... I'm concerned about a kernel side interface that's not been treated with enough care, and I'm concerned that use cases where the physically logged in user does not own the machine are getting lost
maybe all of these are worth smashing? if so, let's call that out as a goal
Conversation
but the fact that the WebUSB folks immediately yolo'd themselves into breaking the FIDO security model does not speak well of the amount of prior planning that's been put into changing the longstanding assumptions about what can access USB devices
ref:
1
1
It's already broken for a compromised device. When I use FIDO login with my Trezor Model T, it shows me the site identity on the touchscreen and I have to allow it there. The security key design is already broken if it relies on the OS / browser not being compromised.
3
historically users are really really bad at comparing things on two different screens
IMO the FIDO model is broken in all sorts of ways, so this might just be an artifact of that
1
1
In general, I don't think an HSM without secure input and output can actually provide as much as people expect from them.
For example, a hardware wallet for Bitcoin with no display lets an attacker send a million dollars to themselves when you confirm buying a pizza with it.
2
1
1
So, a proper hardware wallet has a screen and secure input. Ideally, it has a touchscreen or physical keyboard rather than just a few buttons.
HSM design in the Bitcoin world is so much more advanced in terms of the workflow and threat model of a traditional HSM. Find it weird.
2
1
Like being able to back up your seed on paper or with something like cryptosteel.com/product/crypto via it being displayed on the screen once when initializing it. If my Trezor Model T dies, I can initialize a new one with the seed and set the counter to UTC time and I can still login.
1
2
cc - we should do BIP39 recovery keys for ArmorLock so people can save them via the Cryptosteel Cassette (see above)
2
4
I proposed using BIP39 seeds when I came up with the concept that was implemented as github.com/seedvault-app/ which is the backup service implementation we include in GrapheneOS. I wasn't involved in development but the original developer based it on my concept for us to use it.
2
1
localization was one of our biggest concerns, honestly. we can't ship a feature like this without localizing it into lots of languages, and we don't have the expertise around for designing the wordlist for every language we support
1
There are already official ones: github.com/bitcoin/bips/b. It looks like translations are still being added.
thanks, I'll keep this bookmarked and hopefully it'll be expanded over time!
2