Hacker News | mkehrt's comments

> The manager at my structural engineers can still calculate a beam size, he is better at it than his staff.

That sounds insane to me. I want my manager to be good at managing. If they are writing code, it's a misuse of their time and skills. If they are good at writing code and bad at managing, they shouldn't be a manager.


And that confuses me. There are so many posts on hn complaining about managers and the bs they bring, 1:1s you didn't ask for etc.

What does a manager even do in this world where they are non technical? I have never managed a large sw team tbf, but in smaller teams I did manage I had to do project management stuff. In my normal profession I manage a large team, but one of my big roles is being there to advise technically and make the big decisions. I can see why people find these EM jobs boring, you must have to invent things to do!


I don't understand your point? If you write code with an MIT license, this is what you would expect.

Totally agreed.

I find it strange that people use the MIT licence and then complain "big greedy corporation did not contribute back anything". Though I also agree that this leeching approach by corporations is a problem to the ecosystem. MIT just is not the right licence to fight that.


Tell that to my mom who has created a bunch of passkeys all over the place without knowing what they are. I'm trying to unwind it but it's a mess.

Passkeys are an antipattern in UX design. You want to make it simple for the users? Great! But stop treating them as too stupid to decide anything on their own. Stop locking them out of the decision loop and doing things behind their back. This is practically the corporate design philosophy of the past two decades. You can see this a lot in smartphone design.

I keep asking what advantages passkeys offer over TLS self-signed client certificates. I haven't got any answers so far. Perhaps increase the security by encrypting the private key with a password or an external token. This is safe, like SSH and unlike regular passwords, because no secrets are sent to the server. TLS certs and (encrypted) keys are more tangible and easier to manage.

Perhaps passkeys do offer some advantages over TLS certs. But can't those be added to TLS, rather than rolling out an entirely new system? The infuriating part is that this facility exists in browsers. They just let it rot to an extent that it's practically unusable. Meanwhile, Gemini browsers are using it quite successfully (for those who use Gemini).


Passkeys ARE self-signed certs. You can store their private key on a hardware token, but you don't have to.

Their only difference is the automated provisioning.


> Passkeys ARE self-signed certs.

So they took something that works well and created a bad UX around it, while ignoring the working, yet languishing UI/UX that was already around?


You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still miles ahead of GnuPG card, PIV, PKCS#15 etc.


Please check how the client certificate interface of Lagrange, the Gemini browser, works. It's nowhere near as complicated as you make it out to be. No passkey interface I've seen is as clear as this one. It automatically provisions the certificate (optional; you can share certs among services if you prefer) and associates it with the correct service. So no complicated stuff. It prompts you at the correct time for permission in the clearest way possible. It's like an integrated password manager where your credentials are just files - sort of. That's all that a regular user needs to know about them. It can be exported, imported, backed up, synced, and what not.

Gemini strives to finish an entire request in a single transaction. So TLS certs are really the only option for authentication. That's how I learned the elegance of TLS client authentication workflow and started asking why this is so neglected in web browsers.


TLS based authentication is even worse. It’s the wrong layer in today’s Internet, given Cloudflare, load balancers etc.

Not everybody trusts whatever first hop terminates TLS to also do authentication, and it completely falls flat at non-repudiation for transaction approval.


You can't be seriously claiming that self-signed PEM certificates were working well. I've been using them for years in various contexts, and they're an absolute nightmare.

Despite all their faults, for the average user, Passkeys are still leagues ahead of GnuPG card, PIV, PKCS#15 etc.


Self-signed certificates are in the 'barely working' state. They operate on a wrong protocol level, and they can't be provisioned by the website itself.

If you try to describe how you _want_ the TLS client certificate UI to work, you'll end up with passkeys.


Okay. So they took a solution that was in a barely-working state due to their deliberate neglect, and still managed to give a bad new UX when they got the opportunity to rework it?

> "they can't be provisioned by the website itself."

It's funny, we used to have an HTML tag that would do exactly that: <keygen />


“All over the place” meaning where? There’s only a few places you can put them and they’re all more secure than passwords so it sounds like not a huge issue.

It doesn't read like an LLM to me. What are you seeing?

Look for a tiny mistake, like someone who is a native speaker of another language would NOT make. Eustomer. What?

I don't think that's true at all. There's plenty of weird post hippies around, including Burning Man culture and the libertarian roots of a lot of the tech world.

But if you're immersed in the modern tech world, you're just ignoring all that.


My facebook page, which is where I have friended everyone I met between like 2004 and 2017, is absolute garbage.

But I have a secondary account where I follow a few specific niche groups on a specific topic that are only on facebook. This page is actually fine, and is pretty good at suggesting related pages.

Not sure what the takeaway is for facebook though.


I don't understand that. If it has a correct statement of the theorem and no `believe-me`s or whatever, it should be correct.

Those are all art, though? Your insults to them don't make them not.

Vim has been having a moment for a while. I have several coworkers who just use it and it seems to work fine for them.


Well for one, it's definitely not the responsibility of the reviewers to check that all the citations exist. That would be insane.

