Wouldn't there be advantages to using something like a FIDO2 yubikey or some future FIDO2 phone/app system like Apple/Google/etc are talking about rather than a TPM?
Also, I agree with commenter about the mTLS. mTLS is great except that it breaks at load balancers/reverse-proxies and enterprise http proxies. For some folks they're actually quite important/convenient for common application deployment architectures and to many enterprise security teams to control and have visibility/forensic-investigatory capability for web traffic. Seems we need something lightweight that operates within the data stream after tunnel is established like commenter was talking about and integrate it into lots of frameworks/libraries to make it very easy for everybody to implement into existing codebases without conflicts with infrastructure/proxies/etc..
Power management, mobile and firmware developer on Linux. Security developer at Aurora. Ex-biologist. mjg59 on Twitter. Content here should not be interpreted as the opinion of my employer. Also on Mastodon.
FIDO2 ?
Date: 2022-05-18 07:36 pm (UTC)Wouldn't there be advantages to using something like a FIDO2 yubikey or some future FIDO2 phone/app system like Apple/Google/etc are talking about rather than a TPM?
Also, I agree with commenter about the mTLS. mTLS is great except that it breaks at load balancers/reverse-proxies and enterprise http proxies. For some folks they're actually quite important/convenient for common application deployment architectures and to many enterprise security teams to control and have visibility/forensic-investigatory capability for web traffic. Seems we need something lightweight that operates within the data stream after tunnel is established like commenter was talking about and integrate it into lots of frameworks/libraries to make it very easy for everybody to implement into existing codebases without conflicts with infrastructure/proxies/etc..
/dj6/