undefined | Better HN

0 pointsblibble2mo ago0 comments

> they are treated like a virtually secret value by the platform

"virtually" is the problem

for webauthn the public key isn't revealed to everyone for privacy reasons, not cryptographic reasons

the webauthn API is also only part of the cryptosystem

the platform authenticator (yubikey, windows hello, password manager, whatever) may have an API to list stored public keys without any authentication at all

because they were never intended to be protected

0 comments

csuwldcat2mo ago

It's a deliberate architectural decision that passkey authenticators not allow any retrieval or enumeration of key pairs - they don't even have internal APIs for it. This holds true for all known implementations, as it is a core principle of the system design.

blibbleOP2mo ago

> it's a deliberate architectural decision that passkey authenticators not allow any retrieval or enumeration of key pairs

there is no much thing as a "passkey authenticator"

there are "platform authenticator" and "roaming authenticators"

> they don't even have internal APIs for it.

CTAP has an enumerate credentials command, which returns, among other things:

> publicKey (0x08): public key of the credential in COSE_Key format

https://fidoalliance.org/specs/fido-v2.3-rd-20251023/fido-cl...

> This holds true for all known implementations, as it is a core principle of the system design.

oh dear

csuwldcat2mo ago

The underlying CTAP implementations are only used by the platform to facilitate core activities, they are not used to expose key pairs to external parties. Please link to where any API offers up public keys to external userland actors, and any use of said APIs beyond core credential management. If this is assumed insecure/exposed, it would mean the system and its guarantees cannot be trusted as advertised, given both keys are supposed to be handled as a secure, opaque bundle, disclosed to no one beyond the bound origin at create time.

1 more reply

csuwldcat2mo ago

No need for the "oh dear"-ing before you provide evidence. I'm not aware of any command for fetch or enumeration of public keys in CTAP (was rather confident it doesn't provide any such thing). Care to link to what you were referring to?

1 more reply

j / k navigate · click thread line to collapse

0 pointsblibble2mo ago0 comments

> they are treated like a virtually secret value by the platform

"virtually" is the problem

for webauthn the public key isn't revealed to everyone for privacy reasons, not cryptographic reasons

the webauthn API is also only part of the cryptosystem

the platform authenticator (yubikey, windows hello, password manager, whatever) may have an API to list stored public keys without any authentication at all

because they were never intended to be protected

0 comments

csuwldcat2mo ago

blibbleOP2mo ago

> it's a deliberate architectural decision that passkey authenticators not allow any retrieval or enumeration of key pairs

there is no much thing as a "passkey authenticator"

there are "platform authenticator" and "roaming authenticators"

> they don't even have internal APIs for it.

CTAP has an enumerate credentials command, which returns, among other things:

> publicKey (0x08): public key of the credential in COSE_Key format

https://fidoalliance.org/specs/fido-v2.3-rd-20251023/fido-cl...

> This holds true for all known implementations, as it is a core principle of the system design.

oh dear

csuwldcat2mo ago

1 more reply

csuwldcat2mo ago

1 more reply

j / k navigate · click thread line to collapse