upvote

points

by goku1219 hours ago |
comments
upvoteby cyberax18 hours ago|
[-]
Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.

reply
upvoteby goku1217 hours ago|
parent|
[-]
> Passkeys ARE self-signed certs.

So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?

reply
upvoteby lxgr16 hours ago|
parent|
next
[-]
You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.

reply
upvoteby goku1214 hours ago|
parent|
[-]
Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere as complicated as you make it out to be. No passkey interfaces I've seen is as clear as this one. It automatically provisions the certificate (optional. You can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not.

Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers.

reply
upvoteby lxgr13 hours ago|
parent|
[-]
TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc.

Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval.

reply
upvoteby lxgr16 hours ago|
parent|
prev|
next
[-]
You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.

reply
upvoteby cyberax17 hours ago|
parent|
prev|
[-]
Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.

reply
upvoteby goku1217 hours ago|
parent|
next
[-]
Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it?
reply
upvoteby 0x015 hours ago|
parent|
prev|
[-]
> "they can't be provisioned by the website itself."

It's funny, we used to have a html tag that would exactly that: <keygen />

reply