
Having a single certificate makes it trivial to implement cross-website tracking. FIDO2 (and by extension Passkeys) prevents this by having a unique key for every (origin, username) combination.

Also, having a single cert shared across multiple hardware tokens is a security risk, as it becomes impossible to distinguish the tokens or revoke only a single one of them.
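The two points in this comment, unlinkability across origins and per-token revocation, can be made concrete with a small simulation. The code below is an added illustration, not from the thread or from any FIDO2 implementation: it stands in a deterministic HMAC derivation over (rp_id, user_id, nonce) for the per-registration key pair a real authenticator would generate, and a SHA-256 of that material for the public key the relying party stores. All relying-party names, user ids and certificate bytes are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two unrelated relying parties and one user.
RP_IDS = ["shop.example", "bank.example"]
USER_ID = b"alice"


def shared_cert_identifier(cert_der: bytes) -> str:
    """One client certificate presented everywhere: each site sees the same
    fingerprint regardless of origin, so two colluding sites can join records."""
    return hashlib.sha256(cert_der).hexdigest()


def per_origin_credential(master_seed: bytes, rp_id: str, user_id: bytes) -> str:
    """Simplified stand-in (assumption, not the real FIDO2 scheme) for a
    per-(origin, user) credential. A fresh nonce per registration means the
    value stored by one relying party carries no information usable by another."""
    nonce = secrets.token_bytes(16)
    key_material = hmac.new(
        master_seed,
        rp_id.encode() + b"\x00" + user_id + b"\x00" + nonce,
        hashlib.sha256,
    ).digest()
    # The relying party only ever stores this "public" identifier.
    return hashlib.sha256(b"pub:" + key_material).hexdigest()


def linkable_across(stored_by_rp: dict[str, set[str]]) -> bool:
    """What colluding relying parties can do: intersect what each of them stored."""
    return len(set.intersection(*stored_by_rp.values())) > 0


def tracking_comparison() -> tuple[bool, bool]:
    """Returns (linkable with a shared cert, linkable with per-origin credentials)."""
    cert_der = b"-----constructed client certificate bytes-----"
    seen_shared = {rp: {shared_cert_identifier(cert_der)} for rp in RP_IDS}

    seed = secrets.token_bytes(32)  # one authenticator, one master seed
    seen_per_origin = {rp: {per_origin_credential(seed, rp, USER_ID)} for rp in RP_IDS}
    return linkable_across(seen_shared), linkable_across(seen_per_origin)


def revocation_comparison() -> tuple[int, int]:
    """Two hardware tokens registered at the same site. Returns how many distinct
    identifiers the site holds in each model; revoking one token in isolation is
    only possible when the count equals the number of tokens."""
    rp = RP_IDS[1]
    cert_der = b"-----constructed client certificate bytes-----"
    # Shared cert: both tokens present identical material, the site cannot tell them apart.
    shared = {shared_cert_identifier(cert_der) for _ in range(2)}
    # Per-token seeds: each token registers its own credential, so one can be deleted.
    per_token = {per_origin_credential(secrets.token_bytes(32), rp, USER_ID) for _ in range(2)}
    return len(shared), len(per_token)


if __name__ == "__main__":
    print("linkable (shared cert, per-origin):", tracking_comparison())
    print("distinct ids per site (shared cert, per-token):", revocation_comparison())
```

With the shared certificate both sites store the same fingerprint, so the intersection is non-empty; with per-origin credentials the intersection is empty, and the same site holding two distinct identifiers is what lets it revoke a single lost token.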



The vast majority of users treat their set of passkeys as a unit anyway, so there’s no scenario when a single token would need to be revoked in isolation. A breach of one passkey can only occur from breaching the password manager itself, in which case all passkeys are exposed, so there’s no security benefit to having per site passkeys.

Users who truly need that ability can create multiple certificates, and synchronise them as appropriate.


perhaps this is a good moment for you to engage in some reflection and consider that perhaps some people have put more thought into "how do we replace passwords" than you did in making a single hacker news comment?

you:

> A single per-user client certificate is a cleaner solution, without the vendor lock in problem, since there’s no need for real time synchronisation of an evolving set of passkeys.

reply:

> Having a single certificate makes it trivial to implement cross-website tracking.

you:

> Users who truly need that ability can create multiple certificates, and synchronise them as appropriate.

well, indeed! perhaps designing a system to support multiple certificates with synchronisation, so that we're not forcing every user to be trackable by every single website, would be a good idea.

some sort of keys to enable one's passage into a website?

this is a cancer on this website, and certainly one I'm also suffering from, despite being quite aware of it - real life things are usually pretty complicated and just because I know enough to make a random guess at a solution, it doesn't mean people who have put way more thought into the problem have done a bad job or missed my brilliant insight.



