Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The linked blog post explains it. The spec can be implemented by open source software, but the upcoming (or now current?) update to the spec enables attestation, that is, it allows the auth provider to cryptographically verify which implementation the client is using. Under this scheme, auth providers can simply choose to no longer support open source implementations like KeePassXC, and since the spec authors have already claimed that KeePassXC is "non-compliant" because it doesn't ask for a PIN on every auth request, it seems likely that that would happen.


Yes but it seems like KeyPassXC could just ask for PIN on every auth request to satisfy that requirement, without having to close their source.


What if I don't want KeyPassXC to ask me for a PIN every time? I can modify its source code and nobody can stop me.


Then your version of KeyPass will not be signed and won't pass TPM checks and so the banking app will refuse to run unless you open the signed version?


Which leads us back full circle to "Passkeys are incompatible with open-source software" from https://news.ycombinator.com/item?id=45090297


Attestation is dead outside of corporate environments. Apple will not implement it except through MDM.


Apple will implement it.


Source? That is surprising news.


Isn't PAT apple implementing attestation for everyone?




Consider applying for YC's Winter 2026 batch! Applications are open till Nov 10

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: