Comment by throwawayk7h

3 days ago

Okay let me withdraw slightly. What I mean is: if I choose of my own free will to not be able to access the bits (e.g. via a cryptoprocessor) then sure, I can still "own" it. And that's the case for certificate authorities. But when vendors force me (with remote attestation) to not be able to access the bits, then I see that as me not having control => me not owning the key.

I'm still just trying to fully understand the delineation here. Let's walk through two scenarios.

Service A allows a wide variety of authenticators to store your passkey; it doesn't do any checks at all for the requirement. You choose a USB hardware authenticator. We both agree you own the key in this from what I understand.

Service B allows a stricter list of types of authenticators, and does some checks to ensure you're using an authenticator with at least a certain level of security guarantees. Your USB hardware authenticator meets these requirements. Now this key that is stored in the same place on the same hardware using pretty much the same process is no longer "yours"?

An interesting perspective to me.