Conversation
Notices
-
Embed this notice
feld (feld@friedcheese.us)'s status on Thursday, 15-May-2025 23:03:20 JST 
feld
@ignaloidas @wolf480pl @quad I think all that happened was the industry pivoted to Apple's implementation? I get automatic Cloudflare bypass with Safari because of it
https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/-
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:23 JST 
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe What if it turns out webauthn attestation is useful as a captcha / anti-sybil mechanism?FWIW Cloudflare did try that, I don't think anyone was a fan of that and I think they stopped? IDK didn't follow it closely, but it had problems
But I don't think that things are going to change from how they are right now. There is little incentive for 99% of websites to care about attestation, and because implementing it is extra work than not, I don't see that changing, ever. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:24 JST 
Wolf480pl
@ignaloidas @quad okay
Can you promise me thay this won't change in 5 years, due to tangential events?
What if it turns out webauthn attestation is useful as a captcha / anti-sybil mechanism?
Considering that the technical design permits a power shift away from users, how do I know that power shift won't be realized?
-
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:26 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe If it is, it is in no way done through attestation - maybe through abusing their existing monopoly, marketing, and lack of key extraction from their devices - but that's far, far from the "everyone will require attestation and the only attestation that will work will be google's and apple's" that you seem to be proposing
They themselves do not enforce attestation at all, and eveything about suggesting checking attestation on the web is marked as "if you're a high-risk business, you might want to do this, otherwise, don't bother" -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:27 JST
Wolf480pl
@ignaloidas @quad
I claim that this is Google & Apple's attempt at a vendor lock-in -
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:28 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe I don't see it like that at all
like absolutely the fuck not
There are legitimate reasons for both sides of the coin
You're acting as if the decision of some businesses to act more carefully is a part of a plan to lock everybody in to only a cabal of cryptographic implementations and then never let anyone touch their own private keys ever again
This view is just plain paranoia and conspiracy theory. I legitimately cannot understand how are you equating these things together. Genuinely, WTF -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:30 JST
Wolf480pl
@ignaloidas @quad this is like saying "it doesn't matter the ruling party demolished the Supreme Court, because they're not passing any unconstitutional bills yet, except those two minor.ones I don't care about"
-
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:31 JST
Wolf480pl
@ignaloidas @quad you are completely missing the point
-
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:32 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe shrug, as I said, very few websites actually restrict it to "strong" devices.
and them asking for strong devices is kinda equivalent to them asking for strong passwords. they are taking on a risk as well, so they have a valid reason to mitigate it. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:34 JST
Wolf480pl
@ignaloidas @quad having a key trapped in TPM is fine if that's what I chose to do.
Having no option to make some keys to less important / rarely visited sites exportable feels wrong tho.
It's not even about the final decision, it's about who makes the decision.
If I make decision X because I think it's good for my usecase, that's fine.
But if I make the same decision X, in the same usecase, because it was the only option some company made available, that's oppression -
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:36 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe
Unless the RP is braindead stupid, you should be able to add multiple credentials to each one. That's the standard way to do things. Heck, I've seen a guy on HN say that he added "passkeys" from each of his devices to the services he logs into, even though they don't share it.
I have like 4 separate physical keys, with some in cold storage and stuff, and they all get registered on most of my logins. There's no other way to do stuff if you're using physical keys, even. So IMO having a key trapped in a TPM is almost zero disadvantages from usability side, and plenty of advantages from security side. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:37 JST
Wolf480pl
@ignaloidas @quad I need to be able to migrate between devices / OSes / implementations.
Until there's a common API for rotating credentials that all RPs implement, the only realistic way to do that is to export the credentials from the old device and import them to the new one.
-
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:38 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe idk, it's more that, you don't particularly really need to have the ability to get the plaintext of the private key for what this thing is built for. And the ability presents potentials for attacks, and some companies would rather not deal with the "higher risk" credentials if the payout from popping the credential is quite high.
Genuinely don't really see a need to have a simple to pop credential for daily use. For experimenting - sure, but you don't really need such credentials to work on every website anyways. -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:39 JST
Wolf480pl
@ignaloidas @quad
> you can do whatever you want, there's just institutional pressure to make your thing uselessthanks, that cleared all my worries
-
Embed this notice
Ignas Kiela (ignaloidas@not.acu.lt)'s status on Thursday, 15-May-2025 23:03:40 JST
Ignas Kiela
@wolf480pl@mstdn.io @quad@akko.quad.moe I mean, you can implement your own stuff and nobody really restricts what you can do with those private keys
it's just that some websites might not trust your implementation to be secure enough to rely upon (makes sense for some, doesn't for others). -
Embed this notice
Wolf480pl (wolf480pl@mstdn.io)'s status on Thursday, 15-May-2025 23:03:42 JST
Wolf480pl
@quad AFAIK they're a combination of public key auth, UX, and stupid software restrictions meant to reduce your ability to do whatever you want with your private keys
-
Embed this notice
All GNU social JP content and data are available under the