Comment by throwawayk7h
4 days ago
That's not true. Passkeys have an optional remote attestation capability, which second parties can use to completely enforce aspects of your keys, such as them being non-transferrable or not usable without a screen touch etc.
Passkeys (as defined in the spec) by definition don't.
Non-passkey WebAuthn keys can have additional attestations.
You don't consider WebAuthn to be passkeys? Why not?
Passkeys are a subtype of WebAuthn keys, not vice versa.
1 reply →
This doesn't change the fact it can still be your physical device that remains in your personal control.
I can stash them on a YubiKey or similar device and still meet those requirements. It's still only my device, it doesn't rely on other services, etc.
There are also non-transferrable passkeys which can't be copied between two secure devices, so it'd be hard to get some passkeys onto your YubiKey in the first place.
Furthermore, I personally feel that if you can't actually access the bits, you don't truly "own" it.
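The "remote attestation" and "non-transferrable" points raised in the two comments above correspond to concrete bytes a relying party sees at registration: the WebAuthn authenticatorData carries a flags byte (UP for a touch/gesture, UV for PIN/biometric, BE/BS for whether the credential is eligible for or currently in cloud backup) and, when attestation is requested, the authenticator's AAGUID. The following is an added example, not code from anyone in this thread, showing how a relying party could parse that structure and apply a "device-bound, touch required, known hardware only" policy. The AAGUID and credential IDs are constructed values; the `build_sample_auth_data` helper is a test-vector generator, and the COSE public key and attestation signature are deliberately not parsed here.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional, Set

# Bits of the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 1 << 0  # User Present: a touch or gesture happened on the authenticator
FLAG_UV = 1 << 2  # User Verified: PIN or biometric checked by the authenticator
FLAG_BE = 1 << 3  # Backup Eligible: credential may be synced to other devices
FLAG_BS = 1 << 4  # Backup State: credential is currently backed up / synced
FLAG_AT = 1 << 6  # Attested credential data (AAGUID + credential ID + key) follows
FLAG_ED = 1 << 7  # Extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int
    aaguid: Optional[bytes]
    credential_id: Optional[bytes]


def parse_authenticator_data(data: bytes) -> AuthData:
    """Parse the fixed header and, if present, the attested credential data.

    Layout: rpIdHash[32] | flags[1] | signCount[4, big-endian] |
            [aaguid[16] | credIdLen[2, big-endian] | credId | COSE key ...]
    The COSE public key (CBOR) is left unparsed; it is not needed for policy here.
    """
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37-byte header")
    rp_id_hash = data[:32]
    flags = data[32]
    sign_count = struct.unpack(">I", data[33:37])[0]
    aaguid = credential_id = None
    if flags & FLAG_AT:
        if len(data) < 37 + 16 + 2:
            raise ValueError("AT flag set but attested credential data truncated")
        aaguid = data[37:53]
        cid_len = struct.unpack(">H", data[53:55])[0]
        credential_id = data[55:55 + cid_len]
        if len(credential_id) != cid_len:
            raise ValueError("credential ID truncated")
    return AuthData(rp_id_hash, flags, sign_count, aaguid, credential_id)


def evaluate_policy(auth: AuthData, allowed_aaguids: Set[bytes],
                    require_uv: bool = True,
                    require_device_bound: bool = True) -> List[str]:
    """Return a list of policy violations (empty list means the credential is acceptable)."""
    problems = []
    if not auth.flags & FLAG_UP:
        problems.append("no user presence (UP): authenticator did not require a touch")
    if require_uv and not auth.flags & FLAG_UV:
        problems.append("no user verification (UV): PIN/biometric not enforced")
    if require_device_bound and auth.flags & FLAG_BE:
        problems.append("credential is backup-eligible (syncable); device-bound credential required")
    if auth.aaguid is None:
        problems.append("no attested credential data: authenticator model unknown")
    elif auth.aaguid not in allowed_aaguids:
        problems.append("AAGUID not in the allow-list of approved authenticator models")
    return problems


def build_sample_auth_data(flags: int, aaguid: bytes, credential_id: bytes,
                           rp_id: str = "example.com") -> bytes:
    """Constructed test vector (not captured from a real authenticator)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return (rp_id_hash + bytes([flags | FLAG_AT]) + struct.pack(">I", 1)
            + aaguid + struct.pack(">H", len(credential_id)) + credential_id)


if __name__ == "__main__":
    # Constructed AAGUID standing in for a specific hardware-key model.
    hw_aaguid = bytes(range(16))
    device_bound = build_sample_auth_data(FLAG_UP | FLAG_UV, hw_aaguid, b"cred-1")
    synced = build_sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, hw_aaguid, b"cred-2")
    for label, raw in (("device-bound", device_bound), ("synced passkey", synced)):
        print(label, evaluate_policy(parse_authenticator_data(raw), {hw_aaguid}))
```

The flags and AAGUID are only as trustworthy as the attestation that accompanies them: without verifying the attestation statement's signature chain back to a root the relying party trusts, BE/BS and the AAGUID are self-reported by whatever software produced the registration. That signature check, plus the rpIdHash, challenge and origin checks from the client data, is what turns these fields into an enforceable "must be this hardware, must require a touch, must not be syncable" policy.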
> so it'd be hard to get some passkeys onto your yubikey in the first place.
It's as easy to get a passkey on it as it was to originally create the first passkey. That's the thing with them. You can make a bunch. It was just as easy to add the first passkey as it was the second and third and fourth and fifth and....
The point is to not reuse the same passkey everywhere. Same idea as not using the same password everywhere and not reusing the same SSH key everywhere.
> Furthermore, I personally feel that if you can't actually access the bits, you don't truly "own" it.
So if a certificate authority uses an HSM to sign certificates do they not own those keys? Who does own it then, nobody?
If one uses a hardware Bitcoin wallet do they not own those keys?
Isn't being the exclusive one to operate with the key material with hardware entirely in your possession and control the same as owning it? Why is reading the raw bits the only true level of ownership? Just trying to really understand your perspective.
2 replies →