Re: LinkedIn password database compromised

[David Walker <davidianwalker () gmail com>]

On 08/06/2012, Matthew Kaufman <matthew () matthew at> wrote:
> It also allows them to sign anyone they want as someone pretending to be
> you, but with a different key pair.

You're exacly correct but in this case I don't think CAs are necessary
and probably detrimental so it's moot.

Currently I don't care at all if somebody joins YouTube with my name
or whatever and has a password I know nothing about. Well I do care a
little.
The point is that there's nothing sensitive about a username/password
combination for these type of accounts.
We don't care.
I'm sure I've communicated on the internet with President Obama and Johnny Cash.
If there's ever any doubt and something nefarious is going on there
are other methods.

I don't think anyone's suggesting that this is appropriate for
anything sensitive.
In short nothing changes at all other than swapping certificates for passwords.

If my bank wants to start doing it then they'll have to keep doing
what they're doing now and use other channels to verify me at
establishment, i.e. I'll have to walk into a branch and verify myself
and give them a USB stick with my certificate or whatever ...

> Just like the DMV could, if it wanted to (or was ordered to) issue a drivers
> license with my name and DL number but an FBI agent's photo and thumbprint
> associated.
>
> You'd want your logins to be at sites that only trusted CAs that you trusted
> to not do this... for HTTPS we're already way over that line I'm afraid.
>
> Matthew Kaufman
>
> (Sent from my iPhone)
>
> On Jun 7, 2012, at 1:18 PM, Owen DeLong <owen () delong com> wrote:
>
> > A proper CA does not have your business or personal keys, they merely
> > sign them and attest to the fact that they actually represent you. You
> > are
> > free to seek and obtain such validation from any and as many parties as
> > you see fit.
> >
> > At no point should any CA be given your private key data. They merely
> > use their private key to encrypt a hash of your public key and other data
> > to indicate that your private key is bound to your other data.
> >
> > You trust DMV/Passport Agency/etc. to validate your identity in the form
> > of your government issued ID credentials, right?
> >
> > That doesn't give DMV/Passport Agency/etc. control over your face, but,
> > it does allow them to indicate to others that your face is tied to your
> > name, date of birth, etc.
> >
> > Owen
> >
> > On Jun 7, 2012, at 1:04 PM, -Hammer- wrote:
> >
> > > I gotta agree with Aaron here. What would be my motivation to "trust" an
> > > open and public infrastructure? With my business or personal keys?
> > >
> > > -Hammer-
> > >
> > > "I was a normal American nerd"
> > > -Jack Herer
> > >
> > >
> > >
> > > On 6/7/2012 2:37 PM, Aaron C. de Bruyn wrote:
> > > > On Thu, Jun 7, 2012 at 12:24 PM, Owen DeLong<owen () delong com>  wrote:
> > > > > > Heck no to X.509.  We'd run into the same issue we have right now--a
> > > > > > select group of companies charging users to prove their identity.
> > > > > Not if enough of us get behind CACERT.
> > > > Yet again, another org (free or not) that is holding my identity
> > > > hostage.
> > > > Would you give cacert your SSH key and use them to log in to your
> > > > Linux servers?  I'd bet most *nix admins would shout "hell no!"
> > > >
> > > > So why would you make them the gateway for your online identity?
> > > >
> > > > -A