Péter Szilágyi
What I mean is that I can just make up an arbitrary fake audit chain that I just keep adding commands to and nobody without access to the real HSM...
How insane would it be to have the HSM publicly accessible with a publicly known log auditor private key? That would allow cross-verifying the identity of the HSM when establishing...
I'm actually trying to create a fully public transparency log of the operations. That's why a signature would have solved everything and without it I'm in quite a bit of...
I'd assume that even if such a feature lands, it would take an unknown amount of time to become available and even after the firmware is done, using it would...
Hmm, I think I hit yet another issue with the log authentication. The device has its own identity signed by Yubico. But the key used for asymmetric authentication into the...
I can also attest an arbitrary other public key and have the client talk to a fake YubiHSM. I cannot prove to the client that the public key I give...
But you cannot attest the device public key as it stands by default. It is not in any specific key slot which would allow you to have the "locally generated"...
Ah, I see. Is that attestable 0 key id documented anywhere? Indeed I can generate an attestation for that public key this way and I do have the object id...
Can confirm that I also hit this and it feels very wonky
The example on the [Cloudflare API page](https://developers.cloudflare.com/api/resources/kv/subresources/namespaces/subresources/values/methods/update/#(params)%20default%20%3E%20(param)%20account_id%20%3E%20(schema)) is also broken, it will error with: `can not parse value and metadata from multipart request body: 'could not parse multipart request: 'no...