Comment by vel0city

4 days ago

This doesn't change the fact it can still be your physical device that remains in your personal control.

I can stash them on a yubikey or similar device and still meet those requirements. It's still only my device, it doesn't rely on other services, etc.

There are also non-transferrable passkeys which can't be copied between two secure devices, so it'd be hard to get some passkeys onto your yubikey in the first place.

Furthermore, I personally feel that if you can't actually access the bits, you don't truly "own" it.

  • > so it'd be hard to get some passkeys onto your yubikey in the first place.

    It's as easy to get a passkey on it as it was to originally create the first passkey. That's the thing with them. You can make a bunch. It was just as easy to add the first passkey as it was the second and third and fourth and fifth and....

    The point is to not reuse the same passkey everywhere. Same idea as not using the same password everywhere and not reusing the same SSH key everywhere.

    > Furthermore, I personally feel that if you can't actually access the bits, you don't truly "own" it.

    So if a certificate authority uses an HSM to sign certificates do they not own those keys? Who does own it then, nobody?

    If one uses a hardware Bitcoin wallet do they not own those keys?

    Isn't being the exclusive one to operate with the key material with hardware entirely in your possession and control the same as owning it? Why is reading the raw bits the only true level of ownership? Just trying to really understand your perspective.

    • Okay let me withdraw slightly. What I mean is: if I choose of my own free will to not be able to access the bits (e.g. via a cryptoprocessor) then sure, I can still "own" it. And that's the case for certificate authorities. But when vendors force me (with remote attestation) to not be able to access the bits, then I see that as me not having control => me not owning the key.

      1 reply →