

SplashID crypto fail - cperciva
http://www.bluebottle.net.au/blog/2010/splashid-sucks

======
ivan_ah
FAIL indeed... watch it unfold: <http://search.twitter.com/search?q=splashid>

On that note, I am sure a lot of you use ssh keys. Do you password protect
them? What about keys used for automated server administration tasks? Surely
you can't password protect those. (Do you see the init process typing in a
password? ;)

I think USER-CENTRIC KEY MANAGEMENT will be a big trend in the coming years.
Not just for key management, but for login to any web service.

Imagine a future where all the "social network" does is transfer opaque
encrypted packets from one place to another. The User, with his "keychain"
(held on his machine) can browse the "social network" from anywhere and
decrypt the messages intended for him.

Using current technology it would be quite inefficient: sharing a new photo
would mean encrypting a copy for each of my friends thus transferring an order
of magnitude more traffic. Perhaps new crypto is needed? Maybe we use AES for
the data and send an auxiliary crypto header with 100 copies of the AES key
encrypted for each of the 100 friends you wanted to share the picture with.

Research plug: Stefan Brands has invented a very cool upgrade to the basic
public-key signature schemes. His protocols allow for "partial disclosure" of
only certain parts of a certificate signed by a third party. (Unlike the
current certificate schemes, in which I have to show you my entire certificate
cleartext so you can hash to check the signature.)

He has a free book on the theory:
<http://www.credentica.com/the_mit_pressbook.html>

His company Credentica was acquired by Microsoft and I think he is leading the
team there to make this idea practical.
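
The "AES for the data plus a header of wrapped keys" idea from the comment above, as an added example that is not part of the original post. It assumes Node.js's built-in crypto module, RSA-OAEP for the per-friend key wrapping and AES-256-GCM for the data (the comment only says "AES"); `seal`, `open`, `wireSize` and `demo` are hypothetical names.

```javascript
const nodeCrypto = require('node:crypto');

// Encrypt the data once under a fresh AES-256-GCM key, then wrap that key with
// RSA-OAEP for each recipient. `recipients` is a Map of name -> RSA public key.
function seal(data, recipients) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // safe: the key is used for one message only
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(data), cipher.final()]);
  const header = new Map(); // the "auxiliary crypto header": one wrapped key per friend
  for (const [name, publicKey] of recipients) {
    header.set(name, nodeCrypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, key));
  }
  return { iv, body, tag: cipher.getAuthTag(), header };
}

// A recipient unwraps their own copy of the key, then decrypts the shared body.
// Throws if the name is not in the header or if the body or tag was modified.
function open(envelope, name, privateKey) {
  const wrapped = envelope.header.get(name);
  if (!wrapped) throw new Error(`no wrapped key for ${name}`);
  const key = nodeCrypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, wrapped);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.body), decipher.final()]);
}

// Bytes on the wire: one body plus a fixed-size header entry per recipient.
function wireSize(envelope) {
  let total = envelope.iv.length + envelope.body.length + envelope.tag.length;
  for (const wrapped of envelope.header.values()) total += wrapped.length;
  return total;
}

// Constructed demo: three friends with throwaway 2048-bit keys and a 1 MiB "photo".
function demo() {
  const friends = new Map(['alice', 'bob', 'carol'].map((n) =>
    [n, nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 })]));
  const photo = nodeCrypto.randomBytes(1 << 20);
  const publicKeys = new Map([...friends].map(([n, kp]) => [n, kp.publicKey]));
  const envelope = seal(photo, publicKeys);
  const ok = [...friends].every(([n, kp]) => open(envelope, n, kp.privateKey).equals(photo));
  return { ok, hybridBytes: wireSize(envelope), naiveBytes: friends.size * photo.length };
}

console.log(demo());
```

Each extra friend adds one RSA-sized header entry (256 bytes with these keys) instead of another full copy of the photo.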

~~~
tptacek
You can/should use SSH agent forwarding to handle automated administration
stuff.

------
oomkiller
A HUGE sign of incompetence is if a company tries to "hide" the way their
algorithms work. If they don't know enough about crypto and security to know
that this is pointless, they CERTAINLY don't know enough to write secure
software.

------
cliff
Use KeePass + Dropbox or a network share. That's what my company does. KeePass
is really solid software.

<http://keepass.info/>

~~~
wwortiz
In this sense does anyone know if KeePassX is any good?

I'm interested in password storage but I have both Windows and Linux machines.

~~~
alexkay
I've been using it for the past 2 years on a Linux box, it's rock-solid and
format-compatible with KeePass 1.x

~~~
SamReidHughes
For extra safety, go to the database settings and tell it to use 2148000000
rounds for the master password.

------
ebtalley
egad

