There's also the specific case of synced passkeys, which aren't exposed to CTAP management APIs for external parties, only to the OS/platform itself. You seem tied to a narrative where a user can install a native app that gets permission to call core OS/platform APIs that let the app get all the public keys of passkeys on the device, but no such permissions/APIs exist for apps, and providing them would be in explicit violation of the fundamental security model. In reality, only the platform/OS and highly trusted actors/components that are already within the existing trust model have such access for internal purposes, and if that's not a safe assumption, it would have broader implications beyond this concern.
> You seem tied to a narrative where a user can install a native app that gets permission to call core OS/platform APIs that let the app get all the public keys of passkeys on the device
yes? one of the main points of passkeys is that if your device is compromised: all your accounts aren't.
with your system, they are
> In reality, only the platform/OS and highly trusted actors/components that are already within the existing trust model
no, they aren't, if they were, the HSM/secure enclave wouldn't be needed at all
I've entertained this nonsense for almost 2 hours now, I'm done
the fact is, if the public key gets out, then your system is compromised
and I have shown you most (if not all) roaming authenticators have a way to enumerate public keys
as does every software HSM I've ever interacted with
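For readers who want to see concretely what the "enumerate public keys" claim refers to: the CTAP2.1 authenticatorCredentialManagement command's enumerateCredentials subcommand returns, per discoverable credential, a map that includes the credential's COSE public key (map key 0x08). The following is an added example, written for this page and not code posted by either commenter. It parses one such response and extracts the public key point. The response bytes are constructed inline (no authenticator is contacted), the CBOR codec is a minimal one written here rather than a library, and the map key numbers (6 user, 7 credentialID, 8 publicKey, 9 totalCredentials, 10 credProtect) and COSE labels are taken from the CTAP2.1 and COSE specifications.

```python
"""Added example: parse a CTAP2.1 credentialManagement enumerateCredentials
response and pull out the credential public key. Sample response bytes are
constructed below; nothing here talks to real hardware."""


# --- minimal CBOR codec: ints, byte strings, text strings, maps ------------

def _hdr(major, n):
    """Encode a CBOR initial byte plus length/value for major type `major`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")


def cbor_encode(v):
    if isinstance(v, bool):
        raise TypeError("bool not needed for this example")
    if isinstance(v, int):
        return _hdr(0, v) if v >= 0 else _hdr(1, -1 - v)
    if isinstance(v, bytes):
        return _hdr(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode()
        return _hdr(3, len(b)) + b
    if isinstance(v, dict):
        return _hdr(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(type(v))


def cbor_decode(b, i=0):
    """Decode one CBOR item starting at offset i; return (value, next_offset)."""
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info == 24:
        n, i = b[i], i + 1
    elif info == 25:
        n, i = int.from_bytes(b[i:i + 2], "big"), i + 2
    elif info == 26:
        n, i = int.from_bytes(b[i:i + 4], "big"), i + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major == 2:
        return bytes(b[i:i + n]), i + n
    if major == 3:
        return b[i:i + n].decode(), i + n
    if major == 5:
        d = {}
        for _ in range(n):
            k, i = cbor_decode(b, i)
            d[k], i = cbor_decode(b, i)
        return d, i
    raise ValueError("unsupported CBOR major type %d" % major)


# --- CTAP2.1 credentialManagement response keys (spec section 6.8) ----------
USER, CREDENTIAL_ID, PUBLIC_KEY, TOTAL_CREDENTIALS, CRED_PROTECT = 6, 7, 8, 9, 10
# COSE_Key labels for an EC2 key: kty=1, alg=3, crv=-1, x=-2, y=-3
COSE_KTY, COSE_ALG, COSE_CRV, COSE_X, COSE_Y = 1, 3, -1, -2, -3
CTAP2_OK = 0x00


def parse_enumerate_credentials_response(frame):
    """frame = CTAP status byte followed by the CBOR response map.
    Returns the fields an RP would see, including the raw public key point."""
    if frame[0] != CTAP2_OK:
        raise ValueError("CTAP error status 0x%02x" % frame[0])
    m, end = cbor_decode(frame, 1)
    if end != len(frame):
        raise ValueError("trailing bytes after response map")
    cose = m[PUBLIC_KEY]
    # Only ES256 on P-256 handled here; other kty/alg combinations are rejected.
    if cose[COSE_KTY] != 2 or cose[COSE_ALG] != -7 or cose[COSE_CRV] != 1:
        raise ValueError("expected an ES256 / P-256 COSE key")
    x, y = cose[COSE_X], cose[COSE_Y]
    if len(x) != 32 or len(y) != 32:
        raise ValueError("P-256 coordinates must be 32 bytes each")
    return {
        "user_id": m[USER]["id"],
        "user_name": m[USER].get("name"),
        "credential_id": m[CREDENTIAL_ID]["id"],
        "public_key_sec1": b"\x04" + x + y,   # uncompressed point, as stored by the RP
        "total_credentials": m.get(TOTAL_CREDENTIALS),
        "cred_protect": m.get(CRED_PROTECT),
    }


# Constructed sample response (not captured from a real device).
SAMPLE_X = bytes(range(1, 33))
SAMPLE_Y = bytes(range(33, 65))
SAMPLE_FRAME = bytes([CTAP2_OK]) + cbor_encode({
    USER: {"id": b"\x10" * 16, "name": "alice@example.com", "displayName": "Alice"},
    CREDENTIAL_ID: {"type": "public-key", "id": b"\xaa" * 32},
    PUBLIC_KEY: {COSE_KTY: 2, COSE_ALG: -7, COSE_CRV: 1, COSE_X: SAMPLE_X, COSE_Y: SAMPLE_Y},
    TOTAL_CREDENTIALS: 1,
    CRED_PROTECT: 1,
})

if __name__ == "__main__":
    cred = parse_enumerate_credentials_response(SAMPLE_FRAME)
    print(cred["user_name"], cred["public_key_sec1"].hex())
```

The point of the walk-through is that the public key is an ordinary field of the management response: whoever can issue the credentialManagement command (which on real devices is gated by the PIN/UV auth token, not by possession of the private key) gets the same public key the relying party holds. That is why a scheme that keeps the public key secret rests on a property authenticators were never designed to provide.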