Re: LinkedIn password database compromised

[Leo Bicknell <bicknell () ufp org>]

In a message written on Wed, Jun 06, 2012 at 11:14:58PM -0700, Aaron C. de Bruyn wrote:
> Heck no to X.509.  We'd run into the same issue we have right now--a
> select group of companies charging users to prove their identity.

Why?

A user providing the public half of a self-signed certificate is
exactly the same as the user providing the public half of a
self-generated SSH key.

The fact that you can have a trust chain may be useful in some
cases.  For instance, I'm not at all opposed to the idea of the
government having a way to issue me a signed certificate that I
then use to access government services, like submitting my tax
return online, renewing my drivers license, or maybe even e-voting.

The X.509 certificates have an added bonus that they can be used
to secure the transport layer, something that your ssh-key-for-login
proposal can't do.

This is all a UI problem.  If Windows/OSX or Safari/Firefox/Chrome
prompted users to create or import a "user certificate" when first
run, and provided a one-click way to provide it to a form when signing
up there would be a lot more incentive to use that method.  Today pretty
much the only place you see certificates for users is Enterprises with
Microsoft's certificate tools because of the UI problem.

-- 
       Leo Bicknell - bicknell () ufp org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/

Attachment: _bin
Description: