Also, the "ECDSA Public Key Recovery" picture makes me suspect this is AI slop.
I did use AI for the ECDSA public key recovery diagram, because I wasn't about to spend hours hand rolling that in Lunacy. It's correct in broad strokes, and anyone who wants to understand it more deeply can just look at the code, imo.
Why not just use those?
Edit: that's what I get for not reading far enough -- the article addresses this, though I would quibble with the confident assertion that the extensions are not available in major browsers, given I worked for a startup literal years ago which built major functionality on top of these extensions, which were available in (at least) all relevant mobile browsers.
Ironically, you could make a pollyfill for the PRF functionality with this.
https://caniuse.com/mdn-api_credentialscontainer_get_publick...
https://caniuse.com/mdn-api_credentialscontainer_get_publick...
Apologies for the brash statement earlier; that was wrong of me.
The inability to use a passkey for the purposes of both authentication and secret storage (at least, without building non-trivial additional cryptographic plumbing) seems to me a reason to just use and push for the continued adoption and acceleration of the purpose-built extensions, instead of reusing a _public_ key as private material.
when the entire point of the token is to guard the private key, and make the public key accessible
"virtually" is the problem
for webauthn the public key isn't revealed to everyone for privacy reasons, not cryptographic reasons
the webauthn API is also only part of the cryptosystem
the platform authenticator (yubikey, windows hello, password manager, whatever) may have an API to list stored public keys without any authentication at all
because they were never intended to be protected
there is no much thing as a "passkey authenticator"
there are "platform authenticator" and "roaming authenticators"
> they don't even have internal APIs for it.
CTAP has an enumerate credentials command, which returns, among other things:
> publicKey (0x08): public key of the credential in COSE_Key format
https://fidoalliance.org/specs/fido-v2.3-rd-20251023/fido-cl...
> This holds true for all known implementations, as it is a core principle of the system design.
oh dear
... there's a link in the comment
> I'm not aware of any command for fetch or enumeration of public keys in CTAP (was rather confident it doesn't provide any such thing).
how do you think the discoverable key credential management dialogs work?
yes, there is no way to enumerate the public key in the webauthn api, but this is a property of the webauthn api only
the passkey cryptosystem consists of more than the webauthn api
there's the platform and roaming authenticators too
and you can't ignore them because they are the part of the passkeys cryptosystem that actually store the key material
and I have shown you, it is common for the layer below webauthn to support enumeration of the resident public keys
because... it's useful!
million dollar HSMs let you enumerate & see public keys, protected Java keystores let you enumerate & see the public keys, the windows certificate manager lets you enumerate & see public keys
(because surely no-one would be daft enough to try to build a secret key scheme out of the public keys of a pair?)
the point of the authenticator is that you don't need need to trust the platform, the operating system the browser or anything other than the authenticator
the authenticators job is to secure the private key, but it will happily serve up the public key to "random callers"
the browser/webauthn are not special, it's just another untrusted "random caller" from the authenticator's perspective
webauthn will not allow the public key out, but the authenticator will
> If you think any of those components/actors are not adhering to fundamental boundaries/limitations, like exposure of sensitive credential material to random callers on the device, it's a more far reaching indictment of passkeys in general.
there's nothing cryptographically sensitive about the public key
hence the name: PUBLIC key
yes? one of the main points of passkeys is that if your device is compromised: all your accounts aren't.
with your system, they are
> In reality, only the platform/OS and highly trusted actors/components that are already within the existing trust model
no, they aren't, if they were, the HSM/secure enclave wouldn't be needed at all
I've entertained this nonsense for almost 2 hours now, I'm done
the fact is, if the public key gets out, then your system is compromised
and I have shown you most (df not all) roaming authenticators have a way to enumerate public keys
as does every software HSM I've ever interacted with
A cryptographic seed is one of the most sensitive things. And here you choose to expose it to a website (even though it was specifically generated for that website). This is not something you do for authentication. The only reason to do this is to have javascript/wasm on a website perform sensitive cryptographic operations for you. You should never be doing this.
Applications such as password managers can already integrate entropy from a passkey to encrypt their databases using the Challenge-Response protocol: https://docs.yubico.com/yesdk/users-manual/application-otp/c...
Error: The operation either timed out or was not allowed. See: https://www.w3.org/TR/webauthn-2/#sctn-privacy-consideration....
On Android
csuwldcat•1mo ago
I’ll leave the details to the blog post, but here’s a short list of what PassSeeds enable:
- Need a user-custodied BLS12-381 key to engage in more advanced ZKP Verifiable Credential / proofing flows? Say less, you're covered.
- Want to create a petty cash Web wallet for Bitcoin transactions that relies on a secp256k1 key? Ask and ye shall receive.
- How about keys for decentralized social media identifiers and post signing that are of a type other than P-256? No problem, I got you!
phillipseamore•1mo ago
csuwldcat•1mo ago
gcr•1mo ago
fladrif•1mo ago
gurjeet•1mo ago
On a tangent, in the process I learnt that Firefox (at least on desktop) now has an "AI preview" feature where if you long-press on a URL, it brings up the pop-up. The first time, it notifies that the "AI" processing is local-only to preserve privacy.
[1]: Screenshot 2026-01-06 at 6.33.27 PM.png https://drive.google.com/file/d/15z--Oimct30QLuxR03nxMz9H_3L...
arjvik•1mo ago
Would KDF(deterministic_sign(“well-known message”)) not also provide valid entropy?
Is it just impossible to force a nonce for a deterministic signature?
MattPalmer1086•1mo ago
In general, using a key for a purpose it was not designed for gets you into trouble. Treating a public key as private key seed material is almost certainly going to be a problem. Systems are just not designed to keep public keys secret, even if webauth does.
csuwldcat•1mo ago
MattPalmer1086•1mo ago