What I'm scared of is some sort of cryptography becoming the death of the open web. Baking keys into your hardware and doing remote attestation. It doesn't tie you to a real-world identity except that you're locked into using an unrooted (DRM'd) device for using online services like a normal person
If I had to choose between two evils, I'd rather upload my passport to cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device.
But uploading government IDs to a (few) central point(s) of trust will create outcry about privacy whereas hidden cryptography baked into normal people's devices with Google Play Services and Apple Something and just working in the background goes unnoticed until everyone (the 99% who aren't on a custom ROM) already experienced the benefits
For webauthn I know it can be all software, I've used virtual devices for testing a server implementation's security, but I vaguely remember there also being a mode that requires having keys signed by a hardware vendor. Just not sure anymore if that was webauthn or something else related to authentication
alt Hacker News
What I'm scared of is some sort of cryptography becoming the death of the open web. Baking keys into your hardware and doing remote attestation. It doesn't tie you to a real-world identity except that you're locked into using an unrooted (DRM'd) device for using online services like a normal person
If I had to choose between two evils, I'd rather upload my passport to cloudflare and be able to get anonymous tokens from their API (RSA blind signatures or whatever) to prove I'm a real person and browse the web with Firefox and no closed source components, than be forced into hardware attestation and a locked-down device. But uploading government IDs to a (few) central point(s) of trust will create outcry about privacy whereas hidden cryptography baked into normal people's devices with Google Play Services and Apple Something and just working in the background goes unnoticed until everyone (the 99% who aren't on a custom ROM) already experienced the benefits
For webauthn I know it can be all software, I've used virtual devices for testing a server implementation's security, but I vaguely remember there also being a mode that requires having keys signed by a hardware vendor. Just not sure anymore if that was webauthn or something else related to authentication