It works! Beyond passkeys, I can encrypt a file in the browser with typage and WebAuthn, and then decrypt it with the same YubiKey from the CLI with age-plugin-fido2prf. README: github.com/FiloSottile/ty… PR: github.com/FiloSottile/ty… - ThreadSky

filippo.abyssdomain.expert • 71 days ago

It works! Beyond passkeys, I can encrypt a file in the browser with typage and WebAuthn, and then decrypt it with the same YubiKey from the CLI with age-plugin-fido2prf.

README: https://github.com/FiloSottile/typage/blob/push-xstnltwzumvw/README.md#encrypt-and-decrypt-a-file-with-a-passkey
PR: https://github.com/FiloSottile/typage/pull/28

Comments

burdiyan.com•52 days ago

Given that PRF extension is very recent and not widely available, I was thinking about workarounds. I wonder if what I came up with is insane or fine :)

…

burdiyan.com•52 days ago

If my passkeys are never sent to any servers and never exposed anywhere at all—everything is client-side, what if I derive an encryption key from some combination of credential ID, RP ID, and user ID (which would be some random 128/256 bit salt generated when passkey was created)?

boscolo.co•71 days ago

This is awesome!

But also, it is important for the world to understand that using this Passkey feature means creating a significant dependency on Apple/Google to protect the keys used for decryption.

The news recently about Apple caving to the UK to let them see these keys is concerning.

filippo.abyssdomain.expert•71 days ago

No, iCloud Keychain is end-to-end encrypted even without Advanced Data Protection.

boscolo.co•69 days ago

Correct, and I am not trying to stir up needless FUD against Apple.

But, Apple built things with a way to allow user recovery of the iCloud Keychain. It's not inconceivable for a Government to mandate changes that would allow them to gain access to these too. https://dub.sh/dHHRrip

Need to stay vigilant!

boscolo.co•69 days ago

Ooops, wrong url for the apple link
https://support.apple.com/guide/security/escrow-security-for-icloud-keychain-sec3e341e75d/1/web/1

jonesv.bsky.social•70 days ago

How does age-plugin-fido2prf compare with age-plugin-yubikey? Is the former replacing the latter?

filippo.abyssdomain.expert•70 days ago

The former only does symmetric encryption (requiring a touch to encrypt, too), but works with all FIDO2 token, not only PIV, and can interoperate with the browser.

arianvp.me•60 days ago

I really really want a `crypto/webauthn` package in go stdlib. would love your feedback in the discussion: https://github.com/golang/go/issues/71095#issuecomment-2698839007

filippo.abyssdomain.expert•60 days ago

Oooh I’ve actually been thinking a bunch about this, didn’t realize there’s a proposal, thank you.

koolooloo.bsky.social•71 days ago

Cool. Which use cases do you see for this ?

Comments

Posting Rules

Reply