
U2F has nothing to do with WebAuthn. You bringing it up is literal whataboutism. We aren’t talking about it, we are talking about a completely different technology.

What about WebAuthn, explicitly, is complicated for you to understand? What about it is not a web standard that can be implemented in many different ways?

Furthermore, HTTP 1.1 is 174 pages, yet Firefox was able to implement it. Standards are, generally speaking, technical documents. Because that is what guarantees interoperability, that thing you are so vehemently defending.

Chrome passkeys are WebAuthn. Period. Fin. End of story. There is no separate implementation, they are the same thing. It is a standard that anyone can implement on either side that is intercompatible with whatever implementation is used. What part of this do you not understand?



> It is a standard that anyone can implement

WebAuthn supports attestation of a key storage device. How are you going to persuade site owners to trust your self-signed attestation certificate?


Ask the folks over at SoloKeys, who are both open source and FIDO certified.

It also supports it. Whether it’s enforced is a site owner’s decision, as are the trusted roots they use.

If a site owner wants to limit to only a single type of authenticator, they can already do that by only trusting its key, so I don’t see how that’s relevant to the topic of implementing the standard.


I think they think that Google/Apple/Microsoft are deliberately creating dense standards so that nobody else has the technical means to implement them. The evidence presented was that one of these (U2F?) took a long time for Firefox to implement. Just a little note to dispel all this BS in one swoop: Firefox was the first browser to implement WebAuthn. https://blog.mozilla.org/blog/2018/05/09/firefox-gets-down-t...



