cviecco

Results 18 comments of cviecco

keymasterd already supports CORS iff the PKCE auth0 client is enabled (not by default). It seems like you have a JS app that also tries to login. Please enable this...

I am planning the following: 1. Experimental flag to allow webauthn in addition to u2f (web only) 2. Work on migrating/reusing the current u2f registrations to be signed via the...

@prydonius : if you disable the OTP on the yubikey is this still an issue? (I think this would be a workaround)

@rgooch : what version of yubikey do you use (paste the whole -checkDevices string) and what version of MacOS?

An idea.. test with using libfido2.. which is made by yubico? https://github.com/keys-pub/go-libfido2

I would disagree with this one. The admin port is also used to collect metrics for the system and to perform unsealing operations. I would agree that: 1. Logs /sensitive...

What about if we start using [gravatar](https://en.gravatar.com/) images profiles? We will not store any extra data on the db.. instead we compute the user's hash and download to a local...

Adding another dependency seems against the resiliency guarantees of keymaster. However a blacklist kept in the db, and propagated to the machines every X seconds would be a decent trade-off....

At the end of the day this is just a desire to have a blacklist for explicitly disabled tokens. (revocation list). Since querying this list must be inline to operations,...

Do you mean keymaster's CA cert as downloaded from https://keymaster.example.com/public/x509ca? I don't understand the question (why would clients want this cert anyway?). Or if it's something else can you explain...