> So why would you make them the gateway for your online identity?
>>>>
>>>> -A
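
The two points argued in this thread, as an added example that is not part of any message above: a CA signs a request containing only the name and public key, and a CA can equally sign a second certificate for the same name over a different key pair, which a relying party catches only by comparing the public key against one it already trusts. It assumes the `openssl` CLI is installed; "Example CA" and "alice.example" are constructed names.

```shell
#!/bin/sh
# Added example. "Example CA" and "alice.example" are constructed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA makes its own key pair and a self-signed root certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# $1 = file label, $2 = subject name.
# The requester generates the key pair; the CA step (openssl x509 -req)
# reads only the CSR (name + public key) and never opens $1.key.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Does the certificate chain to the CA? (exit status only)
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

subject_of() { openssl x509 -in "$WORK/$1.crt" -noout -subject; }

# SHA-256 over the DER-encoded public key: the value a relying party pins.
spki_pin() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

make_ca
issue_cert genuine alice.example   # the holder's own request
issue_cert second alice.example    # same name, key pair the holder never had
PIN=$(spki_pin genuine)            # relying party recorded the holder's key
for c in genuine second; do
  chain_ok "$c" && chain="chain valid" || chain="chain INVALID"
  [ "$(spki_pin "$c")" = "$PIN" ] && pin="pin match" || pin="PIN MISMATCH"
  echo "$c: $(subject_of "$c"); $chain; $pin"
done
```

Both certificates verify against the CA and carry the same subject; only the pin comparison tells them apart.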