by md_
1576 days ago
> People love wireguard for its simplicity because it doesn’t use certs and PAKEs and whatnot.

I don't know of a VPN that uses PAKE, so I don't get this comparison, but whatever. My point about certs was that OP was effectively proposing self-signed X509 client certs. It's unclear to me in what way those are harder to use than the proposal here, except that they actually are a widely accepted standard with user agent support.

> WebAuthn’s crowd and browser implementers on the other hand seem fixated on making sure users never have the option to deploy the protocol in such a way. That’s the problem.

https://github.com/herrjemand/awesome-webauthn#software-auth...?
|
You are correct that client certs have user agent support. Honestly it’s a pretty poor UX though. Have you actually tried building a consumer application that uses client certs in the browser? Good luck getting users to install client certs. Client certs work fine everywhere else where you can run bespoke client software (native apps) except for the part where they authenticate the connection and not the request, but that’s not the point either.
Anyway it’s great that other implementations of webauthn exist. But like I just said for client certs: outside of the browser anyone can do anything so webauthn is not a game changer there (not to downplay it). Where WebAuthn matters is for client authentication in the browser and in that arena it is locked down to platform auth and hardware device auth mechanisms. There is no way users could benefit from webauthn right now without the browser-supplied UX.
All I’m saying is that WebAuthn would be way more viable in the way people are asking for in this thread if for example browsers/platforms allowed extensions to participate as a soft WebAuthn agent so that users could choose their preferred WebAuthn backend and UX instead of the browser supplied options. The browser client cert UX sucks and so does browser vendor WebAuthn and I think their adoption story is all the proof you need.