On Аўт, 25 чэр 2024, Vitaly Zaitsev via devel wrote:
On 25/06/2024 15:06, Stephen Gallagher wrote:
I am not a lawyer, but I would assume that if Fedora offered to
provide such a token, it would be reviewed by Legal and provide some
form of legally-binding assertion that we weren't sending out
malicious devices.
Who can guarantee that these devices were not replaced during delivery?
In that situation, the
provenpackagers would be making a three way decision: 1) Stop being a
provenpackager, 2) buy their own token or 3) accept one provided by
Fedora.
4. Allow classic OTP codes.
I would prefer this one since I can use open source applications to
generate these codes. I can't find any FIDO2 implementations that are
completely open source which doesn't require proprietary technologies
like TPM or SGX. Relying on a black box is not an option for me.
Nobody prevents you from using 'classic OTP codes' either. It is what
enabled now as 'OTP' and there is no way to find out whether you are
using a hardware token or a software one for TOTP/HOTP. So this is not
changing at all.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
