It wasn’t clear to me at first glance how the mandos server gets the approval to supply the client with its desired key, but I figured it out in the meantime: that’s done through the mandos-monitor tui. However, that doesn’t quite fit my ux-expectations. Thanks for mentioning it, though. It’s an interesting project I will keep in mind.

Sort of, but this seems a bit heavy. (That being said, I was also considering pkcs#11 on a net-hsm, which seems to do basically the same…)

Interesting, do you happen to know how this “approval” works here, concretely?

I love the simplicity of this, I really do, but I don’t consider this SSO. It may be if you’re a single user, but even then, many things I’m hosting have their own authentication layer and allow offloading only to some oidc-/oauth or ldap-provider.

Deployment of NC on kubernetes/docker (and maintenance thereof) is super scary. They copy config files around in dockerfile, e.g., it’s a hell of a mess. (And not just docker: I have one instance running on an old-fashioned webhosting with only ftp access and I have to manually edit .ini and apache config after each update since they’re being overwritten.) As the documentation of OCIS is growing and it gets more features, I might actually change even the larger instances, but for now I must consider it as not feature complete (since people have expectations from nextcloud that aren’t met by ocis and its extensions). Moreover, I have more trust in the long term openness of nextcloud as opposed to owncloud, for historical reasons.