[153996] in North American Network Operators' Group
Re: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Wed Jun 20 18:29:00 2012
Date: Wed, 20 Jun 2012 15:28:02 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: "nanog@nanog.org" <nanog@nanog.org>
Mail-Followup-To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <4FE24682.9040408@matthew.at>
<CAEE+rGpcuV4sm-CVZ5rLiNTRZaY2HkVOrq=+8vxFo0tO-ROBvg@mail.gmail.com>
In a message written on Wed, Jun 20, 2012 at 03:05:17PM -0700, Aaron C. de Bruyn wrote:
> You're right. Multiple accounts is unpossible in every way except
> prompting for usernames and passwords in the way we do it now.
> The whole ssh-having-multiple-identities thing is a concept that could
> never be applied in the browser in any sort of user-friendly way.
> </sarcasm>
Aw come on guys, that's really not hard, and code is already in the
browsers to do it.
If you have SSL client certs and go to a web site which accepts
multiple domains you get a prompt, "Would you like to use identity
A or identity B." Power users could create more than one identity
(just like more than one SSH key). Browsers could even generate
them behind the scenes for the user "create new account at foo.com"
tells the browser to generate "bicknell@foo.com" and submit it. If
I want another, a quick trip to the menu creates "superman@foo.com"
and saves it. When I go to log back in the web site would say "send
me your @foo.com" signed info.
Seriously, not that hard to do and make seamless for the user; it's all
UI work, and a very small amount of protocol (HTTP header probably)
update.
In a message written on Wed, Jun 20, 2012 at 02:54:10PM -0700, Matthew Kaufman wrote:
> Yes. Those users who have a single computer with a single browser. For
> anyone with a computer *and* a smartphone, however, there's a huge
> missing piece. And it gets exponentially worse as the number of devices
> multiplies.
Yeah, and no one has that problem with a password.
Ok, that was overly snarky. However people have the same issue
with passwords today. iCloud to sync them. Dropbox and 1Password.
GoodNet. Syncing certs is no worse than syncing passwords.
None of you have hit on the actual down side. You can't (easily) log in
from your friend's computer, or a computer at the library due to lack of
key material. I can think of at least four or five solutions, but
that's the only "hard" problem here.
This has always failed in the past because SSL certs have been tied to
_Identity_ (show me your driver's license to get one). SSH keys are NOT,
you create them at will, which is why they work. You could basically
co-opt SSL client certs to do this with nearly zero code provided people
were willing to give up on the identity part of X.509, which is
basically worthless anyway.
-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
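The flow the post sketches, as an added Go example that is not code from the post or from any browser: the browser mints a per-site self-signed client cert, the site pins only the public key at account creation, and login requires a signature over a fresh nonce from that pinned key. The account names, the in-memory fingerprint table and the explicit nonce signing (which real TLS client auth does inside the handshake) are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewIdentity is the browser's "create new account at foo.com" step: mint a self-signed client
// cert for that account. No CA, no identity vetting; the key pair is the credential, like an SSH key.
func NewIdentity(account string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: account}, // cosmetic only; never trusted below
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().AddDate(10, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Fingerprint is the site's authorized_keys entry: a hash of the public key alone.
func Fingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}
// Site is the web site: account name -> pinned key fingerprint (in memory here, constructed).
type Site struct{ authorized map[string][32]byte }
// Register pins the key presented at account creation; the first key wins.
func (s *Site) Register(account string, cert *x509.Certificate) bool {
	if _, taken := s.authorized[account]; taken { return false }
	s.authorized[account] = Fingerprint(cert)
	return true
}

// Login accepts the cert only if its key is the pinned one and the client proved possession
// of the private key by signing the site's fresh nonce (subject, issuer, validity are ignored).
func (s *Site) Login(account string, cert *x509.Certificate, nonce, sig []byte) bool {
	fp, ok := s.authorized[account]
	pub, isEd := cert.PublicKey.(ed25519.PublicKey)
	return ok && isEd && fp == Fingerprint(cert) && ed25519.Verify(pub, nonce, sig)
}
```

Login trusts nothing in the certificate except the key, which is the "give up on the identity part of X.509" the post describes. What it does not solve is the post's own stated hard problem: getting the private key onto a device that does not already hold it.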