| 3 Oct 2024 |
 ElvishJerricco | There are things to use initrd secrets for, like clevis JWTs, and I'm still unconvinced that it's ok to just toss them in the store. | 18:09:59 |
| ElvishJerricco | now, we could implement it way better, but that's another matter | 18:10:57 |
 emily | worth nothing that e.g. WebAuthn depends on shipping around blobs of secure element-encrypted private keys | 18:11:29 |
| emily | * worth noting that e.g. WebAuthn depends on shipping around blobs of secure element-encrypted private keys | 18:11:33 |
| ElvishJerricco | I need to learn more about how WebAuthn actually works... | 18:12:24 |
| emily | (technically that's an implementation detail, but it's how all the serious hardware implementations work for non-resident keys) | 18:13:00 |
| ElvishJerricco | oh, but resident keys are the default, aren't they? | 18:13:24 |
| ElvishJerricco | and by far more common? | 18:13:29 |
| emily | nah | 18:13:31 |
| emily | they're the hot new thing in the form of passkeys, but they were very uncommon for a very long time | 18:13:42 |
| emily | WebAuthn used as a second factor is non-resident | 18:13:48 |
| emily | it's still an explicit opt-in to get resident keys | 18:13:58 |
| emily | but yeah "passkeys" are resident | 18:14:02 |
| ElvishJerricco | ah, I'm thinking of passkeys | 18:14:04 |
| ElvishJerricco | I thought passkeys was just the marketing term for WebAuthn | 18:14:12 |
| emily | they're the marketing term for WebAuthn resident keys, usually WebAuthn resident keys that are backed by multi-device-synced cloud storage | 18:14:40 |
| ElvishJerricco | ah ok interesting | 18:15:15 |
| ElvishJerricco | i know trying to use passkeys with a yubikey can be a problem because yubikeys can only store like 32 of them or something so it basically sucks. Makes me wonder why browsers don't just store the resident stuff themselves and then use the yubikey for decryption. | 18:16:33 |
| emily | (sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") | 18:16:47 |
| ElvishJerricco | In reply to @emilazy:matrix.org
(sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") I'm sure that won't ever get cracked :P | 18:17:09 |
| emily | (to maintain the "no private key exfiltration" properties of hardware FIDO2 keys) | 18:17:12 |
| emily | In reply to @elvishjerricco:matrix.org
I'm sure that won't ever get cracked :P if you have a Secure Enclave vulnerability Apple will pay you a lot of money for it | 18:17:31 |
| emily | it's sure better than all the TPM-spec stuff you can buy | 18:17:45 |
| ElvishJerricco | that's fair | 18:17:57 |
 raitobezarius | In reply to @elvishjerricco:matrix.org
yes but nixos doesn't implement that right now because systemd wants you to be booting ukis for their tpm stuff to work UKIs are not needed | 22:34:06 |
| raitobezarius | I have a Lanzaboote PR for systemd credentials | 22:34:15 |
| raitobezarius | It's just stuck alas | 22:34:38 |
| ElvishJerricco | raitobezarius: I know it's not needed but the reason it's not as trivial as it could be is because of Condition=measured-uki on all the TPM related systemd units | 22:35:13 |
| ElvishJerricco | though I think lanzaboote fills that condition | 22:35:26 |
| raitobezarius | There's a PR that fixes the measurements which just need a rebase, yes | 22:36:26 |
