jmsgwd | 2 months ago

Once "secure credential exchange" becomes supported by commercial credential managers, what's to stop someone implementing an open source password manager that implements the standard and allows local export in plaintext?

pseudalopex | 2 months ago

Passkeys relying parties can block providers. Tim Cappalli threatened the KeypassXC developers so.[1] The restrictions demanded now do not restrict user freedom significantly arguably. But the incentives and capabilities are clear.

[1] https://github.com/keepassxreboot/keepassxc/issues/10407#iss...

jmsgwd | 2 months ago

OK but you'd still be able to use the open source "password manager" to export the keys - which solves the issue lapcat raised in this thread - even if relying parties blocked it for authentication, which would be a separate issue.

Someone could develop a "passkey export tool" purely for the purpose of doing credential exchange then local export.

Or are you saying the credential exchange process itself could block providers?

timmyc123 | 2 months ago

Hi, Tim Cappalli here.

Not sure how stating that my (an individual) opinions on a topic are evolving is interpreted as "threatened the KeypassXC developers".

If you've been following along, you'll have seen that I am actually one of the biggest advocates of the open passkey ecosystem, and have been working really hard to make sure all credential managers have a level playing field.

Always happy to chat directly if you have concerns!