On Tue, 25 Jun 2024, Vitaly Zaitsev via devel wrote:
On 25/06/2024 15:06, Stephen Gallagher wrote:
I am not a lawyer, but I would assume that if Fedora offered to
provide such a token, it would be reviewed by Legal and provide some
form of legally-binding assertion that we weren't sending out
malicious devices.

Who can guarantee that these devices were not replaced during delivery?

In that situation, the
provenpackagers would be making a three way decision: 1) Stop being a
provenpackager, 2) buy their own token or 3) accept one provided by
Fedora.

4. Allow classic OTP codes.

I would prefer this one since I can use open source applications to generate these codes. I can't find any FIDO2 implementations that are completely open source and don't require proprietary technologies like TPM or SGX. Relying on a black box is not an option for me.

Nobody prevents you from using 'classic OTP codes' either. It is what is
enabled now as 'OTP', and there is no way to find out whether you are
using a hardware token or a software one for TOTP/HOTP. So this is not
changing at all.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue