Even with the current flimsy "What about iPhones?" defense against attestation, is there anything stopping say Microsoft from just forcing you to install a different app to use Microsoft services?
Since you keep posting this link, I'll just keep saying it: there is no credential manager attestation in the consumer synced passkey ecosystem. Period. There is no way to build and allowlist, by design. The consumer synced passkey ecosystem is open.
Strawman? We are talking about this link, right, the one that says:
> I've already heard rumblings that KeepassXC is likely to be featured in a few industry presentations that highlight security challenges with passkey providers, the need for functional and security certification, and the lack of identifying passkey provider attestation (which would allow RPs to block you, and something that I have previously rallied against but rethinking as of late because of these situations).
> The reason we're having a conversation about providers being blocked is because the FIDO Alliance is considering extending attestation to cover roaming keys.
> From this conversation it sounds like the FIDO Alliance is leaning towards making it possible for services to block roaming keys from specific providers.
Yes, read the quotes you took again. Attestation is not a thing currently. There is legitimate discussion about how to handle shitty password managers. If LastPass shits the bed again, it would be great to have a mechanism for others to block it or at least know that due to a major incident, keys from that tool are weak. Debian OpenSSL keys were vulnerable for a long time and being able to know and alert or block private keys generated on a Debian machine is reasonable if not desirable. If KeepassXC is insecure or promotes insecure practices, whose fault is that and what do you suggest we do?
The entire issue is about doing the minimum possible of not exporting it in plaintext. Nothing is stopping you from decrypting it and posting it on your Twitter if you so wish. Just don't have the password manager encourage bad practices. How is that unreasonable?
> If LastPass shits the bed again, it would be great to have a mechanism for others to block it
And by the way, if and when something like that does happen, what's the user supposed to do if they suddenly find their passkey provider has been blocked?
Yes, we've seen you repeat that we have to read it again. I reread this morning before the post, but really just found more things supporting my position.
> To be very honest here, you risk having KeePassXC blocked by relying parties (similar to #10406).
From the linked https://github.com/keepassxreboot/keepassxc/issues/10406
> | no signed stamp of approval from on high
> see above. Once certification and attestation goes live, there will be a minimum functional and security bar for providers.
> | RP's blocking arbitrary AAGUIDs doesn't seem like a thing that's going to happen or that can even make a difference
> It does happen and will continue to happen because of non-spec compliant implementations and authenticators with poor security posture.
Is your argument that despite being doused with gasoline I can't complain because I'm not currently on fire?
So you’re just not gonna respond to any of the points explaining your straw man. Yeah you should read it again, and read my explanation again and let me know if you have any questions or responses. Don't douse yourself in gasoline and you won't have to worry about being on fire.
(You have every right to douse yourself in gasoline. No one is taking that away from you. Just stay away from everyone else)
Maybe you can let us know what definition of "strawman" you are using in this context?
KeePassXC is at risk of being blocked for making it easy to back up the passkeys. I don't see where that's been disproven or explained, other than saying "well attestation isn't enforced yet" -- that is, the metaphorical gasoline (provider AAGUIDs) hasn't yet been ignited (blocking of provider AAGUIDs)
> The entire issue is about doing the minimum possible of not exporting it in plaintext. Nothing is stopping you from decrypting it and posting it on your Twitter if you so wish. Just don't have the password manager encourage bad practices.
I don't disagree with this in principle, but it does warn you and realistically, what is the threat model here? It seems more like a defense-in-depth measure rather than a 5-alarm fire worthy of threatening to blacklist a provider. Maybe focus energy instead on this? (3+ year workstream now I guess?)
>> Sounds like the minimal export standard for portability needs to be defined as well.
> This is all part of the 2+ year workstream.
--
The more I get exposed to this topic, the less I'm convinced it was designed around people in the real world, e.g. https://news.ycombinator.com/item?id=44821601. Sure is convenient that it's so so easy to get locked into a particular provider, though!
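As an added illustration (not code from this thread, KeePassXC or the FIDO Alliance), this is what the AAGUID-based blocking being argued about looks like on the relying-party side: the RP reads the 16-byte AAGUID out of the WebAuthn authenticatorData and checks it against a policy list. The AAGUIDs and the deny list below are constructed placeholders, and the code also records the point made above about the synced-passkey ecosystem: with attestation format "none" the AAGUID is self-asserted by the client, not proven.

```python
import struct
from uuid import UUID

# Constructed sample AAGUIDs for the demo (not real provider identifiers).
DEMO_AAGUID_BLOCKED = UUID("11111111-2222-3333-4444-555555555555")
DEMO_AAGUID_OK = UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")

# Hypothetical RP policy: providers this RP decided to reject after an incident.
DENY_LIST = {DEMO_AAGUID_BLOCKED}

def parse_aaguid(auth_data: bytes):
    """Return the AAGUID from WebAuthn authenticatorData, or None when no
    attested credential data is present (AT flag clear)."""
    if len(auth_data) < 37:                      # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    if not flags & 0x40:                         # AT flag: attested credential data follows
        return None
    if len(auth_data) < 37 + 16 + 2:             # aaguid(16) + credIdLen(2) at minimum
        raise ValueError("truncated attested credential data")
    return UUID(bytes=auth_data[37:53])

def registration_decision(auth_data: bytes, fmt: str) -> str:
    """Hypothetical RP policy check at registration time."""
    aaguid = parse_aaguid(auth_data)
    if aaguid is None:
        return "reject: no attested credential data"
    # With fmt "none" (the norm for synced passkeys) the AAGUID is only
    # self-asserted; nothing cryptographically ties it to a provider.
    trust = "verified" if fmt != "none" else "unverified"
    if aaguid in DENY_LIST:
        return f"reject: provider {aaguid} is on the deny list ({trust})"
    return f"accept: provider {aaguid} ({trust})"

def build_auth_data(aaguid: UUID, cred_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Constructed authenticatorData for the demo: zero rpIdHash, flags UP|AT,
    signCount 0, then aaguid, credIdLen, credId and an empty CBOR map as the key."""
    rp_id_hash = b"\x00" * 32
    flags = bytes([0x01 | 0x40])
    sign_count = struct.pack(">I", 0)
    cose_key = b"\xa0"                           # empty CBOR map, stands in for the public key
    return (rp_id_hash + flags + sign_count + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id + cose_key)
```

The user-facing consequence discussed above follows directly: a registration that lands in the "reject" branch fails for the user with no recourse other than a different provider.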
The important part is the GDP is now increased because of the cost of energy and additional hardware needed to expand and then compress the original data. Think of the economic growth all these new hassles provide!
> This is only partially true. Nothing in the spec, all up to implementers. At least KeePassXC sure provides a way to access your data: https://github.com/keepassxreboot/keepassxc/issues/10407. Other software behavior may vary.
This thread is one of the guys from FIDO threatening to blacklist keypass for doing just that, using the spec'd passkey attestation feature as the tool to do so. Just because the attestation feature isn't widely used as a weapon just this second doesn't mean that is not the intended endgame, in fact I'd argue the hand was tipped in that very thread.
They're probably just trying to not get their implementation blackballed with the attestation feature like one of the FIDO devs immediately threatened to do to keepass: https://github.com/keepassxreboot/keepassxc/issues/10407
I think the dance is all for naught though, they'll end up locked out as non-standard once uptake is high enough IMO.
Can't comment on Google specifically but hidden scrollbars mean I often don't realize a dialog has scroll bars until I reach out into the dark edges to find what I hope is there. Microsoft will even harness this as a dark pattern to hide options they don't want you to choose.
Perhaps your dad simply expected scrollbars to be visible like they initially were.
IIRC the rule Mastercard cited was so vague that trying to work around it almost seemed potentially pointless. It was basically a blanket "we think it makes MasterCard look bad so we end our relationship". Anyway, debit cards are still Visa/Mastercard so using them as cash has the same problem. I was thinking they could just use Steam gift cards but since those are often themselves purchased in stores or with credit cards it seems to just push the problem a little further away.
I believe Steam did support bitcoin at one point but decided to end usage because the price fluctuations made it too unpredictable on their end. Maybe the landscape has changed though.
> Steam did support bitcoin at one point but decided to end usage because the price fluctuations made it too unpredictable on their end.
Valve knew that there would be price fluctuations. Everyone knew that, and knew how to deal with it. They just priced the games in dollars, with a conversion to the Bitcoin value at the moment of sale.
But what Valve did NOT expect was that the Bitcoin blockchain would suddenly grow so popular and congested (which was a result of massive publicity from events such as Steam accepting Bitcoin). So suddenly, to Valve's surprise, the average fees to be sure that a payment would soon be processed on the blockchain fluctuated wildly upwards during that period, up to tens of dollars. The Blockchain congestion and high fees were exacerbated by technical and ideological arguments about how the Bitcoin network should function. The "small block" faction won, but Bitcoin quickly became a laughing stock as a method of payment, because second layer solutions to the network congestion weren't ready.
The high fees were a huge problem in themselves for Steam customers, and there were other support issues caused by Steam customer difficulty understanding how to use Bitcoin (and who can blame them?). Customers were angry because they had paid for a game, but their payments were delayed for days unless they paid an indeterminate Blockchain transaction fee which might be more than the cost of the game they were trying to buy.
After a few months of that chaos, Steam dropped Bitcoin. So did many other retailers.
Ironically, Bitcoin payments work much better now and fees are lower, but it lost a lot of goodwill from retailers like Steam during that period, and most of them have not come back.
> Are you sure that Bitcoin payments work much better because the amount of payments has dissipated?
I don't know. On the base layer, payments are all just transactions on the Blockchain, like any other. So it's not easy to see whether a transaction is a payment or an "investor" speculating, or something else. Then there are also other layers, like Lightning.
My guess is the relative percentage of retail Bitcoin payments, compared to speculative transactions, is now lower than 2017, when Steam accepted Bitcoin. I don't know if the absolute amount of payments has reduced. Maybe?
You could look at historical charts of average Bitcoin fees[0], which gives you an idea when retail Bitcoin payments are practical, and when the fees are too damn high. Fees often got above $4, sometimes much higher, in 2024 for example, which would be unacceptable for something like buying a game from Steam. Though, still, that doesn't show what impact Lightning is having on retail payments.
It's not about gaining a way to handle transactions without MasterCard. It's about losing MasterCard (or any other third party intermediary that follows their rules), and all of the accompanying customers who are accustomed to paying online with a credit card instead of going to a corner store and buying a Steam Card using cash.
It would take a lot of effort for Mastercard/Visa to stop physical retailers from selling Steam gift cards. Beyond gift cards, there's also systems such as PaySafeCard, which lets you pay with cash at a physical store and spend it online at any merchant who accepts it using a code.
And for crypto they can just accept Monero. Steam accepted Bitcoin years ago, but stopped due to high fees and network congestion. Monero fixes that + makes it private like cash, and has been the de facto cryptocurrency for years now.[1]