184 points Bogdanp | 3 comments
alphazard No.45105959
Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it; any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

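The sign-up and sign-in flow described in the comment above, sketched as an added example (not code from the comment's author or from SSH itself). It shows why the signature covers the tunnel: a signature made for one tunnel does not verify on another. The names `Server`, `tunnelID`, `commitment` and the `demo-auth-v1` label are hypothetical, and the tunnel ID is a stand-in hash of constructed values rather than a real key-exchange transcript.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server stores only public keys, much like an authorized_keys file.
type Server struct{ keys map[string]ed25519.PublicKey }

// SignUp is "uploading a public key".
func (s *Server) SignUp(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// tunnelID stands in for the value both ends derive from the ephemeral key
// exchange. Assumption: a plain hash of the two ephemeral public values.
func tunnelID(clientEph, serverEph []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, clientEph...), serverEph...))
	return sum[:]
}

// commitment binds a signature to one purpose, one user and one tunnel.
func commitment(user string, tid []byte) []byte {
	return append([]byte("demo-auth-v1\x00"+user+"\x00"), tid...)
}

// SignIn verifies against the tunnel ID the server computed for itself.
func (s *Server) SignIn(user string, tid, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ed25519.Verify(pub, commitment(user, tid), sig)
}

// demo reports (accepted on the signed tunnel, accepted on a different tunnel).
func demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := &Server{keys: map[string]ed25519.PublicKey{}}
	srv.SignUp("alice", pub)
	// Constructed ephemeral values for two separate tunnels.
	tunnelA := tunnelID([]byte("client-eph-A"), []byte("server-eph-A"))
	tunnelB := tunnelID([]byte("client-eph-B"), []byte("server-eph-B"))
	sig := ed25519.Sign(priv, commitment("alice", tunnelA))
	return srv.SignIn("alice", tunnelA, sig), srv.SignIn("alice", tunnelB, sig)
}

func main() { fmt.Println(demo()) }
```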
adiabatichottub No.45106911
@alphazard, what are your thoughts on using self-signed X.509 certs, since 95% of the infrastructure is already there?
1. alphazard No.45107097
I'm opposed to using certs where public keys will do. Certificates, especially X.509, are more complicated than the public keys that they reference. They include things like domain names, serial numbers, version numbers, etc.

The complexity of X.509 belongs in the domain name system. If a bunch of large corporations want to come up with complicated formats so they can decide who gets to call themselves what on the internet, let them do that, but don't let them complicate basic security for the rest of us.

The experience to beat is swapping SSH keys. 95% of developers have set up access to a new machine using SSH. That should be the default experience for authenticating on the internet, and anything more complicated should be strictly opt-in.

2. adiabatichottub No.45107271
Yes, I agree much of the added complexity isn't necessary, but since TLS is a common and widely used protocol for just about everything other than SSH, it seems like it would be easier to plug in.

Edit: or put another way, why should I have to load another library for PKA when I already have one that works just fine?

3. kbolino No.45110515
DNS for key management is nonviable due to the lack of uptake of DNSSEC. Though it's an interesting hypothetical question whether that would still have been the case without X.509.