Is identity certificate same as public key?

I’m new to public key infrastructure. I think I understand how public key encryption works, conceptually. So public key is, by definition, public and not a secret. Recently when I came across the term identity certificate and read about it, it sounded very similar to public key of an entity. But, it was not explicitly stated whether they are same or different.

My questions are…

Is identity certificate same as public key? If no, then is identity cert considered a secret?

How are they related?

How to rate a CVSS score for a vulnerability on an identity provider

I’m having difficulty to rate a CVSS for an Identity Provider. Imagine you have a vulnerability where you can bypass an authentication mecanisme.

How would you rate :

  • Confidentiality (C)
  • Integrity (I)
  • Availability (A)

as you don’t how with which system it will be connected ?

The scope is changing, but I can’t just asume the worst scenario, it will just raise the score unnecessarily.

Why ASP.Net Identity sends sensitive information to clients?

As far as I understand, Identity sends to the user an encrypted token with some user information like the user name and expiration date. Then, when a new request arrives to the server, it decrypts it and will have available all the user claims and some other information.

My question is, in case there is no need to send the authetication information to other servers (for example if you are authenticating against another web site) would it be more safe not to send as much information to the user? Perhaps we can just send a large code to the user and then match it with an in memory collection or database.

I know that if someone is able to intercept that code she will be able to also make valid requests, but when the “ticket” expires it will not longer be valid for anyone until making the login process again. However, if that code is compromised there won´t be any other information than that.

I hope I am being clear with my question, if not, please let me know it so I can improve it.

How can I foreshadow the identity of a villain without making it too obvious?

I am currently running a campaign where, in one of the main story arcs, the villain is a rogue(assassin) with the charlatan background. He a very charismatic man who already commands a fair amount of respect and power having lied, cheated, and murdered his way into a position of nobility – his alter ego. In reality he leads an organized crime ring, and has an insatiable thirst for power. Meanwhile the surrounding kingdom has gone to war on a front far from the city in which the villain, and my players, live. The military presence is thin, the guardposts are empty, and the villain is not the sort to look a gift horse in the mouth.

Over the course of the campaign the villain plans to use his crime ring to destabilize the government of the town from which my players conduct their operations. Meanwhile his alter ego will be attempting to win the heart of the people, promising to stabilize the region and keep them safe. In the final stages of his plan he will sell out the criminals he commands, who are oblivious to the connection between his identities, and assume leadership of the region in a populist uprising which the depleted military is unable to prevent. It will be up to my players to keep him from assuming power, or otherwise take him down.

Leading up to the end-game big reveal I want to drop in a few clues that the “noble” is not what he seems. The clues should not be so heavy-handed as to give away the villain’s plot on their own, but should hint to my players that something is amiss, and is probably worth investigating. I don’t want to let things spiral out of control without giving my players the opportunity to stop it. How can I foreshadow the villain’s true identity given this context?

Google’s “Cross-client identity” seems unsafe

From Google’s Cross-client identity document:

Cross-client access tokens


The effect is that if an Android app requests an access token for a particular scope, and the requesting user has already granted approval to a web application in the same project for that same scope, the user will not be asked once again to approve. […]

This seems unsafe. The server-side app is able to do a more secure form of OAuth authorization, because it can protect its client secret. An Android app’s OAuth flow is less safe, since an attacker can always decompile the binary and steal any embedded tokens.

This is the scenario I’m worried about:

  1. I register two client IDs, one for my server-side web app and one for my Android app.
  2. User X authorizes my server-side app.
  3. An attacker steals the Android app’s OAuth-related tokens.
  4. The attacker sends user X through the OAuth flow using the stolen tokens, and Google doesn’t ask for approval.
  5. The attacker now has an access token to user X’s account.

Am I misunderstanding something here?

What’s a quick test to see if an $n \times n$ matrix is diagonal and/or proporitional to the identity matrix?

As the title indicates, I want to test whether an $ n \times n$ matrix (numeric, symbolic,..) is diagonal and/or proportional to the $ n \times n$ identity matrix. I, of course, can test whether the $ n^2-n$ individual off-diagonal entries are zero–but that’s, it would seem, is inefficient.

How did a website make an accurate assumption of my identity in incognito mode? [duplicate]

What piece of information can websites retrieve that would allow for later identification without cookies?

Intro Out of interest I jumped into the rabbit hole of online marketing scams. The site I visited* used a system called Proof** to show ‘conversions’ (cq. signups) to visitors and I was curious if this system could be fooled, since the traffic I witnessed seemed way too high.

Case The Proof homepage made an assumption about my identity even though I visited all these sites whilst in incognito mode. The assumption was pretty accurate: it assumed my identity was the company someone I share my WiFi with works for. Both on desktop as on mobile it printed:

Easily personalize Companyname website for every visitor. 

It even came up with the correct domain name,
It did however fail on Tor, and printed the generic message:

Easily personalize your website for every visitor. 

Question How could this site that I’ve never visited assume my identity almost correctly whilst without cookies?
1. I am aware of the possibility that this site gathers data through many other (junk) sites about things like browser use, screen size, device use, and location. However, this information alone is very generic (chrome, desktop) to make a prediction. In addition, I live in a densely populated area and this company does not the biggest employer of the area.
2. This prediction was just a lucky shot.

What piece of information can websites track that would allow for identification without cookies?

Thanks for reading!


EDIT: It was not my purpose to hide my identity, I am just curious on what data they could make this estimation. The incognito part is just interesting because it doesn’t allow for cookie-based predictions.

Everyone’s pointing at IP, so I believe my misconception (through sites like IP-lookup & rDNS that are 100 miles off) was that IP was not that specific.