It was bought by Microsoft after becoming established. Most free software projects don’t care enough to move if they don’t self host.


And I’m just letting you know that link bombing isn’t, and it’s actually a discussion if you explain your point rather than dropping someone else’s novel.
If for no other reason than because you don’t have to dig for what part of what was posted is related to what they were saying, and you can much faster say “ah, you’re talking about something totally different than I am”.


Just so you know, from looking at the wall of text you pasted by proxy: those are arguments against the notion that a TPM can make the device itself secure, not that it is untrustworthy for the notion of signing and storing encrypted data.
Next time, make your point and provide references (or not), rather than just link bombing.


I’m not seeing anything that’s not a great look about requiring strong authentication for access to sensitive portions of a user’s account. What you’re saying is akin to calling it a bad look that they force users to use complex passwords against user wishes.
I’m not sure what “trust me bro, my cloud is safe” has to do with anything. Passkeys live on your device. There are ways of facilitating device to device migrations of the keys if you want. You don’t need to use them to use passkeys. And at least on Android you don’t need to even use Google to manage the keys.
Most semiconductors are closed source. The processor, ram, and radio are also more than likely closed. The software interfaces to all of them have open specification and implementation. There’s like, six for Linux. Microsoft open sourced theirs.
TPMs are not security through obscurity. They are obscure, but that’s not a critical component to their security model.
What they do isn’t really what “collecting biometrics” implies. They’re storing key points in a hashed fashion that allows similarities to be compared. Even if it wasn’t encrypted in a non-exportable way you still can’t do anything with it beyond checking for a similarity score.
You’ve done a good job explaining what I said previously: there’s sometimes a disjoint between privacy and security concern, and so sometimes people don’t understand something about security.


That’s close enough for a privacy perspective. There are also limitations on domains that can request the auth, specifically “only the one the credential is for”, and there’s a different key per domain and user typically.
It’s also implemented in a way where if the user doesn’t choose to disclose their account to the service, the service can’t know.
Caring about privacy and caring about the details of a security protocol are distinct. You’d be surprised how many people who care about privacy are deeply wary of passkeys because of the biometric factor, which is unfortunate because the way it authenticates is a lot harder to track across domains by design.
I understood they had a lot of concerns, one of which was biometrics via passkeys since GitHub was a very early adopter due to the supply chain risk they pose.


I know how device fingerprinting works, thank you though.
You don’t need my fingerprint, hardware or personal, or biometric shit.
To me that sounds like hardware identifiers, but also quite specifically the things passkeys use. Hence I mentioned it as aside from their main point, which was “don’t track me”, because the biometrics GitHub or any website is going to ask you to use can’t be used for that.


Tangential to the main point you’re going for: when you say fingerprint or biometrics I think you’re referring to passkeys.
Passkeys don’t share any of your fingerprint or other biometric identifiers with anyone.
https://www.eff.org/deeplinks/2023/10/passkeys-and-privacy
One of the major design criteria of their creation was to be an increase in security without sacrificing privacy. It’s made them more finicky to get working but there’s a very good reason they’re very popular with security professionals.
Nah, it’s cool. We’re clearly talking at cross purposes. Have a good one.