On Monday, 9 November 2015 18:29:20 UTC+1, Michael Schwartz (m...@gluu.org) wrote:
> Hi guys... if you need a FIDO U2F server to test against, the Gluu Server has
> endpoints built in. It's really easy to deploy on Ubuntu / CentOS:
> http://www.gluu.org/docs/admin-guide/deployment/
>
> Also, I recorded a geeky video on how to test FIDO U2F:
> http://gluu.co/fido-u2f
>
> Basically, check enable, change the default authn mechanism... and you're
> done. It's really easy.
>
> - Mike

Hi, you did amazing work with Gluu (insert bowing smiley here).

FIDO U2F kind of recommends using TLS Channel binding as a protection against SSL proxy and other MITM attacks. Chrome's FIDO U2F client part is compatible with this, but it can only be used if the server side is implemented. Does Gluu support that?

Search "Channel Binding" inside
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-glossary.html
and again here
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-security-ref.html

That's a great -nearly perfect- existing solution, and IMHO Firefox should probably implement this feature too, for better security and for better compatibility with servers that implement the server side (like Google's servers).

http://tools.ietf.org/html/draft-balfanz-tls-channelid-01
http://www.ietf.org/rfc/rfc5056.txt
http://www.ietf.org/rfc/rfc5929.txt

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
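
The server-side check the reply above asks about, as an added example that is not part of the original thread and is not Gluu's or Chrome's code. The `typ`, `challenge`, `origin` and `cid_pubkey` fields follow the FIDO U2F v1.0 ClientData format; the function names, sample keys, the `tls_channel_id` input (assumed to come from the server's TLS terminator) and the accept/reject policy are hypothetical.

```python
import base64
import json

# Constructed sample keys (not real curve points), in the JWK shape U2F uses.
BROWSER_KEY = {"kty": "EC", "crv": "P-256", "x": "YnJvd3Nlci14", "y": "YnJvd3Nlci15"}
PROXY_KEY = {"kty": "EC", "crv": "P-256", "x": "cHJveHkteA", "y": "cHJveHkteQ"}

def make_client_data(challenge, origin, cid_pubkey=None):
    """Build websafe-base64 ClientData as a browser would (sample-input helper)."""
    cd = {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    if cid_pubkey is not None:
        cd["cid_pubkey"] = cid_pubkey
    raw = json.dumps(cd).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _same_key(a, b):
    # Both values must be JWK dicts with identical, non-empty key fields.
    if not (isinstance(a, dict) and isinstance(b, dict)):
        return False
    return all(a.get(f) is not None and a.get(f) == b.get(f)
               for f in ("kty", "crv", "x", "y"))

def check_sign_client_data(client_data_b64, challenge, origin,
                           tls_channel_id, require_binding=False):
    """Return (ok, reason). tls_channel_id is the Channel ID public key the
    server's own TLS stack saw on this connection (assumed input), or None."""
    pad = "=" * (-len(client_data_b64) % 4)
    cd = json.loads(base64.urlsafe_b64decode(client_data_b64 + pad))
    if cd.get("typ") != "navigator.id.getAssertion":
        return False, "unexpected typ"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != origin:
        return False, "origin mismatch"
    cid = cd.get("cid_pubkey")  # absent, the string "unused", or a JWK
    if not isinstance(cid, dict) and tls_channel_id is None:
        # Neither side has a Channel ID: the assertion is not channel-bound.
        return (False, "no channel binding") if require_binding else (True, "unbound")
    if not _same_key(cid, tls_channel_id):
        # The browser's TLS session is not the one this server terminated.
        return False, "channel id mismatch"
    return True, "bound"
```

This check only has value once the authenticator's signature over the hash of the same ClientData bytes has been verified, which is a separate step not shown here.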