On Wednesday, December 2, 2015 at 3:08:44 PM UTC-8, Frederic Martin wrote: > Sorry, but I don't understand why you are denying the evidence, anyone > at Fido alliance will confirm that even non-public FIDO 2 drafts are far > far far from finished. Regarding the glimpse that was published in W3c > website, this is even more flagrant.
So, apologies that I misunderstood your bone of contention with the 2.0 part, which Boris clarified. That said, I think we're in violent agreement that the specs are far, far, far from finished - and I'm unclear whether we're in agreement that one is under active development, while the other is a technological dead end which, through a series of unfortunate events, happened to have been launched beyond the scope of a few limited sites. > Are you following the Fido Alliance on going work? there are tons of > things that are currently discussed without even an agenda. And I don't even > speak about the authenticator side, there is no information/specifications at > all for that. To an extent my sanity permits, yes. > Please focus on existing full specifications with existing services and > products : FIDO U2F. The problem is that U2F represents a dead-end of sorts. It, along with FIDO UAF, tried to provision high-level APIs for two very disjoint use cases. The FIDO 2.0 work tries to embrace the extensiblewebmanifesto portion by providing the common low-level primitives shared by UAF/U2F, so that appropriate high level APIs can be built atop the low-level communication mechanism. Yes, there are sites that support and use the U2F high-level API, and yes, unfortunately Chrome ships a built-in extension that is automatically granted sufficient privileges to polyfill that high-level API atop our (extension-only) USB HID API, allowing the extension to inject into sites and transparently add support 'as if' it was implemented through the standard Chrome feature process, but unfortunately bypassing it, and thus suffering many of the known issues with implementing and shipping specs before consensus - such as ossification due to premature deployment. However, the U2F API inherently is something that will be replaced in the future - it will presumably be supplanted with the FIDO 2.0 API low-level primitives, for which there can then be 'many' high-level polyfill APIs implemented through support libraries independent of the UA, perhaps 'some' of which will be standardized, as such extensiblewebmanifesto-y things go. This was captured by threads like https://groups.google.com/a/fidoalliance.org/d/msg/fido-dev/zvS9BM8HXLQ/4GmJaSTTSN4J and such. I think we'd also all agree that supporting a "U2F 1.0 API, U2F 1.1 API, UAF 1.0 API, and FIDO 2.0 API" all within a browser is also... non-ideal. That's why I was trying to get clarification about both the short- and long-term commitments of the Firefox folks, while we try to get things clarified on the Chrome side. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
