Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Inquiry on Attestation Certificates and CRL Checks
197 views
Skip to first unread message
Mário Sousa
Feb 14, 2025, 3:23:15 PMFeb 14
to FIDO Dev (fido-dev)
Hello everyone,
I’m currently evaluating the impact of attestation certificate validation, particularly regarding the time spent checking Certificate Revocation Lists (CRLs) and the overall size of CRLs, which can grow beyond our control.
I understand that not all attestation formats will have a certificate, and the certificate may not have a CRL distribution point extension.
Considering that the RP server could be used by millions of users, I’d like to ask if anyone can provide insights or data to better understand:
- What percentage of authenticators send attestation with attestation certificates?
- Based on the group’s experience, how frequently does attestation validation—including CRL checks—occur in real-world deployments?
- Is there any statistical data available on the attestation formats and types commonly used?
Any insights or references to relevant reports would be greatly appreciated.
Thank you in advance.
Arshad Noor
Feb 14, 2025, 8:27:28 PMFeb 14
to Mário Sousa, FIDO Dev (fido-dev)
Mario,
You are asking very pertinent questions.
Back when FIDO was founded, attestation certificates from Authenticator
manufacturers were supposed to do exactly what their intent was: to
provide an assurance to relying parties (RP) that an unknown
registration from the internet would be backed by a digital certificate
with information in it, to enable the RP to make a risk-management
decision. That was the intent about a decade ago.
But, as FIDO Alliance struggled to achieve traction with FIDO
deployment, a lot of these intentions were curtailed and the usual
politics inherent in standards development organizations (SDO) took over.
Fast forward to 2025, and you have hundreds of RPs supporting
synchronized ('synced') passkeys, where private keys are stored in the
Cloud, and where RPs receive no attestation for them. And, millions of
people are being encouraged to enroll for "passkeys" without
understanding what they are doing
(https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor).
Specific to your questions, I don't believe any of the data you are
asking for, exists.
Currently, the attestation process and certificate best serves the needs
of enterprises or RPs in regulated environments. Those who understand
what it can do for them, and choose to leverage it, can choose to work
with Authenticator (and FIDO server) manufacturers to enable what they
need to meet their policy objectives.
Arshad Noor
StrongKey
On 2/14/25 5:51 AM, Mário Sousa wrote:
> Hello everyone,
>
> I’m currently evaluating the impact of attestation certificate
> validation, particularly regarding the time spent checking Certificate
> Revocation Lists (CRLs) and the overall size of CRLs, which can grow
> beyond our control.
>
> I understand that not all attestation formats will have a certificate,
> and the certificate may not have a CRL distribution point extension.
>
> Considering that the RP server could be used by millions of users, I’d
> like to ask if anyone can provide insights or data to better understand:
>
> * What percentage of authenticators send attestation with attestation
> certificates?
> * Based on the group’s experience, how frequently does attestation
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org <mailto:fido-
> dev+uns...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org?
> utm_medium=email&utm_source=footer>.
You are asking very pertinent questions.
Back when FIDO was founded, attestation certificates from Authenticator
manufacturers were supposed to do exactly what their intent was: to
provide an assurance to relying parties (RP) that an unknown
registration from the internet would be backed by a digital certificate
with information in it, to enable the RP to make a risk-management
decision. That was the intent about a decade ago.
But, as FIDO Alliance struggled to achieve traction with FIDO
deployment, a lot of these intentions were curtailed and the usual
politics inherent in standards development organizations (SDO) took over.
Fast forward to 2025, and you have hundreds of RPs supporting
synchronized ('synced') passkeys, where private keys are stored in the
Cloud, and where RPs receive no attestation for them. And, millions of
people are being encouraged to enroll for "passkeys" without
understanding what they are doing
(https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor).
Specific to your questions, I don't believe any of the data you are
asking for, exists.
Currently, the attestation process and certificate best serves the needs
of enterprises or RPs in regulated environments. Those who understand
what it can do for them, and choose to leverage it, can choose to work
with Authenticator (and FIDO server) manufacturers to enable what they
need to meet their policy objectives.
Arshad Noor
StrongKey
On 2/14/25 5:51 AM, Mário Sousa wrote:
> Hello everyone,
>
> I’m currently evaluating the impact of attestation certificate
> validation, particularly regarding the time spent checking Certificate
> Revocation Lists (CRLs) and the overall size of CRLs, which can grow
> beyond our control.
>
> I understand that not all attestation formats will have a certificate,
> and the certificate may not have a CRL distribution point extension.
>
> Considering that the RP server could be used by millions of users, I’d
> like to ask if anyone can provide insights or data to better understand:
>
> certificates?
> * Based on the group’s experience, how frequently does attestation
> validation—including CRL checks—occur in real-world deployments?
> * Is there any statistical data available on the attestation formats
> and types commonly used?
>
> Any insights or references to relevant reports would be greatly appreciated.
>
> Thank you in advance.
>
> --
>
> Any insights or references to relevant reports would be greatly appreciated.
>
> Thank you in advance.
>
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org <mailto:fido-
> dev+uns...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org?
> utm_medium=email&utm_source=footer>.
My1
Feb 15, 2025, 4:46:23 PMFeb 15
to Arshad Noor, Mário Sousa, FIDO Dev (fido-dev)
Very interesting linked post indeed.
Considering Google just locked me ouf of my (happily comparatively few) passkeys i store with them, that's also good to read because it's not just them possibly misusing them but also the problem of possibly losing access.
Especially as while google and co might let you backup passwords you store with them, with passkeys you are COMPLETELY at their mercy, which imo is just as bad as it sounds.
So the only way to actually keep control over passkeys is likely getting a FIDO device with enough resident credential storage as passkeys usually for some reason are made to be resident with all its advantages and disadvantages.
Although i'd say for some lower risk accounts it might not be a bad idea to have it anyway as an option, like for example some forums and stuff.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891-ef70-4c31-8e05-668f861c9c3c%40strongkey.com.
Arshad Noor
Feb 16, 2025, 8:22:37 AMFeb 16
to My1, Mário Sousa, FIDO Dev (fido-dev)
Thank you.
I'm curious about why you were locked out from your passkeys; was it
because of something you forgot or did not have in your possession, or
because of a malfunction at the cloud service provider's site?
You bring up an interesting point I had not considered: according to one
website (https://www.lostings.com/airport-lost-and-found/) more than 2
million items are reported lost at airports annually with 30,000 items
lost at JFK airport alone, every month. (About 70% are returned, thus
explaining the smaller number of lost items in contrast to reported
numbers).
If a person were to lose their mobile and laptop through a mishap, it is
conceivable that they could be permanently locked out from all their
passkey-based websites! Unless, of course, the account recovery process
at the site continues to rely on utterly weak authentication methods.
I wonder how much thought consumers have given to this possibility?
Arshad
On 2/15/25 1:46 PM, My1 wrote:
> Very interesting linked post indeed.
>
> Considering Google just locked me ouf of my (happily comparatively few)
> passkeys i store with them, that's also good to read because it's not
> just them possibly misusing them but also the problem of possibly losing
> access.
>
> Especially as while google and co might let you backup passwords you
> store with them, with passkeys you are COMPLETELY at their mercy, which
> imo is just as bad as it sounds.
>
> So the only way to actually keep control over passkeys is likely getting
> a FIDO device with enough resident credential storage as passkeys
> usually for some reason are made to be resident with all its advantages
> and disadvantages.
>
> Although i'd say for some lower risk accounts it might not be a bad idea
> to have it anyway as an option, like for example some forums and stuff.
>
>
> Arshad Noor <arsha...@strongkey.com
> you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor>).
> dev%2Bunsu...@fidoalliance.org> <mailto:fido- <mailto:fido->
> > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>>.
> > fidoalliance.org/d/msgid/fido- <http://fidoalliance.org/d/msgid/
> fido->
> > dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org> <https://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido- <http://
> groups.google.com/a/fidoalliance.org/d/msgid/fido->
> > dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>?
> dev%2Bunsu...@fidoalliance.org>.
> ef70-4c31-8e05-668f861c9c3c%40strongkey.com <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891-
> ef70-4c31-8e05-668f861c9c3c%40strongkey.com>.
>
I'm curious about why you were locked out from your passkeys; was it
because of something you forgot or did not have in your possession, or
because of a malfunction at the cloud service provider's site?
You bring up an interesting point I had not considered: according to one
website (https://www.lostings.com/airport-lost-and-found/) more than 2
million items are reported lost at airports annually with 30,000 items
lost at JFK airport alone, every month. (About 70% are returned, thus
explaining the smaller number of lost items in contrast to reported
numbers).
If a person were to lose their mobile and laptop through a mishap, it is
conceivable that they could be permanently locked out from all their
passkey-based websites! Unless, of course, the account recovery process
at the site continues to rely on utterly weak authentication methods.
I wonder how much thought consumers have given to this possibility?
Arshad
On 2/15/25 1:46 PM, My1 wrote:
> Very interesting linked post indeed.
>
> Considering Google just locked me ouf of my (happily comparatively few)
> passkeys i store with them, that's also good to read because it's not
> just them possibly misusing them but also the problem of possibly losing
> access.
>
> Especially as while google and co might let you backup passwords you
> store with them, with passkeys you are COMPLETELY at their mercy, which
> imo is just as bad as it sounds.
>
> So the only way to actually keep control over passkeys is likely getting
> a FIDO device with enough resident credential storage as passkeys
> usually for some reason are made to be resident with all its advantages
> and disadvantages.
>
> Although i'd say for some lower risk accounts it might not be a bad idea
> to have it anyway as an option, like for example some forums and stuff.
>
>
> Arshad Noor <arsha...@strongkey.com
> <mailto:arsha...@strongkey.com>> schrieb am Sa., 15. Feb. 2025, 02:27:
>
> Mario,
>
> You are asking very pertinent questions.
>
> Back when FIDO was founded, attestation certificates from Authenticator
> manufacturers were supposed to do exactly what their intent was: to
> provide an assurance to relying parties (RP) that an unknown
> registration from the internet would be backed by a digital certificate
> with information in it, to enable the RP to make a risk-management
> decision. That was the intent about a decade ago.
>
> But, as FIDO Alliance struggled to achieve traction with FIDO
> deployment, a lot of these intentions were curtailed and the usual
> politics inherent in standards development organizations (SDO) took
> over.
>
> Fast forward to 2025, and you have hundreds of RPs supporting
> synchronized ('synced') passkeys, where private keys are stored in the
> Cloud, and where RPs receive no attestation for them. And, millions of
> people are being encouraged to enroll for "passkeys" without
> understanding what they are doing
> (https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-
> safe-deposit-box-arshad-noor <https://www.linkedin.com/pulse/would-
>
> Mario,
>
> You are asking very pertinent questions.
>
> Back when FIDO was founded, attestation certificates from Authenticator
> manufacturers were supposed to do exactly what their intent was: to
> provide an assurance to relying parties (RP) that an unknown
> registration from the internet would be backed by a digital certificate
> with information in it, to enable the RP to make a risk-management
> decision. That was the intent about a decade ago.
>
> But, as FIDO Alliance struggled to achieve traction with FIDO
> deployment, a lot of these intentions were curtailed and the usual
> politics inherent in standards development organizations (SDO) took
> over.
>
> Fast forward to 2025, and you have hundreds of RPs supporting
> synchronized ('synced') passkeys, where private keys are stored in the
> Cloud, and where RPs receive no attestation for them. And, millions of
> people are being encouraged to enroll for "passkeys" without
> understanding what they are doing
> (https://www.linkedin.com/pulse/would-you-trust-your-bank-both-keys-
> you-trust-your-bank-both-keys-safe-deposit-box-arshad-noor>).
> > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>>.
> > To view this discussion visit https://groups.google.com/a/
> <https://groups.google.com/a/>
> > fidoalliance.org/d/msgid/fido- <http://fidoalliance.org/d/msgid/
> fido->
> > dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org> <https://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido- <http://
> groups.google.com/a/fidoalliance.org/d/msgid/fido->
> > dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>?
> > utm_medium=email&utm_source=footer>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to fido-dev+u...@fidoalliance.org <mailto:fido-
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> dev%2Bunsu...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-dev/b2f8d891-
> ef70-4c31-8e05-668f861c9c3c%40strongkey.com <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891-
> ef70-4c31-8e05-668f861c9c3c%40strongkey.com>.
>
Pro Coder 101
Feb 16, 2025, 8:29:20 AMFeb 16
to Arshad Noor, My1, Mário Sousa, FIDO Dev (fido-dev)
I feel passkey managers have a recovery process. Like with Google Password manager, you could buy a new Android phone, sign in with the same google accounts, (use otp if passkey is unavailable) and use screen lock of the old phone to use the passkeys.
Also, as a fall back, I keep an older phone at home which is logged in to my same google and microsoft accounts and it would enable me to sign in new devices with passkeys in case I lose any device.
Aditya Mitra
CCNA, CySA+
https://Adityamitra5102.github.io
https://www.linkedin.com/in/AdityaMitra5102
CCNA, CySA+
https://Adityamitra5102.github.io
https://www.linkedin.com/in/AdityaMitra5102
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b675fcc6-1c32-4306-b52a-03fadac68109%40strongkey.com.
My1
Feb 16, 2025, 8:43:18 AMFeb 16
to Arshad Noor, Mário Sousa, FIDO Dev (fido-dev)
well I got myself a new phone a few days ago, but both the old phone and tablet I have on the account are still active and yesterday I wanted to add a new passkey where google said cant access passkeys do you want to wipe them, I obviously went HELL NO on that one and checked the other 2 devices, same issue and when I try using a passkey they only mention that it cant access "encrypted data" linking to this "help" article
and on reddit the only "solution" has been to knock out Chrome sync and set it up again wiping all the data that isnt backed up.
"I feel passkey managers have a recovery process. Like with Google Password manager, you could buy a new Android phone, sign in with the same google accounts, (use otp if passkey is unavailable) and use screen lock of the old phone to use the passkeys."
I have seen that one, and no for some reason I cant seem to trigger that, dont know what I need to do for that.
Update: while writing, I tried out one of the google Chrome Browsers I have active to use a google account passkey which seemed to work.
Apparently you can in chrome add a "Google Password Manager Recovery PIN" (which can also be a password with letters and stuff), which after setup apparently CAN be used to move passkeys too.
but still it's a major headache finding that in the first place obviously especially with like no guidance, I just got a bit lucky, and god knows what happened if I didnt have that random chrome login on my Laptop.
Arshad Noor
Feb 16, 2025, 9:11:22 AMFeb 16
to Pro Coder 101, My1, Mário Sousa, FIDO Dev (fido-dev)
People who work in the tech industry are a minority, Aditya; they can
afford to have multiple phones/devices, and preserve them logged in all
the time (although that now adds to the process burden of staying logged
in through updates, etc.). The vast majority of consumers are likely to
have only one personal device.
While USD 8.00 for a Security Key is still expensive to significant
numbers of people, it is a shame universities and/or banking consortiums
in India, Brazil, etc. have not thought of using the RISC-V processor
(https://en.wikipedia.org/wiki/RISC-V) to create an open-source
implementation of CTAP that could enable the open manufacture of
Security Keys - it could solve many problems for regulated industries in
many countries.
Arshad
On 2/16/25 5:29 AM, Pro Coder 101 wrote:
> I feel passkey managers have a recovery process. Like with Google
> Password manager, you could buy a new Android phone, sign in with the
> same google accounts, (use otp if passkey is unavailable) and use screen
> lock of the old phone to use the passkeys.
>
> Also, as a fall back, I keep an older phone at home which is logged in
> to my same google and microsoft accounts and it would enable me to sign
> in new devices with passkeys in case I lose any device.
>
> Aditya Mitra
> CCNA, CySA+
> https://Adityamitra5102.github.io <https://Adityamitra5102.github.io>
> https://www.linkedin.com/in/AdityaMitra5102 <https://www.linkedin.com/
> in/AdityaMitra5102>
> www.lostings.com/airport-lost-and-found/>) more than 2
> > <mailto:arsha...@strongkey.com
> both-keys- <https://www.linkedin.com/pulse/would-you-trust-your-
> bank-both-keys->
> > safe-deposit-box-arshad-noor <https://www.linkedin.com/pulse/
> would- <https://www.linkedin.com/pulse/would->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>> <mailto:fido-
> <mailto:fido-> <mailto:fido- <mailto:fido->>
> > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>>.
> fidoalliance.org/d/msgid/>
> > fido->
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > <http://40fidoalliance.org <http://40fidoalliance.org>> <https://
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-> <http://
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>.
> > fidoalliance.org/d/msgid/fido-dev/b2f8d891- <http://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891->
> > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com> <https://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891->
> > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>>.
> b52a-03fadac68109%40strongkey.com <https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-dev/b675fcc6-1c32-4306-
> b52a-03fadac68109%40strongkey.com>.
>
afford to have multiple phones/devices, and preserve them logged in all
the time (although that now adds to the process burden of staying logged
in through updates, etc.). The vast majority of consumers are likely to
have only one personal device.
While USD 8.00 for a Security Key is still expensive to significant
numbers of people, it is a shame universities and/or banking consortiums
in India, Brazil, etc. have not thought of using the RISC-V processor
(https://en.wikipedia.org/wiki/RISC-V) to create an open-source
implementation of CTAP that could enable the open manufacture of
Security Keys - it could solve many problems for regulated industries in
many countries.
Arshad
On 2/16/25 5:29 AM, Pro Coder 101 wrote:
> I feel passkey managers have a recovery process. Like with Google
> Password manager, you could buy a new Android phone, sign in with the
> same google accounts, (use otp if passkey is unavailable) and use screen
> lock of the old phone to use the passkeys.
>
> Also, as a fall back, I keep an older phone at home which is logged in
> to my same google and microsoft accounts and it would enable me to sign
> in new devices with passkeys in case I lose any device.
>
> Aditya Mitra
> CCNA, CySA+
> https://www.linkedin.com/in/AdityaMitra5102 <https://www.linkedin.com/
> in/AdityaMitra5102>
>
> On Sun, Feb 16, 2025, 6:52 PM Arshad Noor <arsha...@strongkey.com
> <mailto:arsha...@strongkey.com>> wrote:
>
> Thank you.
>
> I'm curious about why you were locked out from your passkeys; was it
> because of something you forgot or did not have in your possession, or
> because of a malfunction at the cloud service provider's site?
>
> You bring up an interesting point I had not considered: according to
> one
> website (https://www.lostings.com/airport-lost-and-found/ <https://
> On Sun, Feb 16, 2025, 6:52 PM Arshad Noor <arsha...@strongkey.com
> <mailto:arsha...@strongkey.com>> wrote:
>
> Thank you.
>
> I'm curious about why you were locked out from your passkeys; was it
> because of something you forgot or did not have in your possession, or
> because of a malfunction at the cloud service provider's site?
>
> You bring up an interesting point I had not considered: according to
> one
> www.lostings.com/airport-lost-and-found/>) more than 2
> bank-both-keys->
> > safe-deposit-box-arshad-noor <https://www.linkedin.com/pulse/
> would- <https://www.linkedin.com/pulse/would->
> <mailto:dev%252Buns...@fidoalliance.org>> <mailto:fido-
> <mailto:fido-> <mailto:fido- <mailto:fido->>
> > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>>.
> > > To view this discussion visit https://groups.google.com/a/
> <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > fidoalliance.org/d/msgid/fido- <http://fidoalliance.org/d/
> msgid/fido-> <http://fidoalliance.org/d/msgid/ <http://
> <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > fidoalliance.org/d/msgid/fido- <http://fidoalliance.org/d/
> fidoalliance.org/d/msgid/>
> > fido->
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > <http://40fidoalliance.org <http://40fidoalliance.org>> <https://
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-> <http://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido- <http://
> groups.google.com/a/fidoalliance.org/d/msgid/fido->>
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > <http://40fidoalliance.org <http://40fidoalliance.org>>?
> groups.google.com/a/fidoalliance.org/d/msgid/fido->>
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > > utm_medium=email&utm_source=footer>.
> >
> > --
> > You received this message because you are subscribed to the
> Google
> > Groups "FIDO Dev (fido-dev)" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org> <mailto:fido-
> >
> > --
> > You received this message because you are subscribed to the
> > Groups "FIDO Dev (fido-dev)" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to fido-dev+u...@fidoalliance.org
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>.
> > fidoalliance.org/d/msgid/fido-dev/b2f8d891- <http://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891->
> > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com> <https://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/b2f8d891->
> > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>>.
> >
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to fido-dev+u...@fidoalliance.org <mailto:fido-
> dev%2Bunsu...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-dev/b675fcc6-1c32-4306-
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to fido-dev+u...@fidoalliance.org <mailto:fido-
> dev%2Bunsu...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> b52a-03fadac68109%40strongkey.com <https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-dev/b675fcc6-1c32-4306-
> b52a-03fadac68109%40strongkey.com>.
>
Arshad Noor
Feb 16, 2025, 9:23:47 AMFeb 16
to My1, FIDO Dev (fido-dev)
Seems you got very lucky, indeed. The other poster (Aditya) has made it
his policy to keep an old phone logged in all the time (despite its own
burdens).
I maintain that multiple, inexpensive Security Keys are the right
balance of account recovery convenience, security and privacy for the
vast majority of people in OECD countries. Just a little bit of
knowledge and process discipline is required.
For everyone else, I believe lobbyists in regulated industries waste
tremendous amounts of money trying to curb regulations for themselves.
Perhaps, small investments in creating an open implementation of CTAP
using RISC-V could result in greater security and privacy for their
customers, and fewer regulations for themselves.
Arshad
On 2/16/25 5:43 AM, My1 wrote:
> well I got myself a new phone a few days ago, but both the old phone and
> tablet I have on the account are still active and yesterday I wanted to
> add a new passkey where google said cant access passkeys do you want to
> wipe them, I obviously went HELL NO on that one and checked the other 2
> devices, same issue and when I try using a passkey they only mention
> that it cant access "encrypted data" linking to this "help" article
>
> https://support.google.com/accounts/answer/11350823?ctx=ep <https://
> support.google.com/accounts/answer/11350823?ctx=ep>
> > <mailto:arsha...@strongkey.com
> > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>>.
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-> <http://
his policy to keep an old phone logged in all the time (despite its own
burdens).
I maintain that multiple, inexpensive Security Keys are the right
balance of account recovery convenience, security and privacy for the
vast majority of people in OECD countries. Just a little bit of
knowledge and process discipline is required.
For everyone else, I believe lobbyists in regulated industries waste
tremendous amounts of money trying to curb regulations for themselves.
Perhaps, small investments in creating an open implementation of CTAP
using RISC-V could result in greater security and privacy for their
customers, and fewer regulations for themselves.
Arshad
On 2/16/25 5:43 AM, My1 wrote:
> well I got myself a new phone a few days ago, but both the old phone and
> tablet I have on the account are still active and yesterday I wanted to
> add a new passkey where google said cant access passkeys do you want to
> wipe them, I obviously went HELL NO on that one and checked the other 2
> devices, same issue and when I try using a passkey they only mention
> that it cant access "encrypted data" linking to this "help" article
>
> support.google.com/accounts/answer/11350823?ctx=ep>
>
> and on reddit the only "solution" has been to knock out Chrome sync and
> set it up again wiping all the data that isnt backed up.
>
> "I feel passkey managers have a recovery process. Like with Google
> Password manager, you could buy a new Android phone, sign in with the
> same google accounts, (use otp if passkey is unavailable) and use screen
> lock of the old phone to use the passkeys."
>
> I have seen that one, and no for some reason I cant seem to trigger
> that, dont know what I need to do for that.
>
> Update: while writing, I tried out one of the google Chrome Browsers I
> have active to use a google account passkey which seemed to work.
>
> Apparently you can in chrome add a "Google Password Manager Recovery
> PIN" (which can also be a password with letters and stuff), which after
> setup apparently CAN be used to move passkeys too.
>
> but still it's a major headache finding that in the first place
> obviously especially with like no guidance, I just got a bit lucky, and
> god knows what happened if I didnt have that random chrome login on my
> Laptop.
>
> Am So., 16. Feb. 2025 um 14:22 Uhr schrieb Arshad Noor
> <arsha...@strongkey.com <mailto:arsha...@strongkey.com>>:
> and on reddit the only "solution" has been to knock out Chrome sync and
> set it up again wiping all the data that isnt backed up.
>
> "I feel passkey managers have a recovery process. Like with Google
> Password manager, you could buy a new Android phone, sign in with the
> same google accounts, (use otp if passkey is unavailable) and use screen
> lock of the old phone to use the passkeys."
>
> I have seen that one, and no for some reason I cant seem to trigger
> that, dont know what I need to do for that.
>
> Update: while writing, I tried out one of the google Chrome Browsers I
> have active to use a google account passkey which seemed to work.
>
> Apparently you can in chrome add a "Google Password Manager Recovery
> PIN" (which can also be a password with letters and stuff), which after
> setup apparently CAN be used to move passkeys too.
>
> but still it's a major headache finding that in the first place
> obviously especially with like no guidance, I just got a bit lucky, and
> god knows what happened if I didnt have that random chrome login on my
> Laptop.
>
> Am So., 16. Feb. 2025 um 14:22 Uhr schrieb Arshad Noor
>
> Thank you.
>
> I'm curious about why you were locked out from your passkeys; was it
> because of something you forgot or did not have in your possession, or
> because of a malfunction at the cloud service provider's site?
>
> You bring up an interesting point I had not considered: according to
> one
> Thank you.
>
> I'm curious about why you were locked out from your passkeys; was it
> because of something you forgot or did not have in your possession, or
> because of a malfunction at the cloud service provider's site?
>
> You bring up an interesting point I had not considered: according to
> one
> website (https://www.lostings.com/airport-lost-and-found/ <https://
> www.lostings.com/airport-lost-and-found/>) more than 2
> > (https://www.linkedin.com/pulse/would-you-trust-your-bank-
> both-keys- <https://www.linkedin.com/pulse/would-you-trust-your-
> bank-both-keys->
> > safe-deposit-box-arshad-noor <https://www.linkedin.com/pulse/
> would- <https://www.linkedin.com/pulse/would->
> both-keys- <https://www.linkedin.com/pulse/would-you-trust-your-
> bank-both-keys->
> > safe-deposit-box-arshad-noor <https://www.linkedin.com/pulse/
> <mailto:fido-dev%2Bunsu...@fidoalliance.org> <mailto:fido-
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>> <mailto:fido-
> <mailto:fido-> <mailto:fido- <mailto:fido->>
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>> <mailto:fido-
> > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>>.
> > > To view this discussion visit https://groups.google.com/a/
> <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > fidoalliance.org/d/msgid/fido- <http://fidoalliance.org/d/
> msgid/fido-> <http://fidoalliance.org/d/msgid/ <http://
> fidoalliance.org/d/msgid/>
> > fido->
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > <http://40fidoalliance.org <http://40fidoalliance.org>> <https://
> msgid/fido-> <http://fidoalliance.org/d/msgid/ <http://
> fidoalliance.org/d/msgid/>
> > fido->
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-
> <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-> <http://
> > groups.google.com/a/fidoalliance.org/d/msgid/fido- <http://
> groups.google.com/a/fidoalliance.org/d/msgid/fido->>
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > <http://40fidoalliance.org <http://40fidoalliance.org>>?
> groups.google.com/a/fidoalliance.org/d/msgid/fido->>
> > >
> dev/6fdab2c5-1647-4701-8983-20c389c129a5n%40fidoalliance.org
> <http://40fidoalliance.org>
> > > utm_medium=email&utm_source=footer>.
> >
> > --
> > You received this message because you are subscribed to the
> Google
> > Groups "FIDO Dev (fido-dev)" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to fido-dev+u...@fidoalliance.org
> >
> > --
> > You received this message because you are subscribed to the
> > Groups "FIDO Dev (fido-dev)" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev%2Bunsu...@fidoalliance.org> <mailto:fido-
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>.
> <mailto:fido->
> > dev%2Bunsu...@fidoalliance.org
Pro Coder 101
Feb 16, 2025, 9:53:01 AMFeb 16
to Arshad Noor, My1, FIDO Dev (fido-dev)
Thanks Arshad for the idea. Gotta try to develop an open implementation of CTAP on a RPi Pico next weekend.
Anyways if this is helpful, I have been working on an Open Source implementation on ARM processor (https://github.com/AdityaMitra5102/RPi-FIDO2-Security-Key). [This is incomplete as of now just some basic stuff is working. Still need to implement UP, UV, error handling and stuff. And it doesn't use secure storage as of now.]
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/0dad3819-e478-4541-9d45-1ecca72c08a6%40strongkey.com.
Arshad Noor
Feb 16, 2025, 12:18:17 PMFeb 16
to Pro Coder 101, FIDO Dev (fido-dev)
If you do end-up writing open-source CTAP code for RISC-V, I suggest you
NOT put the code in Github; here's why:
https://github.com/strongkey/fido2
You can find updates on the copyright infringement lawsuit at:
https://www.saverilawfirm.com/our-cases/github-copilot-intellectual-property-litigation
Arshad
On 2/16/25 6:52 AM, Pro Coder 101 wrote:
> Thanks Arshad for the idea. Gotta try to develop an open implementation
> of CTAP on a RPi Pico next weekend.
>
> Anyways if this is helpful, I have been working on an Open Source
> implementation on ARM processor (https://github.com/AdityaMitra5102/RPi-
> FIDO2-Security-Key <https://github.com/AdityaMitra5102/RPi-FIDO2-
> Security-Key>). [This is incomplete as of now just some basic stuff is
> <https://support.google.com/accounts/answer/11350823?ctx=ep> <https://
> > support.google.com/accounts/answer/11350823?ctx=ep <http://
> <mailto:arsha...@strongkey.com <mailto:arsha...@strongkey.com>>>:
> > www.lostings.com/airport-lost-and-found/ <http://
> bank- <https://www.linkedin.com/pulse/would-you-trust-your-bank->
> > both-keys- <https://www.linkedin.com/pulse/would-you-trust-
> your- <https://www.linkedin.com/pulse/would-you-trust-your->
> > bank-both-keys->
> > > safe-deposit-box-arshad-noor <https://
> www.linkedin.com/pulse/ <https://www.linkedin.com/pulse/>
> > would- <https://www.linkedin.com/pulse/would- <https://
> www.linkedin.com/pulse/would->>
> > > you-trust-your-bank-both-keys-safe-deposit-box-arshad-
> > <mailto:fido-dev%2Bunsu...@fidoalliance.org <mailto:fido-
> > > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>> <mailto:fido-
> <mailto:fido->
> > <mailto:fido- <mailto:fido->> <mailto:fido- <mailto:fido->
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>>>.
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > <https://groups.google.com/a/ <https://
> groups.google.com/a/> <https://groups.google.com/a/ <https://
> groups.google.com/a/>>>
> > > > fidoalliance.org/d/msgid/fido- <http://
> fidoalliance.org/d/msgid/fido-> <http://fidoalliance.org/d/ <http://
> fidoalliance.org/d/>
> > <mailto:fido-dev%2Bunsu...@fidoalliance.org <mailto:fido-
> > > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>>.
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > fidoalliance.org/d/msgid/fido-dev/b2f8d891- <http://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891-> <http://
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/
> b2f8d891- <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/b2f8d891->
> > <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/b2f8d891- <http://groups.google.com/a/fidoalliance.org/d/msgid/
> fido-dev/b2f8d891->>
> > > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>
> > <http://40strongkey.com <http://40strongkey.com>>>.
> dev%2Bunsu...@fidoalliance.org>.
> e478-4541-9d45-1ecca72c08a6%40strongkey.com <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/0dad3819-
> e478-4541-9d45-1ecca72c08a6%40strongkey.com>.
>
NOT put the code in Github; here's why:
https://github.com/strongkey/fido2
You can find updates on the copyright infringement lawsuit at:
https://www.saverilawfirm.com/our-cases/github-copilot-intellectual-property-litigation
Arshad
On 2/16/25 6:52 AM, Pro Coder 101 wrote:
> Thanks Arshad for the idea. Gotta try to develop an open implementation
> of CTAP on a RPi Pico next weekend.
>
> Anyways if this is helpful, I have been working on an Open Source
> implementation on ARM processor (https://github.com/AdityaMitra5102/RPi-
> Security-Key>). [This is incomplete as of now just some basic stuff is
> working. Still need to implement UP, UV, error handling and stuff. And
> it doesn't use secure storage as of now.]
>
> Aditya Mitra
> CCNA, CySA+
> it doesn't use secure storage as of now.]
>
> Aditya Mitra
> CCNA, CySA+
> https://Adityamitra5102.github.io <https://Adityamitra5102.github.io>
> https://www.linkedin.com/in/AdityaMitra5102 <https://www.linkedin.com/
> in/AdityaMitra5102>
>
> https://www.linkedin.com/in/AdityaMitra5102 <https://www.linkedin.com/
> in/AdityaMitra5102>
>
> > support.google.com/accounts/answer/11350823?ctx=ep <http://
> >
> > Thank you.
> >
> > I'm curious about why you were locked out from your passkeys;
> was it
> > because of something you forgot or did not have in your
> possession, or
> > because of a malfunction at the cloud service provider's site?
> >
> > You bring up an interesting point I had not considered:
> according to
> > one
> > website (https://www.lostings.com/airport-lost-and-found/
> <https://www.lostings.com/airport-lost-and-found/> <https://
> > Thank you.
> >
> > I'm curious about why you were locked out from your passkeys;
> was it
> > because of something you forgot or did not have in your
> possession, or
> > because of a malfunction at the cloud service provider's site?
> >
> > You bring up an interesting point I had not considered:
> according to
> > one
> > website (https://www.lostings.com/airport-lost-and-found/
> > www.lostings.com/airport-lost-and-found/ <http://
> > both-keys- <https://www.linkedin.com/pulse/would-you-trust-
> your- <https://www.linkedin.com/pulse/would-you-trust-your->
> > bank-both-keys->
> > > safe-deposit-box-arshad-noor <https://
> www.linkedin.com/pulse/ <https://www.linkedin.com/pulse/>
> > would- <https://www.linkedin.com/pulse/would- <https://
> www.linkedin.com/pulse/would->>
> > > you-trust-your-bank-both-keys-safe-deposit-box-arshad-
> > > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>> <mailto:fido-
> <mailto:fido->
> > <mailto:fido- <mailto:fido->> <mailto:fido- <mailto:fido->
> <mailto:fido- <mailto:fido->>>
> > > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>
> > > <mailto:dev%2Bunsu...@fidoalliance.org
> > > > dev+uns...@fidoalliance.org
> <mailto:dev%2Bunsu...@fidoalliance.org>
> > <mailto:dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>>
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>>>.
> > > > To view this discussion visit https://
> groups.google.com/a/ <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > <https://groups.google.com/a/ <https://
> groups.google.com/a/> <https://groups.google.com/a/ <https://
> groups.google.com/a/>>>
> > > > fidoalliance.org/d/msgid/fido- <http://
> fidoalliance.org/d/msgid/fido-> <http://fidoalliance.org/d/ <http://
> fidoalliance.org/d/>
> > msgid/fido-> <http://fidoalliance.org/d/msgid/ <http://
> fidoalliance.org/d/msgid/> <http://
> > > dev%2Bunsu...@fidoalliance.org
> <mailto:dev%252Buns...@fidoalliance.org>
> > <mailto:dev%252Buns...@fidoalliance.org
> <mailto:dev%25252Bun...@fidoalliance.org>>>.
> > > To view this discussion visit https://
> groups.google.com/a/ <https://groups.google.com/a/>
> > <https://groups.google.com/a/ <https://groups.google.com/a/>>
> > > fidoalliance.org/d/msgid/fido-dev/b2f8d891- <http://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891-> <http://
> > fidoalliance.org/d/msgid/fido-dev/b2f8d891- <http://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891->>
> > > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>
> > <http://40strongkey.com <http://40strongkey.com>> <https://
> fidoalliance.org/d/msgid/fido-dev/b2f8d891->>
> > > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>
> > > groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/
> b2f8d891- <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/b2f8d891->
> > <http://groups.google.com/a/fidoalliance.org/d/msgid/fido-
> dev/b2f8d891- <http://groups.google.com/a/fidoalliance.org/d/msgid/
> fido-dev/b2f8d891->>
> > > ef70-4c31-8e05-668f861c9c3c%40strongkey.com
> <http://40strongkey.com>
> > <http://40strongkey.com <http://40strongkey.com>>>.
> > >
> >
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to fido-dev+u...@fidoalliance.org <mailto:fido-
> >
>
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it,
> dev%2Bunsu...@fidoalliance.org>.
> To view this discussion visit https://groups.google.com/a/
> fidoalliance.org/d/msgid/fido-dev/0dad3819-
> e478-4541-9d45-1ecca72c08a6%40strongkey.com <https://
> groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/0dad3819-
> e478-4541-9d45-1ecca72c08a6%40strongkey.com>.
>
Mário Sousa
Feb 17, 2025, 7:04:41 AMFeb 17
to FIDO Dev (fido-dev), Arshad Noor, Mário Sousa
Thank you Arshad for your reply.
Specific to your questions, I don't believe any of the data you are
asking for, exists.
I believe RPs will discover it along the way.
Great linkedIn post, by the way—thanks for sharing!
Great linkedIn post, by the way—thanks for sharing!
Reply all
Reply to author
Forward
0 new messages