On Wed, Dec 2, 2015 at 1:11 PM, Frederic Martin <fredletaman...@gmail.com> wrote:
> > > There are probably other questions Mozilla Core Team should ask to
> > > themselves :
> > >
> > > - Having a greater/larger HID Support, outside the FIDO U2F scope ?
> > > (This allows web services to communicate with HID devices - i.e.
> > > that's how some cryptocurrencies hardware wallets are using HID
> > > Chrome interface)
> > >
> >
> > Are you thinking of something like WebUSB?
> > (https://reillyeon.github.io/webusb/)? This is something we've looked at
> > a bit but we're still trying to wrap our heads around the security
> > implications.
>
> No. I am thinking about something like:
> https://developer.chrome.com/apps/hid
> but that's outside the pure FIDO U2F scope: it is a reminder that Chrome
> already allows web pages/JS to communicate with HID non-U2F devices and
> that Mozilla will have to choose on their side if the HID API will be
> restricted to U2F usage or not.

I believe the plan is to have that be the case for now.

> > > - Have TLS Channel ID Binding support. (Oh, this is really important)
> > > When you'll check FIDO U2F specifications, you'll see that TLS Channel
> > > ID Binding is an important part of the security against attacks like
> > > SSL Proxy and similar MITM attacks. This part is not mandatory. But
> > > Google servers are using this and Chrome supports it. So... please
> > > REALLY consider implementing it: it will bring higher security and
> > > probably will give a chance too in the future to be accepted as a
> > > supported browser on Google servers (I am not from Google so I can't
> > > speak on their behalf but this should be a rational requirement
> > > there).
> > > This is the only way to provide a full anti-phishing solution.
> > >
> >
> > My understanding is that Channel ID is being superseded by token binding
> > (https://datatracker.ietf.org/wg/tokbind/charter/), so if we do
> > something in this area, it's more likely we would do token binding
> > than channel ID, I expect.
>
> Hi, I don't think this is exactly something that you can freely choose...
> As you read FIDO U2F specifications, you'll see that added security is
> provided by TLS channel binding.
>
> Search "Channel Binding" inside
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-glossary.html
> and again here
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-security-ref.html

I know what Channel Bindings are, but they're different from Channel ID
(though Channel ID *uses* Channel Bindings). But as I said, Channel ID is
Google-specific sauce. The IETF token binding working group
(https://datatracker.ietf.org/wg/tokbind/charter/) is standardizing the
next generation of this technology. Given that, my instinct is to wait
for the standard.

-Ekr

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
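The Channel ID binding the thread argues about, as an added illustration that is not code from the thread, the FIDO specs or Mozilla: the browser writes the TLS channel's public key into U2F clientData, the token signs SHA-256(clientData), and the relying party compares that key with the one it saw on its own TLS session, so an SSL proxy sitting between the two is caught even when the origin looks right. An HMAC with a constructed key stands in for the token's ECDSA P-256 signature so this runs with the standard library only; the origin, challenge and channel-key strings are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the token's private key (a real U2F token signs with ECDSA P-256).
TOKEN_KEY = b"constructed-u2f-token-secret"

def signature_base(app_id: str, client_data: bytes, counter: int) -> bytes:
    # U2F authentication signature base: SHA-256(appId) || user-presence || counter || SHA-256(clientData)
    return (hashlib.sha256(app_id.encode()).digest() + b"\x01"
            + counter.to_bytes(4, "big") + hashlib.sha256(client_data).digest())

def token_sign(app_id: str, client_data: bytes, counter: int) -> bytes:
    # What the token returns; HMAC replaces the ECDSA signature for this illustration.
    return hmac.new(TOKEN_KEY, signature_base(app_id, client_data, counter), "sha256").digest()

def browser_client_data(challenge: str, origin: str, tls_channel_key: str) -> bytes:
    # The browser builds clientData: the origin it really talks to plus the Channel ID key
    # of the TLS session it established ('cid_pubkey'); the token never sees the network.
    return json.dumps({"typ": "navigator.id.getAssertion", "challenge": challenge,
                       "origin": origin, "cid_pubkey": tls_channel_key}, sort_keys=True).encode()

def rp_verify(app_id, origin, challenge, server_channel_key, client_data, counter, sig) -> str:
    # Relying party: signature must cover this exact clientData, origin/challenge must match,
    # and cid_pubkey must equal the Channel ID the server observed on its own TLS connection.
    if not hmac.compare_digest(sig, token_sign(app_id, client_data, counter)):
        return "bad signature"
    cd = json.loads(client_data)
    if cd.get("origin") != origin or cd.get("challenge") != challenge:
        return "origin/challenge mismatch"
    if cd.get("cid_pubkey") != server_channel_key:
        return "channel id mismatch"
    return "ok"

APP, ORIGIN, CHALLENGE = "https://example.test", "https://example.test", "c0ns7ruc73d-challenge"

def scenario_direct() -> str:
    # Browser talks TLS straight to the relying party: both ends see the same Channel ID key.
    cd = browser_client_data(CHALLENGE, ORIGIN, "channel-key-browser")
    return rp_verify(APP, ORIGIN, CHALLENGE, "channel-key-browser", cd, 7, token_sign(APP, cd, 7))

def scenario_ssl_proxy() -> str:
    # An intercepting proxy terminates TLS with a certificate the browser trusts, so the origin
    # matches, but the relying party's TLS session (and Channel ID) is with the proxy.
    cd = browser_client_data(CHALLENGE, ORIGIN, "channel-key-browser")
    return rp_verify(APP, ORIGIN, CHALLENGE, "channel-key-proxy", cd, 8, token_sign(APP, cd, 8))

def scenario_proxy_rewrites_client_data() -> str:
    # Editing cid_pubkey in transit does not help either: the signed SHA-256(clientData) changes.
    cd = browser_client_data(CHALLENGE, ORIGIN, "channel-key-browser")
    sig = token_sign(APP, cd, 9)
    forged = browser_client_data(CHALLENGE, ORIGIN, "channel-key-proxy")
    return rp_verify(APP, ORIGIN, CHALLENGE, "channel-key-proxy", forged, 9, sig)
```

Without the cid_pubkey comparison the second scenario would pass on the origin check alone, which is the gap the thread says Channel ID (or its token-binding successor) closes.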