=> Re: "Is that's safe to use same identity certificate for..." | In: s/Gemini
@stack Never Windows! XD Although it does illustrate the case in which a device is lost or stolen and you want to ensure the certificate is no longer used. I cannot think of any other reason it would be useful.
Jan 12 · 7 days ago
=> stack · Jan 12 at 23:55:
@argenkiwi, still. If you had the same certificate on another (linux) machine, how would it be different? You would log in with the same compromised certificate and install a new one, if the opponent hadn't beaten you and locked you out.
With a different certificate you would also log in and revoke the bad certif if the opponent hadn't beaten you to it and locked you out.
I can't see the advantage.
=> stack · Jan 12 at 23:59:
and if there is no opponent, does it matter, except with one certif you have nothing to do, but with two, you still have to revoke the lost one since you no longer have the private key...
=> argenkiwi · Jan 12 at 23:59:
@stack, I understand. It is not bulletproof. Only if you act fast and remove the certificate from the account before the attacker uses it would you be safe. If the alternative is to have only one, wouldn't you still have to be quick enough to create a new certificate, add it and revoke the compromised one in order to save the account?
=> stack · Jan 13 at 00:03:
Oh, I see. Yes it will cost you the time to create a new certif, login, revoke the old certif and install the new certif, vs. logging in and just revoking the old one. If you can still get in.
It is a small win.
=> argenkiwi · Jan 13 at 00:17:
Yeah, not a great improvement, but if it is something you would still need to do, you may as well do it in advance. The measures you take to protect the certificates are what will make a more significant difference overall.
Thanks for the discussion @stack, I've only started to get my head around identities in the context of Gemini and it has given me a better mental picture of what is achievable and what isn't.
=> stack · Jan 13 at 00:33:
@argenkiwi: for me the big realization was that, as a game/service provider, I can very easily keep track of users via certificates, with full encryption and totally authenticated (but not necessarily identified).
With the web, I would have to generate a session key and make sure it is sent back and forth without being forged.
It's great for games, as authentic identities of users are not important, but I have a guarantee that if I see a certificate I've seen before, it's the same user.
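The server-side bookkeeping stack describes, as an added example that is not code from this thread or from any Gemini server: a capsule keys accounts on the SHA-256 fingerprint of the client certificate's DER bytes, which is why one certificate presented to two capsules is trivially linkable (the privacy concern in the original question) and why binding a spare certificate in advance makes revoking a lost one cheap. The `Service` type, `AddCert`/`Revoke`, and the self-signed `NewClientCert` helper are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"time"
)

// Fingerprint is all a Gemini server keeps about a client certificate: SHA-256 of the DER bytes from the TLS handshake.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// Service is one capsule's account store (fingerprint -> account id); every capsule shown the same cert derives the same key.
type Service map[string]string

// Login returns the account bound to the presented certificate, creating one on first sight (TOFU): authenticated, not identified.
func (s Service) Login(der []byte) string {
	fp := Fingerprint(der)
	if acct, ok := s[fp]; ok {
		return acct
	}
	s[fp] = fp // new account, named after the first certificate that opened it
	return fp
}

// AddCert binds a spare certificate to an account that `existing` has already logged into, so a lost cert can be revoked with the spare.
func (s Service) AddCert(existing, spare []byte) { s[Fingerprint(spare)] = s[Fingerprint(existing)] }
// Revoke drops a lost or stolen certificate; the account stays reachable only while another cert is bound.
func (s Service) Revoke(der []byte) { delete(s, Fingerprint(der)) }

// NewClientCert makes a throwaway self-signed certificate in DER form, as a Gemini client generates locally (constructed for this example).
func NewClientCert() []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}
```

Presenting `shared` to two `Service` values returns the same id from both, which is exactly the cross-capsule linkability that recommending one cert per host avoids; a spare bound with `AddCert` keeps the account reachable after `Revoke` of the original.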
=> HanzBrix · Jan 13 at 07:24:
We also need to keep in mind, at least when we are talking security-wise, I have never actually heard of anyone who has gotten their cert/keys stolen.
It happens on servers, sure, but they are always online and running software that can have a myriad of vulnerabilities.
People forget that the access required to steal a cert/key, means you already have an attacker on your local system. At which point your cert/key is the least of your problems.
Is it safe to use the same identity certificate for different services? Usually, asymmetric encryption means I share data signed with my own private key + remote public key. Don't remember where exactly but saw the recommendation to use different certs for different hosts in Geminispace. Maybe that's because of privacy reasons only.
=> ps · 17 comments · Jan 12 · 7 days ago