On Thu, Jun 18, 2026 at 9:01 PM Kevin Fenzi <[email protected]> wrote:

> So, we can surely change the requirement to be MUST (and we probibly
> should), but there's a bunch of corner cases and things to note:

(is that a "should" or a "MUST" (ha ha))

SHOULD was best the community would seem to accept
at the time due to some strong objections to a MUST.

>   The new ssh keys that use fido2/etc won't work against
>   src.fedoraproject.org because it's RHEL8 and doesn't understand them,
>   but we could perhaps setup some requirement for the new forgejo setup
>   to need them.

Is there any resourced plan to upgrade to a RHEL that
supports the ssh FIDO2 encryption types?  I would love
to migrate to a FIDO2 required ssh key (and while I am
not a PP, so am probably not a major risk to the
community, I like to believe I take security seriously).

> - Indeed if you loose all access to all your otps, you currently have to
>   manually email us and do something to prove your are you in order for
>   us to clear them.  This can be any of: gpg signed emails, ssh access,
>   external verify if we have access to it/trust it, etc. Whatever is
>   available and trustworthy. That said, I would urge everyone with an
>   otp enrolled to... enroll at least one backup one.

In some cases a TOTP solution provider may back up the
secret to a differently authenticated source (I believe Apple
users can backup to the iCloud Keychain, and Google users
can use their Google Authenticator cloud backup).  Those
backups typically require their own validation (including in
some cases passkeys) to recover.
-- 
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://forge.fedoraproject.org/infra/tickets/issues/new

Reply via email to