by jauntywundrkind 316 days ago
The model here feels not entirely dissimilar to Passkeys? Both are user provided auth tokens??

[Ed: allegations that the following is inaccurate! Probably checks out? Yes I meant the browser not the domain bound part, that seems solid.] Pity that Passkeys are so constrained in practice by browsers, that using them pretty much requires you trust the cloud providers absolutely with all your critical keys.

2 comments

They're not constrained that way at all. The communication between browsers and various passkey-holding software and hardware is an open standard. There are open-source apps that can hold and sync passkeys. I don't know why everyone keeps repeating this obvious falsehood.
Not sure which way of constraint you're referring to, but WebAuthn credentials are bound to a domain via Relying Party ID.

There's a proposal for cross-domain usage via Related Origins, but that scheme depends on the authority of the relying party, meaning you can't say "I'd like to be represented by the same keypair across this set of unrelated domains".

I was referring to this:

> Pity that Passkeys are so constrained in practice by browsers, that using them pretty much requires you trust the cloud providers absolutely with all your critical keys.

Passkeys are not constrained so you have to trust cloud providers or anyone else with all your critical keys. The key is resident in whatever software or hardware you want to use, and anyone can create passkey software or hardware that will work with Chrome etc. I'm talking about (and I'm pretty sure the OP was referring to) the other side of WebAuthn: where the credentials surfaced to JavaScript via WebAuthn actually come from and how the browser relays requests that a challenge is signed.

Ah, yes I agree
Yeah, I am sort of a fan of Passkeys in principle, but they are domain bound (you can't use them across domains).

I wish there were something built into browsers that offered a scheme where your pubkey = your identity, but in short there are a lot of issues with that
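
The Relying Party ID binding mentioned in the thread, as an added example that is not part of any comment above: a relying party's check of the `rpIdHash` and origin fields of a WebAuthn assertion. The function names, the sample values and the domains `example.com` and `other.example` are assumptions constructed for illustration; signature and challenge verification are not shown.

```python
import hashlib
import hmac
import json
import struct


def check_assertion_binding(auth_data, client_data_json, rp_id, allowed_origins):
    """Check the domain-binding fields of a WebAuthn assertion.

    Signature and challenge verification are separate steps, not shown here.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(rp_id_hash, expected):
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & 0x01:  # UP: user present
        raise ValueError("user-present flag not set")
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected clientData type")
    # The relying party decides which origins it accepts for its RP ID.
    if client_data.get("origin") not in allowed_origins:
        raise ValueError("origin not accepted by this relying party")
    return {"sign_count": sign_count, "user_verified": bool(flags & 0x04)}


def make_sample(rp_id, origin):
    """Build constructed (not captured) assertion fields for the demo."""
    auth_data = hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([0x05]) + struct.pack(">I", 7)
    client_data = json.dumps({"type": "webauthn.get", "challenge": "Y29uc3RydWN0ZWQ", "origin": origin})
    return auth_data, client_data.encode("utf-8")


if __name__ == "__main__":
    auth_data, client_data = make_sample("example.com", "https://example.com")
    print(check_assertion_binding(auth_data, client_data, "example.com", {"https://example.com"}))
    try:  # the same assertion presented to an unrelated relying party
        check_assertion_binding(auth_data, client_data, "other.example", {"https://other.example"})
    except ValueError as err:
        print("rejected:", err)
```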