No, they're just resident webauthn credentials which use asymmetric crypto.

> very obviously once Passkeys are everywhere it'll become "we're requiring attestation from approved device bootloaders/enclaves"

This is far from very obvious, especially given that Apple have gone out of their way to not provide attestation data for keychain passkeys. Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.

If there's no intention of doing this, it should be removed from the protocol. "I promise we'll never use this feature, so long as you implement it" isn't very convincing.

Not all people who want to replace passwords are running services available to the general public.

There are a bunch of service provider contexts where credential storage attestation is a really useful (and sometimes legally required!) feature.

Great, they can use standards that aren't targeted at running services for the general public. It seems like the requirements already diverged.

Drop attestation from passkeys, and I become a promoter. Keep it, and I suggest people stay away.

If it's not something anyone intends to use on public services, this should be uncontroversial. Dropping attestation simplifies implementation, and makes adoption easier as a result.

What makes you think that the Webauthn standards are "targeted at running services for the general public"?

> It seems like the requirements already diverged.

No, the requirements are _contextual_. This isn't a new idea.

The fact that sites targeted at the general public are prompting me to use them. Should websites avoid using passkeys and webauthn? Would you like to tell them that they're doing it wrong?

I missed a word out from my question. Let me try again.

What makes you think that the Webauthn standards are _only_ "targeted at running services for the general public"?

Yeah, so if you want me to trust them, the harmful parts need to get removed from specs used in public contexts.

I would love to use public key cryptography to authenticate with websites, but enabling remote attestation is unacceptable. And pinky swears that attestation won't be used aren't good enough. I've seen enough promises broken. It needs to be systematic, by spec.

Passwords suck. It's depressing that otherwise good alternatives carry poisonous baggage.

If you make something possible, it will be used.

> If you make something possible, it will be used.

Sure, but that's not without tradeoffs. I come back to:

> Any service requiring attestation for passkeys will effectively lock out every iPhone user - not going to happen.

And I come back to: if it would never work, why not drop support? "We pinky promise" is just not good enough.

> if it would never work, why not drop support?

Because passkeys are designed to replace passwords across multiple different service contexts, that have different requirements. Just because there's no reason to use it for one use case doesn't mean it's not actually useful in a different one. See things like FIPS140 (which everyone ignores unless they're legally required not to).

Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process? Why would they decide to wake up and say "I know, I'm going to require that all of my users authenticate just with a Yubikeys and nothing else"?

> Can you sketch out for me the benefit of a public-facing service deciding to require passkey attestation? What's the thought process?

A misguided administrator is very likely to think "They can't use a malicious device to access our service".

What's the benefit for a private service?

Is there a difference? It's a field in the response payload that nobody is filling out except the corps that need it. Would it make you feel better if they moved it to an appendix and called it an optional extension?

> Would it make you feel better if they moved it to an appendix and called it an optional extension?

That kind of thing can make a huge difference once this standard starts becoming e.g. required for government procurement.

As long as it required an extension and extra application.

I should need to install an enterprise authenticator app, which speaks webpki-enterprise, if you want to enable that shit.

There's a tension here between "user freedom" and a service wanting to make sure that credentials that it trusts to grant access to stuff aren't just being yolo'd around into textfiles on people's dropboxes.

People forget that one of the purposes of authentication is to protect both the end user and the service operator.

Sure, but as long as the fallback for account recovery is sending a reset email or sms (both of which are similar or worse than yoloing textfiles on dropboxes), that's a very tough argument to make in good faith.

I agree that account recovery isn't the best. But just because that sucks doesn't mean there's zero value in improving credentials.

What people do on their own computer is none of the service's business.

It is if it puts the service at risk.

This attitude has got to stop. Is it not enough that there's no customer service and it's almost impossible to sue these companies thanks to arbitration clauses? Now they need to have control over our computing to keep themselves safe? And how many recorded incidents of losing an account because someone had their "password in a text file" are even out there? The most common scenarios one hears about are either phishing or social engineering.

Do you think someone running a service that's under constant denial-of-service attacks would be sympathetic to the argument that "What people do on their own computer is none of the service's business".

Pretty much every service out there has "don't share credentials" in their ToU. You don't have to like it, but you also don't have to accept the ToU.

Note the scare quotes around user freedom. Perhaps user freedom is a notorious fake issue, a bizarre misconception, or an exotic concept that nobody understands.

I don't know what "scare quotes" are. They're just regular quotation marks, because I'm quoting.

Sure, I stand corrected, you "don't know" what I'm talking about.

Literally no idea.

My point was that freedom is not an absolute, it's balanced against other freedoms. It's hard to tell whether you agree with that or not.

What does Microsoft stand to lose if someone steals my passkey for Outlook from a text file I yolo'd into a Dropbox?

Without a lock file your transitive dependencies are.... by definition not centralised?

Or have I misunderstood?

> but I'm really good at my job

How good you think you are at your job is pretty meaningless if some manager above you wants to weaponise the company's perf policy against you.

I'm good enough at my job to see that when it's happening. That's one reason why I didn't say 'I think.' Another is because I know the way to bet is that, with this weapon forbidden, others will be found to replace it. Why go into any of that without even the promise of hazard pay? I'd rather just do honest work.

This "job" that you speak of, that you are so good at. Are you... at it now?

> This "job" that you speak of, that you are so good at. Are you... at it now?

Hello, Bryan! No, I'm on my own dime, no one else's. But it's decent of you to show such concern over my situation, in these uncertain times.

> One should be able to map, protect, etc memory ranges down to byte granularity - which is the granularity of everything else in computers.

But you can do this, you simply have to pay the cost of using PAGE_SIZE of memory per byte you want to protect?

One of the biggest fallacies I see in this space is people looking at an observability standard like otel and thinking "I must enable all of that".

You really don't have to.

Throw away traces. Throw away logs. Sample those metrics. The standard gives you capabilities, it doesn't force you to use them. Tune based on your risk appetite, constraints, and needs.

My other favourite retort to "look how expensive the observability is" is "have you quantified how expensive not having it is". But I reserve that one for obtuse bean counters :)

The onus is on the one asking to spend the money to demonstrate and quantify the business value and compare it to alternatives. Our field could do with a bit more justifying our purchases with dollar values.

I agree. But not enough people are costing out the 'do nothing' option (it's not zero!).

Everyone knows that a donut has two sides.

Inside, and outside.

> Worse, they’re using it for massive commercial gain, without paying a dime upstream to the supply chain that made it possible. If there is any purpose of copyright at all, it’s to prevent making money from someone’s else’s intellectual work.

This makes no sense. If I buy and read a book on software engineering, and then use that knowledge to start a career, do I owe the author a percentage of my lifetime earnings?

Of course not. And yet I've made money with the help of someone else's intellectual work.

Copyright is actually pretty narrowly defined for _very good reason_.

> If I buy and read a book on software engineering

You're comparing that you as an individual purchase one copy of a book to a multi-billion dollar company systematically ingesting them for profit without any compensation, let alone proportional?

> do I owe the author a percentage of my lifetime earnings?

No, but you are a human being. You have a completely different set of rights from a corporation, or a machine. For very good reason.

Does copyright law apply differently to humans Vs organisations?

> without any compensation,

Didn't Anthropic buy the books?

If you pirate a book on software engineering and then use that knowledge to start a career, do you owe the author the royalties they would be paid had you bought the book?

If the career you start isn't software engineering directly but instead re-teaching the information you learned from that book to millions of paying students, is the regular royalty payment for the book still fair?

Everyone seems to miss the "single unbreakable pki" aspect that necessarily comes along with the design. :shrug: