| 11 Jun 2023 |
 @elvishjerricco:matrix.org | but sealing a key is just as good | 06:48:01 |
| @elvishjerricco:matrix.org | or, no, you want to do the actual auth crypto on the tpm and never on the host | 06:48:17 |
| @elvishjerricco:matrix.org | hm | 06:48:23 |
 K900 | Yep | 06:48:26 |
| K900 | You should be able to | 06:48:32 |
| @elvishjerricco:matrix.org | yea I dunno the details well enough to be sure | 06:48:41 |
| @elvishjerricco:matrix.org | but it sounds possible | 06:48:48 |
| K900 | One problem with that is that I'm not sure you can authenticate as the same machine more than once on Tailscale | 06:52:21 |
| K900 | At least with Headscale you have to manually remove the old node | 06:52:38 |
| @elvishjerricco:matrix.org | oh, wait, which level of auth are we talking about? The SSO thing where you actually login for the first time and add the node? Or the auth that occurs just be starting tailscaled back up again? | 06:53:37 |
| @elvishjerricco:matrix.org | * oh, wait, which level of auth are we talking about? The SSO thing where you actually login for the first time and add the node? Or the auth that occurs just by starting tailscaled back up again? | 06:53:50 |
| K900 | The SSO auth | 06:54:30 |
| @elvishjerricco:matrix.org | I see | 06:54:37 |
| K900 | The second auth just uses the token that's persisted on disk | 06:54:40 |
| @elvishjerricco:matrix.org | right I thought you were talking about persisting that token in the TPM instead somehow | 06:54:58 |
| @elvishjerricco:matrix.org | because I'm guessing that token is generated locally and then certified by the SSO? | 06:55:42 |
| @elvishjerricco:matrix.org | If it's generated locally you can do that part on the TPM and leave it there | 06:55:52 |
| K900 | I don't know if it is | 06:55:59 |
| K900 | But I don't think so? | 06:56:01 |
| @elvishjerricco:matrix.org | bummer | 06:56:10 |
| @elvishjerricco:matrix.org | secrets should always be generated locally | 06:56:26 |
| 13 Jun 2023 |
| K900 changed their display name from K900 to K900 (Old). | 20:51:50 |
| K900 invited  K900 (deprecated). | 21:09:07 |
| K900 (deprecated) joined the room. | 21:11:29 |
| 14 Jun 2023 |
|  @raphi:tapesoftware.net changed their display name from raphi (element unread channel fix when) to raphi. | 07:03:17 |
 Arian | oidc is realy meany for third-party auth though | 12:32:46 |
| Arian | Tailscale recently also added Webauthn support for first-party log in | 12:32:56 |
| Arian | and converting a TPM attestation to a Webauthn sig is actually defined in the CTAP/Webauthn spec | 12:33:08 |
| Arian | But if you wanna go the OIDC route. if you're on Google Cloud they now have an attestation service that allows you to exchange TPM quotes for OIDC tokens signed by accounts.google.com, | 12:34:02 |
| Arian | they'll check the EKCert and see if the hardware is signed by google and then give you an oidc token back | 12:34:31 |
