zlacker

[parent] [thread] 8 comments
1. coldpi+(OP)[view] [source] 2025-07-03 19:27:46
Thanks for the reply. So in theory, I could get this MDOC file and store it on my desktop computer, and use an open-source library whose behavior I can verify, to provide the proof to the website via my web browser. Yeah? This sounds good to me.
replies(1): >>Matteo+s
2. Matteo+s[view] [source] 2025-07-03 19:31:43
>>coldpi+(OP)
No. Using the MDOC requires a signature from a hardware security key in the phone, and a lot of the complexity is how to avoid leaking the private key, which would identify you.
replies(1): >>coldpi+11
◧◩
3. coldpi+11[view] [source] [discussion] 2025-07-03 19:35:34
>>Matteo+s
Well, that's not great. My phone is closed-source and its software is provided by an ad company. I do not trust it to always behave in my interests.
replies(1): >>Matteo+73
◧◩◪
4. Matteo+73[view] [source] [discussion] 2025-07-03 19:49:59
>>coldpi+11
An alternative would be some secure chip in a credit-card size plastic document, but nobody seems to like that idea. We (Google) don't make these choices.
replies(1): >>coldpi+W3
◧◩◪◨
5. coldpi+W3[view] [source] [discussion] 2025-07-03 19:55:35
>>Matteo+73
Another approach could be for a component in the protocol that I do trust (eg an open source web browser) to serve as an intermediary, providing only the information required to each of the components that I don't trust (wallet, website). The wallet does not need to know who is requesting the proof, right?
replies(1): >>Matteo+W5
◧◩◪◨⬒
6. Matteo+W5[view] [source] [discussion] 2025-07-03 20:12:00
>>coldpi+W3
I hear you. The main problem is how to prevent you from giving your document to somebody else, and things have converged on certified smartphone with security key plus biometrics.
replies(1): >>coldpi+V6
◧◩◪◨⬒⬓
7. coldpi+V6[view] [source] [discussion] 2025-07-03 20:18:32
>>Matteo+W5
Yeah, Passkeys are doing the same thing, expecting users to just blindly trust American Big Tech companies. It's distressing that no one working on these protocols considers the developers of the software that implements the protocol to be a party in the protocol. What are the wallet provider's interests in this exchange? How can the user be protected from the wallet provider? Seems no one asks these questions :(
replies(1): >>AgentM+oJ
◧◩◪◨⬒⬓⬔
8. AgentM+oJ[view] [source] [discussion] 2025-07-04 04:47:41
>>coldpi+V6
Anyone can implement passkeys. The feature where passkeys can be made to attest to the hardware provider is optional and no site I've used requires it. Firefox defaults to not allowing passkeys to attest to the hardware unless you click through a permission dialog.
replies(1): >>coldpi+Rp1
◧◩◪◨⬒⬓⬔⧯
9. coldpi+Rp1[view] [source] [discussion] 2025-07-04 12:11:04
>>AgentM+oJ
I don't want to get into a Passkey derail, but no. The Passkey spec requires clients to handle the user's own data in certain ways, and the Passkey spec authors threaten clients that allow users to manage their own data with client bans.
[go to top]