Hi, since you mentioned me, that's not what was said and putting it in quotes as if I did is really inappropriate.

I'll post the same response I replied to other on a different thread:

Wild that you (and a few others) continue to make these accusations about me in these comments (and in other venues).

1) I've been one of the most vocal proponents of synced passkeys never being attested to ensure users can use the credential manager of their choice

2) What makes you think I have any say or control over the hundreds of millions of websites and services in the world?

3) There is no known synced passkey credential manager that attests passkeys.

tl;dr attestation does not exist in the consumer synced passkey ecosystem. Period.

▲

jorams 9 days ago | parent | next [-]

They paraphrased what you said in the thread, but I don't think it's much of a misrepresentation.

You may have "been one of the most vocal proponents of synced passkeys never being attested to ensure users can use the credential manager of their choice", but as soon as one such credential manager allows export that becomes "something that I have previously rallied against but rethinking as of late because of these situations".

There may not currently be attestation in the consumer synced passkey ecosystem, but in the issue thread you say "you risk having KeePassXC blocked by relying parties".

The fact that that possibility exists, and that the feature of allowing passkeys to be exported is enough to bring it up, is a huge problem. Especially if it's coming from "one of the most vocal proponents of synced passkeys never being attested", because that says a lot about whoever else is involved in protocol development.

▲

timmyc123 9 days ago | parent [-]

You should really re-read the entire discussion. It wasn't about passkeys being able to be exported. It was specifically about clear text export.

> The fact that that possibility exists,

The possibility does not exist in the consumer synced passkey ecosystem. The post is from a year and a half ago.

▲

lelandbatey 8 days ago | parent [-]

A year and a half ago doesn't really matter; that this was ever even a concern from the industry, something that the industry could make happen at all, or even just was thinking about doing at some point in the past, poisons the entire effort. In a world where password+totp already exists and requires almost no hoops, no dependencies and is incredibly secure vs basic password flows, it's no wonder that folks remember discussions around curtailing user freedom around a new authentication pattern which already was less convenient, offers less user control, and further centralizes infrastructure in the hands of a few major brokers of technological power.

Until we have full E2E passkey implementations that are completely untethered from the major players, where you can do passkey auth with 3 raspberry pi's networked together and no broader internet connection, the security minded folks who have to adopt this stuff are going to remember when someone in the industry publicly said "if you don't use a YubiKey/iPhone/Android and connect to the internet, ~someone~ might ban you from using your authenticator of choice."

	▲	timmyc123 8 days ago \| parent [-]
		> Until we have full E2E passkey implementations that are completely untethered from the major players, where you can do passkey auth with 3 raspberry pi's networked together and no broader internet connection This is already possible today. And since it's a completely open ecosystem, you can even build your own credential manager if you choose!

▲

63stack 8 days ago | parent | prev [-]

I don't believe it is a misrepresentation, you are bullying a project for letting users backup their own passkeys.

>which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).

This is exactly why we need truly open standards, so people who believe they are acting for the greater good can't close their grubby hands over the ecosystem.