3 Oct 2024 |
emily | * worth noting that e.g. WebAuthn depends on shipping around blobs of secure element-encrypted private keys | 18:11:33 |
ElvishJerricco | I need to learn more about how WebAuthn actually works... | 18:12:24 |
emily | (technically that's an implementation detail, but it's how all the serious hardware implementations work for non-resident keys) | 18:13:00 |
ElvishJerricco | oh, but resident keys are the default, aren't they? | 18:13:24 |
ElvishJerricco | and by far more common? | 18:13:29 |
emily | nah | 18:13:31 |
emily | they're the hot new thing in the form of passkeys, but they were very uncommon for a very long time | 18:13:42 |
emily | WebAuthn used as a second factor is non-resident | 18:13:48 |
emily | it's still an explicit opt-in to get resident keys | 18:13:58 |
emily | but yeah "passkeys" are resident | 18:14:02 |
ElvishJerricco | ah, I'm thinking of passkeys | 18:14:04 |
ElvishJerricco | I thought passkeys was just the marketing term for WebAuthn | 18:14:12 |
emily | they're the marketing term for WebAuthn resident keys, usually WebAuthn resident keys that are backed by multi-device-synced cloud storage | 18:14:40 |
ElvishJerricco | ah ok interesting | 18:15:15 |
ElvishJerricco | i know trying to use passkeys with a yubikey can be a problem because yubikeys can only store like 32 of them or something so it basically sucks. Makes me wonder why browsers don't just store the resident stuff themselves and then use the yubikey for decryption. | 18:16:33 |
emily | (sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") | 18:16:47 |
ElvishJerricco | In reply to @emilazy:matrix.org (sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") I'm sure that won't ever get cracked :P | 18:17:09 |
emily | (to maintain the "no private key exfiltration" properties of hardware FIDO2 keys) | 18:17:12 |
emily | In reply to @elvishjerricco:matrix.org I'm sure that won't ever get cracked :P if you have a Secure Enclave vulnerability Apple will pay you a lot of money for it | 18:17:31 |
emily | it's sure better than all the TPM-spec stuff you can buy | 18:17:45 |
ElvishJerricco | that's fair | 18:17:57 |
raitobezarius | In reply to @elvishjerricco:matrix.org yes but nixos doesn't implement that right now because systemd wants you to be booting ukis for their tpm stuff to work UKIs are not needed | 22:34:06 |
raitobezarius | I have a Lanzaboote PR for systemd credentials | 22:34:15 |
raitobezarius | It's just stuck alas | 22:34:38 |
ElvishJerricco | raitobezarius: I know it's not needed but the reason it's not as trivial as it could be is because of Condition=measured-uki on all the TPM related systemd units | 22:35:13 |
ElvishJerricco | though I think lanzaboote fills that condition | 22:35:26 |
raitobezarius | There's a PR that fixes the measurements which just need a rebase, yes | 22:36:26 |
raitobezarius | I may have spoons at some point | 22:36:37 |
4 Oct 2024 |
| @ajcxz0:matrix.org left the room. | 01:00:46 |
5 Oct 2024 |
ElvishJerricco | Jan Tojnar: Hey, did you have anything worth sharing on the luks gnome keyring thing? I know you didn't get very far but I'm bored and want to take a look into it tonight :P | 01:16:22 |