Oh well. Bummer.

/ Jonas

On Tue, Dec 1, 2015 at 5:36 PM, Richard Barnes <rbar...@mozilla.com> wrote:
> It's my understanding that U2F qua U2F is considered pretty much baked by
> the developer community, and there's already code written to it.  But these
> concerns will be great for the W3C group and the successor API.  I've got a
> similar list started related to crypto and future-proofing.
>
>
> On Tue, Dec 1, 2015 at 8:29 PM, Jonas Sicking <jo...@sicking.cc> wrote:
>>
>> Any chance that the API can be made a little more JS friendly? First
>> thing that stands out is the use of success/error callbacks rather
>> than the use of Promises.
>>
>> Also the use of numeric codes, rather than string values, is a pattern
>> that the web has generally moved away from.
>>
>> / Jonas
>>
>> On Tue, Dec 1, 2015 at 5:23 PM, Richard Barnes <rbar...@mozilla.com> wrote:
>> > The FIDO Alliance has been developing standards for hardware-based
>> > authentication of users by websites [1].  Their work is getting significant
>> > traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
>> > Work has begun in the W3C to create open standards using FIDO as a starting
>> > point. We are proposing to implement the FIDO U2F API in Firefox in its
>> > current form and then track the evolving W3C standard.
>> >
>> > Background: The FIDO Alliance has been developing a standard for
>> > hardware-based user authentication known as “Universal Two-Factor” or U2F
>> > [2].  This standard allows a website to verify that a user is in possession
>> > of a specific device by having the device sign a challenge with a private
>> > key that is held on the hardware device.  The browser’s role is mainly (1)
>> > to route messages between the website and the token, and (2) to add the
>> > origin of the website to the message signed by the token (so that the
>> > signature is bound to the site).
>> >
>> > Several major websites now support U2F for authentication, including Google
>> > [3], Dropbox [4], and GitHub [5].  Axel Nennker has filed a Bugzilla bug
>> > for U2F support in Gecko [6].  The W3C has begun the process of forming a
>> > “WebAuthentication” working group that will work on a standard for enhanced
>> > authentication using FIDO as a starting point [7].
>> >
>> > Proposed: To implement the high-level U2F API described in the FIDO JS API
>> > specification, with support for the USB HID token interface.
>> >
>> > Please send comments on this proposal to the list no later than Monday,
>> > December 14, 2015.
>> >
>> > -----
>> >
>> > Personally, I have some reservations about implementing this, but I still
>> > think it’s worth doing, given the clear need for something to augment
>> > passwords.
>> >
>> > It’s unfortunate that the initial FIDO standards were developed in a closed
>> > group, but there is good momentum building toward making FIDO more open.  I
>> > have some specific concerns about the U2F API itself, but they’re
>> > relatively minor.  For example, the whole system is highly vertically
>> > integrated, so if we want to change any part of it (e.g., to use a curve
>> > other than P-256 for signatures), we’ll need to build a whole new API.  But
>> > these are issues that can be addressed in the W3C process.
>> >
>> > We will continue to work on making standards for secure authentication more
>> > open.  In the meantime, U2F is what’s here now, and there’s demonstrated
>> > developer interest, so it makes sense for us to work on implementing it.
>> >
>> > Thanks,
>> > --Richard
>> >
>> > [1] https://fidoalliance.org/
>> > [2] https://fidoalliance.org/specifications/download/
>> > [3] https://support.google.com/accounts/answer/6103523?hl=en
>> > [4] https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/
>> > [5] https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
>> > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
>> > [7] http://w3c.github.io/websec/web-authentication-charter
>> > _______________________________________________
>> > dev-platform mailing list
>> > dev-platform@lists.mozilla.org
>> > https://lists.mozilla.org/listinfo/dev-platform
>
>
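
The origin binding described in the quoted proposal (the browser adds the website's origin to the message the token signs), as an added example that is not part of this thread or of any Firefox or FIDO code. The token, key, origins and challenge are constructed; the signed-data layout follows the U2F raw message format, and the browser's AppID check is left out.

```javascript
// Added illustration of U2F origin binding; not Firefox or FIDO reference code.
const { createHash, generateKeyPairSync, sign, verify } = require('crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Constructed stand-in for a hardware token: the P-256 private key never leaves it.
function makeToken() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  let counter = 0;
  const signRequest = (appParam, challengeParam) => {
    const presence = Buffer.from([0x01]); // user-presence byte
    const ctr = Buffer.alloc(4);
    ctr.writeUInt32BE(++counter);
    const msg = Buffer.concat([appParam, presence, ctr, challengeParam]);
    return { presence, ctr, signature: sign('sha256', msg, privateKey) };
  };
  return { publicKey, signRequest };
}

// Browser role: route the request to the token and write the page's real origin
// into the client data, so the page cannot choose what origin gets signed.
function browserSign(token, pageOrigin, appId, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  return { clientData, ...token.signRequest(sha256(appId), sha256(clientData)) };
}

// Relying party: verify the signature first, then the challenge and origin it covers.
function verifyAssertion(publicKey, appId, origin, challenge, resp) {
  const msg = Buffer.concat([sha256(appId), resp.presence, resp.ctr, sha256(resp.clientData)]);
  if (!verify('sha256', msg, publicKey, resp.signature)) return 'bad-signature';
  const clientData = JSON.parse(resp.clientData);
  if (clientData.challenge !== challenge) return 'bad-challenge';
  return clientData.origin === origin ? 'ok' : 'bad-origin';
}

// Constructed scenario: the same challenge signed on the real site and on a look-alike.
function demo() {
  const site = 'https://login.example', lookalike = 'https://login.example.invalid';
  const challenge = 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl'; // constructed value
  const token = makeToken();
  const check = (resp) => verifyAssertion(token.publicKey, site, site, challenge, resp);
  const genuine = browserSign(token, site, site, challenge);
  const relayed = browserSign(token, lookalike, site, challenge);
  // Rewriting the origin after signing changes the hash the signature covers.
  const rewritten = { ...relayed, clientData: relayed.clientData.replace(lookalike, site) };
  return { genuine: check(genuine), relayed: check(relayed), rewritten: check(rewritten) };
}

console.log(demo());
```

The relying party has to parse and compare the origin itself: the signature on the relayed response is valid, and only the origin comparison rejects it.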