| 3 Oct 2024 |
 emily | anyway, I think it makes more sense to let the TPM handle all key management if possible rather than wrapping keys with TPM keys | 18:07:30 |
| emily | for preventing post-boot leaks, that's why you can use the TPM to make key access conditional on the stage of boot, right? | 18:07:42 |
| emily | (I haven't actually worked with TPM2 because the API is awful to me, but I believe this is meant to be part of the capabilities.) | 18:08:01 |
 ElvishJerricco | yes but nixos doesn't implement that right now because systemd wants you to be booting ukis for their tpm stuff to work | 18:08:34 |
| emily | well, so we fix that and then kill off initrd secrets :) | 18:08:52 |
| ElvishJerricco | meh | 18:09:01 |
| ElvishJerricco | initrd secrets are useful | 18:09:06 |
| emily | nobody should be relying on any of this for security without secure boot anyway | 18:09:09 |
| ElvishJerricco | There are things to use initrd secrets for, like clevis JWTs, and I'm still unconvinced that it's ok to just toss them in the store. | 18:09:59 |
| ElvishJerricco | now, we could implement it way better, but that's another matter | 18:10:57 |
| emily | worth nothing that e.g. WebAuthn depends on shipping around blobs of secure element-encrypted private keys | 18:11:29 |
| emily | * worth noting that e.g. WebAuthn depends on shipping around blobs of secure element-encrypted private keys | 18:11:33 |
| ElvishJerricco | I need to learn more about how WebAuthn actually works... | 18:12:24 |
| emily | (technically that's an implementation detail, but it's how all the serious hardware implementations work for non-resident keys) | 18:13:00 |
| ElvishJerricco | oh, but resident keys are the default, aren't they? | 18:13:24 |
| ElvishJerricco | and by far more common? | 18:13:29 |
| emily | nah | 18:13:31 |
| emily | they're the hot new thing in the form of passkeys, but they were very uncommon for a very long time | 18:13:42 |
| emily | WebAuthn used as a second factor is non-resident | 18:13:48 |
| emily | it's still an explicit opt-in to get resident keys | 18:13:58 |
| emily | but yeah "passkeys" are resident | 18:14:02 |
| ElvishJerricco | ah, I'm thinking of passkeys | 18:14:04 |
| ElvishJerricco | I thought passkeys was just the marketing term for WebAuthn | 18:14:12 |
| emily | they're the marketing term for WebAuthn resident keys, usually WebAuthn resident keys that are backed by multi-device-synced cloud storage | 18:14:40 |
| ElvishJerricco | ah ok interesting | 18:15:15 |
| ElvishJerricco | i know trying to use passkeys with a yubikey can be a problem because yubikeys can only store like 32 of them or something so it basically sucks. Makes me wonder why browsers don't just store the resident stuff themselves and then use the yubikey for decryption. | 18:16:33 |
| emily | (sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") | 18:16:47 |
| ElvishJerricco | In reply to @emilazy:matrix.org
(sometimes very fancy syncing protocols, like "confirming via Secure Enclave attestation that the receiving end is a legitimate device that we want to smuggle our precious private keys directly encrypted to it to") I'm sure that won't ever get cracked :P | 18:17:09 |
| emily | (to maintain the "no private key exfiltration" properties of hardware FIDO2 keys) | 18:17:12 |
| emily | In reply to @elvishjerricco:matrix.org
I'm sure that won't ever get cracked :P if you have a Secure Enclave vulnerability Apple will pay you a lot of money for it | 18:17:31 |
