[saag] Passkeys is being deployed, device portability messaging is cloudy.
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 04 May 2023 16:16 UTC
From: Phillip Hallam-Baker <phill@hallambaker.com>
Date: Thu, 04 May 2023 12:16:29 -0400
Message-ID: <CAMm+Lwhedt1-6vNEtBPEPWU-ZocHbm9A5FO8DGE13W1V3LD-Xg@mail.gmail.com>
To: IETF SAAG <saag@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000534c2e05fae07f0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/HaCtBUlaslsQUrRMrVg2gavnUZM>
Subject: [saag] Passkeys is being deployed, device portability messaging is cloudy.
I am seeing a great deal of buzz about Passkeys (again) and seeing stories that passwords are obsolete (again). I am also seeing two arguments being made about device portability.

A) FIDO doesn't solve the device portability issue and so enabling Passkeys on my desktop doesn't mean I can use it on my phone.

B) FIDO does solve this problem through bridges and if I use Apple all my keys will magically sync to all my Apple devices, if I use Android... so portability with silos which could be solved by using a third-party solution.

The problem I am having with B is that 'read the Javascript API' doesn't give me the feeling this is a problem that is solved as far as users are concerned.

I raised the multiple device issue before the FIDO organization was set up in 2012. So I just thought I would remind people that the multiple device problem is what I designed the Mesh to solve. The problem of managing credentials across a collection of multiple devices from different vendors is what brought me to develop the threshold approaches.

The Mesh can roam SSH, S/MIME and code signing keys today. I can easily add support for WebAuthn. All I need to know is what sockets to plug into on the various platforms. That is, which keystore identifiers should I use on each platform.

Now I have added a lot more to my platform than just managing public key credentials across devices, it can also manage passwords and contacts, secure data at rest, establish end-to-end secure group discussions and a lot more, but it is not necessary for an application to implement all of that functionality. Though if you are going to use the Mesh to roam public key credentials, you will probably want to use it for your password manager as well.