It’s very interesting reading this and related threads on Web Authentication (“passkeys”).

The ability for people to use their created/associated key material to sign and encrypt their communication would be a huge boon for decentralised web applications. And yet, of course, the related W3C groups reject the use case. Because allowing people (instead of the corporations the W3C represents) to control their own identities is anathema to Big Tech.

github.com/w3c/webauthn/issues…

#bigTech #w3c

in reply to Aral Balkan

It would be interesting if it were possible to develop a solution like that for our little decentralized solutions like Mastodon, Matrix and others.
We can work together, right?

in reply to Dawid Rejowski

Well, it looks like “passkeys” are about to get a huge push with Apple, etc., behind them. I’d ideally love to be able to implement a frictionless authentication process like that that also enables people to derive and use their own private keys automatically.

Barring that, my current flow is to generate a Diceware passphrase that all other key material is derived from (signing, encryption, ssh keys, etc.) and which you’re expected to keep in your password manager.
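A sketch of the kind of flow described in the post above, added here as an example; it is not part of the thread and not the poster's or any project's own code. It assumes scrypt for stretching the passphrase, HKDF-Expand (RFC 5869) with per-purpose labels for separating the keys, and a non-secret per-identity salt; the function names, labels, parameters and sample values are all hypothetical.

```python
import hashlib
import hmac
import math
import unicodedata

# Assumed labels, one per purpose named in the post; changing a label changes the key.
PURPOSES = ("signing", "encryption", "ssh")

def diceware_bits(passphrase: str) -> float:
    """Entropy of a passphrase rolled from the standard 7776-word Diceware list."""
    return len(passphrase.split()) * math.log2(7776)

def master_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch the passphrase once with scrypt (memory-hard) into a 32-byte root."""
    # Normalise so the same words typed with different spacing or Unicode
    # composition always produce the same keys.
    norm = unicodedata.normalize("NFKD", " ".join(passphrase.split()))
    return hashlib.scrypt(norm.encode("utf-8"), salt=salt, n=2**15, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=32)

def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(passphrase: str, salt: bytes) -> dict:
    """Derive one independent 32-byte secret per purpose from a single passphrase."""
    root = master_key(passphrase, salt)
    return {p: hkdf_expand(root, b"example-kdf/v1/" + p.encode()) for p in PURPOSES}

if __name__ == "__main__":
    # Constructed sample values; never reuse a published passphrase.
    sample = "cleft cam synod lacy yr wok ample nadir"
    print(f"{diceware_bits(sample):.1f} bits")
    for purpose, key in derive_keys(sample, b"example.small-web.test").items():
        print(purpose, key.hex())
```

Because every key is a deterministic function of the passphrase, losing the passphrase loses all of them and leaking it exposes all of them, which is why the stretching step and the passphrase length matter more than any single derived key.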

in reply to Aral Balkan

But yes, the whole idea of small web relies on people owning and controlling their own keys (ideally, without knowing what keys are or how they work), so they can have ownership/control of their online identities and be able to communicate both privately (end to end encrypted) and publicly.

I’d welcome any movement to interoperate on such a system.

in reply to Aral Balkan

Passwordless authentication would become a huge cake once people realize they can just get rid of managing passwords.
Apple has taken the big bite, really big, as they would build that into the OS.
Also, they got dibs on the name "passkeys". For me it could be a cool general name, but now everybody would associate "passkeys" with Apple.

in reply to Aral Balkan

I have the same gripe with New Zealand's "RealMe" realme.govt.nz/ - "The easiest and most secure way to prove your identity online". Having jumped through the ID hoops it can even be used to renew a passport, yet they don't provide digital certificates/keys to allow people to sign/encrypt things. I asked, and also got the answer that those things are "out of scope" - a missed opportunity!