Comment by kleiba
1 month ago
For someone who hasn't spent any time thinking about that matter, could you please elaborate your point?
1 month ago
For someone who hasn't spent any time thinking about that matter, could you please elaborate your point?
"Passkeys are incompatible with open-source software" https://www.smokingonabike.com/2025/01/04/passkey-marketing-...
Then how come KeePassXC has them?
The linked blog post explains it. The spec can be implemented by open source software, but the upcoming (or now current?) update to the spec enables attestation, that is, it allows the auth provider to cryptographically verify which implementation the client is using. Under this scheme, auth providers can simply choose to no longer support open source implementations like KeePassXC, and since the spec authors have already claimed that KeePassXC is "non-compliant" because it doesn't ask for a PIN on every auth request, it seems likely that that would happen.
8 replies →
Imagine using ssh-keygen, but it locks the private key in a vendor-managed secure enclave. You can't copy it, export it, rename it or do anything wth it.
I don't just imagine it, I do it, by using gpg-agent as my ssh-agent and using the private key generated by a Yubikey. Another way is to use tpm2-tools so only your laptop running your own signed boot chain can use the key. It is desirable to lock private key material in a physical thing that is hard to steal.
You can choose not to do this, and that's fine. Hardware attestation is dead because Apple refuses to implement it, so no one can force you to.
Can you explain your motivation around gpg-agent and yubikey little more, please? So the private key can't be copied elsewhere?
1 reply →