Support for passkeys?

[NfNitLoop]

Password managers have been implementing a new "security keys" feature.

Can that be used to sign Items in Diskuto?

[NfNitLoop]

https://developer.1password.com/docs/ssh/agent/security/

[NfNitLoop]

It's looking like passkeys might work:

1. They usually implement Ed25519 signatures
2. They can sign an arbitrary payload Nope. The signature is not over just the challenge, but some other pieces of information, too.
3. They can be created without the browser or server having to store the public key / user ID. (residentKey="required") Nope. The public key is only able to be fetched when the passkey is first created. Server-side implementations must store it to be able to verify any passkey signatures.

With these, I can probably use this API for signing content instead of making browser plugins for FireFox/Safari/Chrome. 🤞

Things I still need to verify:

• Do any passkey implementations allow importing/exporting private keys? Would be nice to be able to continue to use my existing keys. 😬
• Can we create a key that can be used on different hosts? If I have multiple keys, and I go to a different server, I should be able to "log in" there.
  • A: No, the rp.id is based off of the host that created the passkey, and can not be used on other hosts.

[NfNitLoop]

⚠ Also, there's a big problem if passkeys can sign arbitrary payloads. You could go to a web site, and use its "log in" workflow. The payload it sends you to sign could be an Item, the body of which you haven't agreed to sign.

This probably isn't a use case the web pkey APIs are designed to protect against. You're only meant to sign things for a single "relying party" (rp) to authenticate with them. It's likely not expected that your signature will be used to continue to authenticate a piece of content indefinitely.

[NfNitLoop]

Closing this as "won't do". ("Can't do"? 😆)

Blockers:

• Passkeys cannot be used to sign arbitrary payloads, which would be needed to sign Items.
• Passkeys only provide their public key once on creation. The user would still need to provide their public key.
• Passkeys can't be used on arbitrary servers. Creating a passkey locks it to that server.
• Passkeys cannot be exported from password managers, so users can't even manually reuse them on another client / server.
• Passkeys can't be imported into password managers, so any UI that relies on them would make old keys unusable.
• Validating the contents of what you're signing is an important verification step. Passkeys used for user authentication are not designed for that workflow.