
184 points Bogdanp | 2 comments
alphazard ◴[] No.45105959[source]
Unfortunately the tech community is full of people who pride themselves on being aware of and advocating for the latest standard put out by whatever company. That's how we end up with lots of complicated nonsense like most of what is sent in HTTP headers, or the contents of a TLS certificate.

On the topic of authentication, it's solved. SSH nailed it, any further complexity is strictly worse. Signing up is uploading a public key. Signing in is cryptographically signing a commitment to the current ephemeral tunnel.

vbezhenar ◴[] No.45106176[source]
ssh is terribly insecure with no way of checking server certificate fingerprint automatically. Web solved it decades ago with CA.
rlpb ◴[] No.45109724[source]
OpenSSH supports DNSSEC-published host key fingerprints.
1. tptacek ◴[] No.45109821[source]
Leaving off everything else I think about DNSSEC, this is a baffling feature. DNS solves the problem of introducing unrelated counterparties, which is not the SSH host key problem --- people generally don't SSH into hosts they're not somehow affiliated with. This is what CA-based PKIs are made for, and OpenSSH has a good (non-X.509) certificate system already; lots of people use it to get e.g. SSO login for SSH.

Tying authenticity to a global, remote set of authorities is a tradeoff we make for anonymous introductions to random web servers whenever we need them. SSH doesn't have that problem, so the tradeoff gets you... nothing?

2. rlpb ◴[] No.45110328[source]
> people generally don't SSH into hosts they're not somehow affiliated with

git remote add ... git+ssh://user@github.com/... comes to mind as a counterexample, although I admit there aren't many of these examples and GitHub also supports authenticated https:// with git. GitHub don't publish SSHFP DNS records either it seems, but the feature is there in the client.
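
For reference on the SSHFP records mentioned in this thread, an added example that is not part of any comment above: it derives the SSHFP record data (algorithm number, fingerprint type, SHA-256 digest) from an OpenSSH public key line and compares a presented host key against a published record. The sample key is constructed, `host.example` is a placeholder name, and the helper names are hypothetical.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
FP_SHA256 = 2  # SSHFP fingerprint type 2 is SHA-256 (type 1 is SHA-1)


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data


def sshfp_rdata(pubkey_line: str) -> tuple[int, int, str]:
    """Return (algorithm, fp_type, hex_digest) for one OpenSSH public key line."""
    key_type, b64_blob = pubkey_line.split()[:2]
    if key_type not in SSHFP_ALGORITHMS:
        raise ValueError(f"no SSHFP algorithm number for {key_type}")
    blob = base64.b64decode(b64_blob, validate=True)
    # The blob begins with its own length-prefixed type name; it must agree
    # with the textual label, otherwise the line has been tampered with.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key type label does not match key blob")
    return SSHFP_ALGORITHMS[key_type], FP_SHA256, hashlib.sha256(blob).hexdigest()


def matches_sshfp(pubkey_line: str, record: str) -> bool:
    """Compare a presented host key with 'ALG TYPE HEX' SSHFP record data.
    Only SHA-256 (type 2) records can match; SHA-1 records are rejected."""
    alg, fp_type, digest = record.split(None, 2)
    want = (int(alg), int(fp_type), digest.replace(" ", "").lower())
    return sshfp_rdata(pubkey_line) == want


# Constructed sample (not a real host key): 32 fixed bytes as the Ed25519 key.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode() + " host.example"

if __name__ == "__main__":
    print("host.example. IN SSHFP %d %d %s" % sshfp_rdata(SAMPLE_KEY))
```

A fingerprint match only means something if the DNS answer itself was DNSSEC-validated; OpenSSH consults SSHFP records when `VerifyHostKeyDNS` is enabled in the client configuration.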