[154070] in North American Network Operators' Group
RE: LinkedIn password database compromised
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Jun 23 20:53:12 2012
Date: Sat, 23 Jun 2012 18:52:10 -0600
In-Reply-To: <20120620213914.GA20633@ussenterprise.ufp.org>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "Leo Bicknell" <bicknell@ufp.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Leo,
This will never work. The "vested profiteers" will all get together and
make it a condition that in order to use this method the user has to have
"purchased" a "verified" key from them. Every site will use different
profiteers (probably whoever gives them the biggest kickback). You will
end up paying thousands of dollars a year (as a user) to buy multiple keys
from the profiteers, and provide them all sorts of private information in
the process. They will then also insist that web sites using this method
provide "tracking" information on key usage back to the profiteers. The
profiteers will then sell all this information to whomever they want, for
whatever purpose, so long as it results in a profit. Some of this will get
kicked back to participating web sites. Then there will be "affiliate
programs" where any web site can "sign up" with the profiteers to
"silently" do key exchanges without the user's consent so that more
tracking information can be collected, for which the participating
affiliate web site will get a kickback. Browser vendors will "assist" by
making the whole process transparent. Contracts in restraint of trade will
be enforced by the profiteers to prevent any browser from using the
"method" unless it is completely invisible to the user.
Then (in the US) the fascist government will step in and require
"registration" of issued keys along with the verified real-world identity
linkage.
If it does not use self-generated unsigned keys, it will never fly.
---
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org
> -----Original Message-----
> From: Leo Bicknell [mailto:bicknell@ufp.org]
> Sent: Wednesday, 20 June, 2012 15:39
> To: nanog@nanog.org
> Subject: Re: LinkedIn password database compromised
>
> In a message written on Wed, Jun 20, 2012 at 02:19:15PM -0700, Leo Vegoda
> wrote:
> > Key management: doing it right is hard and probably beyond most end users.
>
> I could not be in more violent disagreement.
>
> First time a user goes to sign up on a web page, the browser should
> detect it wants a key uploaded and do a simple wizard.
>
> - Would you like to create an online identity for logging into web
> sites? Yes, No, Import
>
> User says yes, it creates a key, asking for an e-mail address to
> identify it. Import to drag it in from some other program/format,
> No and you can't sign up.
>
> Browser now says "would you like to sign up for website 'foobar.com'",
> and if the user says "yes" it submits their public key including the
> e-mail they are going to use to log on. User doesn't even fill out
> a form at all.
>
> Web site still does the usual e-mail the user, click this link to verify
> you want to sign up thing.
>
> User goes back to web site later, browser detects "auth needed" and
> "public key foo" accepted, presents the cert, and the user is logged in.
>
> Notice that these steps _remove_ the user filling out forms to sign up
> for simple web sites, and filling out forms to log in. Anyone who's
> used cert-based auth at work is already familiar, the web site
> "magically" knows you. This is MUCH more user friendly.
>
> So the big magic here is the user has to click on "yes" to create a key
> and type in an e-mail once. That's it. There's no web of trust. No
> identity verification (a-la ssl). I'm talking a very SSH like system,
> but with more polish.
>
> Users would find it much more convenient and wonder why we ever used
> passwords, I think...
>
> --
> Leo Bicknell - bicknell@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
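
Added example, not part of either message: a Node.js sketch of the SSH-like sign-up and login flow from the quoted message, using a self-generated, unsigned key. The challenge-response step, the binding of the signature to the site name, and the names `createIdentity`, `answerChallenge` and `Site` are assumptions; the thread only says the browser "presents the cert".

```javascript
// Added example (assumed design): key-based sign-up and login with no CA.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Browser side: one self-generated, unsigned key pair labelled with an e-mail.
function createIdentity(email) {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return { email, privateKey, publicPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// The browser signs the site name together with the challenge, so a signature
// produced for one site is useless at any other site.
function answerChallenge(identity, site, challenge) {
  return sign(null, Buffer.from(`${site}\n${challenge}`), identity.privateKey);
}

// Web site side: only public keys are stored, so a dump of `users` holds no secret.
class Site {
  constructor(name) {
    this.name = name;
    this.users = new Map();    // e-mail -> pinned public key (PEM)
    this.pending = new Map();  // e-mail -> outstanding challenge
  }

  // Sign-up: pin the submitted key to the e-mail (trust on first use).
  // The e-mail confirmation link from the thread is assumed to have been clicked.
  signUp(email, publicPem) {
    if (this.users.has(email)) return false;  // never silently replace a pinned key
    this.users.set(email, publicPem);
    return true;
  }

  // Login step 1: issue a fresh random challenge.
  challenge(email) {
    const c = randomBytes(32).toString('hex');
    this.pending.set(email, c);
    return c;
  }

  // Login step 2: verify the signature against the pinned key.
  login(email, signature) {
    const c = this.pending.get(email);
    this.pending.delete(email);               // single use: a replayed answer fails
    const pem = this.users.get(email);
    if (!c || !pem) return false;
    return verify(null, Buffer.from(`${this.name}\n${c}`), pem, signature);
  }
}
```
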