On 9/13/22 21:37, Tommy Nguyen wrote: > On Tue, 2022-09-06 at 16:14 -0500, Jonathan Wright via devel wrote: >> On Tue, Sep 6, 2022 at 3:52 PM Vitaly Zaitsev via devel < >> devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote: >> >>> On 06/09/2022 19:49, Michael Catanzaro wrote: >>>> Of course, hardware authenticators would be even more secure, and >>>> it >>>> sure seems pretty reasonable to expect that people with commit >>>> access to >>>> Fedora packages are able to purchase a $25 or 30€ security key >>>> [1][2]. > > I think most people would find it not reasonable for contributors to an > open source project to pay any amount of cash, even $25, to gain > packaging rights. That's tantamount to a membership or entrance fee. > > While I think this discussion has gone off the rails, here are my > thoughts: > - Why such a focus on FIDO2? It seems that nobody has discussed any > alternatives. FIDO2 isn't even necessarily universally acclaimed in the > infosec space Because FIDO2 is not phishable. TOTP and HOTP are. The only other non-phishable authentication method is TLS client certificates and I would be fine with those. > - Why such a focus on devices that cost money? I have 2FA enabled on my > phone with a free open source TOTP app Because there is no good software FIDO2 implementation. This can be solved with a TPM-backed one, since almost every laptop has a TPM. -- Sincerely, Demi Marie Obenour (she/her/hers) _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
