It’s just bullshit that the ‘industry’ is trying to push because ‘security’, catch me dead before I give up access to my private keys to some faceless multibillion corpo
The number of times I’ve seen people link to this thread while completely misunderstanding the context of it drives me nuts. The issue isn’t being able to export keys, it’s that KeepassXC was making it trivial to export keys in plaintext with no user warning/verification, which fundamentally undermines the biggest security advantage of passkeys - phishing resistance. In other words, if users can be easily talked through exporting their keys via a simple in-app flow that gives them no warning about the danger of what they’re doing, then they will do that and be scammed horribly by it.
The person who raised the issue was asking KeepasXC to come up with a better solution for exporting keys - originally he asked them to wait for the now standardized process that every passkey provider uses, but then they settled on showing the user an explicit warning about the danger of plaintext exports in the meantime.
If you choose to read the most hostile and uncharitable subtext into every word a person writes in public, you can misunderstand what he’s saying. Otherwise, this is a pretty cut-and-dry example of a person genuinely trying to support the interests of end users.
Obligatory github drama https://github.com/keepassxreboot/keepassxc/issues/10407
It’s just bullshit that the ‘industry’ is trying to push because ‘security’, catch me dead before I give up access to my private keys to some faceless multibillion corpo
The number of times I’ve seen people link to this thread while completely misunderstanding the context of it drives me nuts. The issue isn’t being able to export keys, it’s that KeepassXC was making it trivial to export keys in plaintext with no user warning/verification, which fundamentally undermines the biggest security advantage of passkeys - phishing resistance. In other words, if users can be easily talked through exporting their keys via a simple in-app flow that gives them no warning about the danger of what they’re doing, then they will do that and be scammed horribly by it.
The person who raised the issue was asking KeepasXC to come up with a better solution for exporting keys - originally he asked them to wait for the now standardized process that every passkey provider uses, but then they settled on showing the user an explicit warning about the danger of plaintext exports in the meantime.
If you choose to read the most hostile and uncharitable subtext into every word a person writes in public, you can misunderstand what he’s saying. Otherwise, this is a pretty cut-and-dry example of a person genuinely trying to support the interests of end users.