Comment by 🚀 stack

=> Re: "Is that's safe to use same identity certificate for..." | In: s/Gemini

and if there is no opponent, does it matter, except with one certif you have nothing to do, but with two, you still have to revoke the lost one since you no longer have the private key...

=> 🚀 stack

Jan 12 · 7 days ago

5 Later Comments ↓

=> 🗿 argenkiwi · Jan 12 at 23:59:

@stack, I understand. It is not bulletproof. Only if you act fast and remove the certificate from the account before the attacker uses it you would be safe. If the alternative is to have only one, wouldn't you still have to be quick enough to create a new certificate, add it and revoke the compromised one in order to save the account?

=> 🚀 stack · Jan 13 at 00:03:

Oh, I see. Yes it will cost you the time to create a new certif, login, revoke the old certif and install the new certif, vs. logging in and just revoking the old one. If you can still get in.

It is a small win.

=> 🗿 argenkiwi · Jan 13 at 00:17:

Yeah, not a great improvement, but if it is something you would still need to do, you may as well do it in advance. The measures you take to protect the certificates are what will make a more significant difference overall.

Thanks for the discussion @stack, I've only started to get my head around identities in the context of Gemini and it has given me a better mental picture of what is achievable and what isn't.

=> 🚀 stack · Jan 13 at 00:33:

@argenkiwi: for me the big realization was that, as a game/service provider, I can very easily keep track of users via certificates, with full encryption and totally authenticated (but not necessarily identified).

With the web, I would have to generate a session key and make sure it is sent back and forth without being forged.

It's great for games, as authentic identities of users are not important, but I have a guarantee that if I see a certificate I've seen before, it's the same user.
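A sketch of the server-side bookkeeping this thread describes, added here as an example and not code from any poster or from a Gemini server: accounts keyed by client-certificate fingerprint, with a second certificate enrolled ahead of time and the lost one revoked. The class and method names are hypothetical, and the "certificates" are constructed byte strings standing in for the DER bytes of a completed TLS handshake.

```python
import hashlib

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER certificate the client presented (assumed to come
    from a completed TLS handshake, which proves key possession)."""
    return hashlib.sha256(cert_der).hexdigest()

class IdentityRegistry:
    def __init__(self):
        self.by_fp = {}       # fingerprint -> account id
        self.revoked = set()  # fingerprints that must never authenticate again
        self.next_id = 1

    def _known(self, cert_der):
        fp = fingerprint(cert_der)
        return None if fp in self.revoked else self.by_fp.get(fp)

    def authenticate(self, cert_der):
        """Same certificate seen before -> same account; unseen -> new account."""
        fp = fingerprint(cert_der)
        if fp in self.revoked:
            return None
        if fp not in self.by_fp:
            self.by_fp[fp] = self.next_id
            self.next_id += 1
        return self.by_fp[fp]

    def add_certificate(self, current_der, new_der):
        """Enrol a backup cert; the caller must hold an already enrolled one."""
        account = self._known(current_der)
        new_fp = fingerprint(new_der)
        if account is None or new_fp in self.by_fp or new_fp in self.revoked:
            return False
        self.by_fp[new_fp] = account
        return True

    def revoke(self, current_der, target_fp):
        """Any enrolled cert can revoke another cert of the same account."""
        account = self._known(current_der)
        if account is None or self.by_fp.get(target_fp) != account:
            return False
        del self.by_fp[target_fp]
        self.revoked.add(target_fp)
        return True

def demo():
    reg = IdentityRegistry()
    main, backup, other = b"constructed-cert-A", b"constructed-cert-B", b"constructed-cert-C"
    acct = reg.authenticate(main)
    reg.add_certificate(main, backup)          # done in advance
    same = reg.authenticate(backup) == acct    # backup maps to the same user
    reg.revoke(backup, fingerprint(main))      # main key lost: revoke via backup
    return acct, same, reg.authenticate(main), reg.authenticate(other)
```

Because revoke() accepts any enrolled certificate of the account, whoever holds one of them can remove the others, which is the race discussed earlier in the thread.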

=> ๐Ÿธ HanzBrix ยท Jan 13 at 07:24:

We also need to keep in mind, at least when we are talking security wise, I have never actually heard of anyone who has gotten their cert/keys stolen.

It happens on servers, sure, but they are always online and running software that can have a myriad of vulnerabilities.

People forget that the access required to steal a cert/key, means you already have an attacker on your local system. At which point your cert/key is the least of your problems.

Original Post

=> 🌒 s/Gemini

Is it safe to use the same identity certificate for different services? Usually, asymmetric encryption means I share data signed with my own private key + remote public key. I don't remember where exactly, but I saw the recommendation to use different certs for different hosts in Geminispace. Maybe that's because of privacy reasons only.

=> 💬 ps · 17 comments · Jan 12 · 7 days ago

Original URL: gemini://bbs.geminispace.org/u/stack/23760