nickray
- Karma
- 140
- Created
- September 30, 2011 (14y ago)
- Submissions
- 0
https://n.stalder.io
[ my public key: https://keybase.io/nickray; my proof: https://keybase.io/nickray/sigs/4fEWFEJV7a5cr1M1xZCsamtaXpi0tJcOkohynytYCxk ]
Co-founder of Solo: the first open-source FIDO2 security key - https://solokeys.com
Google's proposal for filtering: https://google.aip.dev/160 Specifically, https://google.aip.dev/assets/misc/ebnf-filtering.txt which is a modification of their common expression language…
How do you map KMU Konten to ledger accounts (can you rollup?), and do you automate VAT accounting?
Nonnegative always includes zero, unless the author had muddled thinking themselves. Since positive is >0 and negative is <0, their negations are nonpositive for <=0 and nonnegative for >=0.
I see your point too, and we're looking forward to a world in which low-power (to enable NFC) open source chips with security features exist. For instance, https://tropicsquare.com is a project that is working towards…
Website can distinguish via the optional attestation key. In terms of features, CTAP v2.1 (https://fidoalliance.org/specs/fido2/) is still draft only, but yes both v1 and v2 keys support hmac-secret and credential…
No, they cannot. This is an explicit design goal of FIDO (https://fidoalliance.org/specs/fido-security-requirements/fi...). The actual public key used for logging in to a specific site is completely random. Optionally,…
We hope and think that PIV can replace all the practical use cases for PGP. Specifically among those mentioned, `age` for file encryption, and either FIDO resident keys with hmac-secret for password managers, or…
Anybody have an actual quote of Burnside's doubt? Article etc.
Keybase's "Crypto tools" tab can do this, with "known destination" determined via social proof. https://keys.pub is a re-implementation of this use case without the messenger/cryptocurrency baggage that some dislike…
First, that's a limitation of git. Second, it's easy to fake PGP: https://boats.gitlab.io/blog/post/signing-commits-without-gp... Third, we're adding support to SoloKeys to do this using a hardware token:…
As Stavros mentions, you can, and if you feel qualified, you should manage your own keys. Be that with some software authenticator you deem safe or write yourself, or with e.g. our keys that are open source, so you can…
Yes, WebAuthn is about getting rid of passwords. They're a bad idea, for most people, in most situations.
In FIDO-speak, "platform" authenticators are your laptop or phone, using their contained secure storage, vs "roaming" authnrs like our SoloKeys. Most people assume that the former will be the main way to use WebAuthn.…
The point is that ssh keys lying around on your laptop aren't the greatest idea either. Where is the root of trust? The password you type to terminal if you encrypt them? FIDO2 starts with the idea of safe defaults,…
SoloKeys person here ;) You can implement software authenticators (listening on local USB port), I imagine some password manager people will do so eventually, or have a direct way to hook into requests. Krypton did this…
There's an ascending signature counter that's intended to prevent cloned devices (replay attacks are prevented seperately with server generated challenge). One way around it is clone (backup key) having very high…
As I'm currently working on possible options to expose on-device keys and cryptography for our open source FIDO2 key (SoloKeys) beyond the FIDO use case, I'd be curious about opinions on just exposing and using the…
You register more than one key, and use your backup. If the site lets you in without one of the keys you registered, it's a security theater :)
privacy.
https://login.swissid.ch does this too: disallow password managers from filling out the login. Upon asking them to fix: "Autofill completion is not allowed by us for security reasons. First, if that's the case, if…
Is there any English translation of the original? Would be curious to see the actual recipes!
It implements FIDO2: https://www.yubico.com/2018/05/what-is-fido2/
Should? That does mean: purchasing a bunch of tokens, each of which could be lost, and registering them all. I don't think online security has normative/prescriptive rules, just tradeoffs :)
Yes :) Personally, I would just start replacing credentials upon loss in descending order of importance.
I am considering adding this to my European distribution of U2F Zero, but the problem here is that as the vendor I then know your secret key. As mentioned in another comment, the uncloneability of Yubikeys is a feature…