On Sun, Sep 4 2022 at 04:48:10 PM +0000, Gary Buhrmaster
<gary.buhrmas...@gmail.com> wrote:
However, last this was discussed, the Fedora AAA system(s)
did not (yet?) support the full fido2/webauthn/passkey
functionality, so at this time such full integration is just a
dream(*).
You don't have to be a provenpackager to be able to do serious damage;
you just need to maintain one package that's installed by a
sufficiently-interesting quantity of Fedora users. In the long run, we
should be moving to require WebAuthn for all Fedora
authentication-related purposes, since it's unphishable. Last year I
entered my GitHub password into a phishing page that was proxying the
real GitHub... if the evil page had gone to just slightly more effort,
it could have easily intercepted a simple TOTP/HOTP challenge. This is
not possible with WebAuthn, which I would say actually is pretty much
equivalent to a security magic bullet.
That said, I say this keenly aware that WebKitGTK doesn't support
WebAuthn yet, and I would be interacting with Fedora packaging a lot
less if I couldn't use my normal web browser. And anybody who isn't
willing to buy a security key wouldn't be able to contribute to Fedora
at all.
Michael
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
