I find it weird that GPG/PGP leans so heavily into "one key per person". Why shouldn't I be encouraged to have 2 or 4 or 10 identities if I want to? If my "web of trust" is diluted as a result, then that's on me (and I don't much care).
At least the OpenPGP smart card specification kind of does, yes.
It uses a "single private key stored on the card" (ok, actually three keys) model, whereas FIDO (including SSH's security key implementation) uses key handles, which theoretically support an unlimited number of keys per authenticator.
A key handle seems to be the real private key encrypted with a static key from the hardware key.
You can achieve that yourself, for example, using Pass. Encrypt a theoretically unlimited number of passwords and secret keys with the master password in the hardware token.
> A key handle seems to be the real private key encrypted with a static key from the hardware key.
It can be, but it's essentially just a binary blob. It can also be entropy to deterministically re-derive a private or secret key from an internal root secret, or just a primary key to look up that key or entropy within the token.
> You can achieve that yourself, for example, using Pass.
How? With a hardware token, you can only do what its protocol allows you to in terms of key derivation.
That means that with a standard OpenPGP card, you will not be able to do key handle based key derivation, while with FIDO/CTAP you can.
You could obviously develop your own OpenPGP-compatible hardware token standard, but you'd only be able to use it with a patched version of GPG, GPG agent, etc., and a big advantage of OpenPGP smartcards (and even more so FIDO/CTAP tokens) is that they are widely supported without requiring driver installation.
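The "key handle as entropy for deterministic re-derivation" model from the discussion above, as an added toy example (not code from any commenter, nor from a real FIDO/CTAP implementation): the token stores only a root secret, mints a handle of random nonce plus an HMAC tag bound to the relying party, and later re-derives per-credential key material from that handle. The root secrets, relying-party names and the HMAC-based construction are all assumptions for illustration; a real token would feed the derived bytes into an asymmetric key generator and sign with it.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN = 32   # random part of a handle
TAG_LEN = 32     # HMAC-SHA256 output


class StatelessToken:
    """Toy model of a FIDO-style authenticator that keeps no per-credential state:
    every credential is re-derived from (root secret, key handle, rp_id)."""

    def __init__(self, root_secret: bytes):
        self._root = root_secret  # never leaves the token

    def _prf(self, label: bytes, nonce: bytes, rp_id: str) -> bytes:
        return hmac.new(self._root, label + nonce + rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id: str, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Mint a new credential for rp_id; returns (key_handle, key_material).
        The handle is nonce || tag, so the token can later recognise its own handles."""
        nonce = nonce or os.urandom(NONCE_LEN)
        handle = nonce + self._prf(b"tag|", nonce, rp_id)
        return handle, self._prf(b"key|", nonce, rp_id)

    def open_handle(self, handle: bytes, rp_id: str) -> Optional[bytes]:
        """Re-derive the key material for a handle, or None if the handle was not
        minted by this token for this relying party (wrong token, or phishing rp)."""
        if len(handle) != NONCE_LEN + TAG_LEN:
            return None
        nonce, tag = handle[:NONCE_LEN], handle[NONCE_LEN:]
        if not hmac.compare_digest(tag, self._prf(b"tag|", nonce, rp_id)):
            return None
        return self._prf(b"key|", nonce, rp_id)


def demo() -> dict:
    """Constructed root secrets; shows unlimited independent credentials from one secret."""
    token = StatelessToken(root_secret=bytes.fromhex("11" * 32))
    other = StatelessToken(root_secret=bytes.fromhex("22" * 32))
    h1, k1 = token.register("example.com")
    h2, k2 = token.register("example.com")
    return {
        "rederive_matches": token.open_handle(h1, "example.com") == k1,
        "credentials_independent": h1 != h2 and k1 != k2,
        "wrong_rp_rejected": token.open_handle(h1, "evil.example") is None,
        "other_token_rejected": other.open_handle(h1, "example.com") is None,
    }
```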
Instead of arguing "we need to cut costs", why don't they work on an entry-level paid tier? Seriously, it is like they're not even trying to compete with GH at this level.
I was reviewing git hosting prices this week and Gitlab pricing really didn't make sense. The cheapest paid plan doesn't provide enough incentive to the majority of people who just want to host small/personal projects.
While I despise this kernel level bs, do you know how it is going to be implemented on Linux?
As far as I understand, it is coming via Proton/Wine, so these programs would need some kind of kernel level access as well (if they don't have it currently)? Or maybe they're just emulating Windows kernel calls or something like that. I mean, less intrusive (but also less effective) in a Linux system.