Skip to main content

It’s very interesting reading this and related threads on Web Authentication (“passkeys”).

The ability for people to use their created/associated key material to sign and encrypt their communication would be a huge boon for decentralised web applications. And yet, of course, the related W3C groups reject the use case. Because allowing people (instead of the corporations the W3C represents) to control their own identities is anathema to Big Tech.

github.com/w3c/webauthn/issues…

#bigTech #w3c


Can the private keys be used for other cryptographic operations? · Issue #1595 · w3c/webauthn

For example, can they be used to sign and encrypt data the client passes? This goes beyond authentication, so it may be fair to consider it out of scope, given that "authn" is in the spec...
GitHub
#w3c #bigtech
in reply to Aral Balkan

Dawid Rejowski
Dawid Rejowski
Interesting if it be possible to develop a solution like that for our little decentralized solutions like Mastodon, Matrix and others.
We can work together, right?
in reply to Dawid Rejowski

Aral Balkan
Aral Balkan

Well, it looks like “passkeys” are about to get a huge push with Apple, etc., behind them. I’d ideally love to be able to implement a frictionless authentication process like that that also enables people to derive and use their own private keys automatically.

Barring that, my current flow is to generate a Diceware passphrase that all other key material is derived from (signing, encryption, ssh keys, etc.) and which you’re expected to keep in your password manager.

in reply to Aral Balkan

Aral Balkan
Aral Balkan

But yes, the whole idea of small web relies on people owning and controlling their own keys (ideally, without knowing what keys are or how they work), so they can have ownership/control of their online identities and be able to communicate both privately (end to end encrypted) and publicly.

I’d welcome any movement to interoperate on such a system.

in reply to Aral Balkan

Dawid Rejowski
Dawid Rejowski
Passwordless authentication would become a huge cake once people realize they can just get rid of managing passwords.
Apple has taken the big bite, really big as they would build that in the OS.
Also they got dibs on the name "passkeys", for me it could be cool general name, but now everybody would associate "passkeys" with Apple.
in reply to Aral Balkan

Eliot B
Eliot B
I have the same gripe with New Zealand's "RealMe" realme.govt.nz/ - "The easiest and most secure way to prove your identity online" . Having jumped through the ID hoops it can even be used to renew a passport, yet they don't provide digital certificates/keys to allow people to sign/encrypt things. I asked, and also got the answer that those things are "out of scope" - a missed opportunity!

Home

RealMe is an initiative from the New Zealand government and New Zealand Post to make doing things online easier and more secure.
www.realme.govt.nz