@arcanicanis For me the most interesting part of the standard (as you described it) is where the device generates an app-specific key from a master key and presents it to a service. The lack of this feature is one of the major flaws in existing browser wallets. For example, in MetaMask you are supposed to use one account for everything, so all your activities across the web are linked (it's possible to use multiple accounts, but it's very cumbersome).
I'm not really interested in hardware tokens because I generally don't trust "trusted" hardware (it's a natural place to put a backdoor). Also, hardware tokens are bad from a physical security perspective: once a hardware token is found, all your secrets can easily be extracted with rubber-hose cryptanalysis. It's much easier to hide a key file; you can even hide it in plain sight using steganography.
>you could do a software-based token
Have you seen anyone implementing that?
>pi-zero-security-key
I like this idea, but the project looks abandoned (no commits since 2020).