It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions, which nowadays are a standard feature in Android and Windows platforms.
On Tuesday, November 15, 2016 at 8:47:49 PM UTC+1, JC Jones wrote:
> Apologies, this got caught in a filter. Re-sending for posterity on the list.
>
> ---------- Forwarded message ----------
> From: J.C. Jones
> Date: Tue, Nov 15, 2016 at 12:01 PM
> Subject: Re: Intent to implement and ship: Web Authentication
> To: berniepa...@gmail.com
> Cc: dev-platform@lists.mozilla.org
>
> Hey Bernie,
>
> That's one possibility, but I expect WebAuthn to support the U2F attestation payloads in its MakeCredential and GetAssertion calls, and then Firefox will implement the U2F HID protocol initially rather than jumping to CTAP v1.1.
>
> Cheers,
> J.C.
>
> On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:
>
> > On Monday, November 14, 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> > > On Monday, November 14, 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > > > Bernie,
> > > >
> > > > You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
> > > >
> > > > I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > > >
> > > > [1] https://github.com/w3c/webauthn/issues/214
> > > > [2] https://github.com/w3c/webauthn/milestone/8
> > > >
> > > > Cheers!
> > > > J.C.
> > > >
> > > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > > >
> > > > > On Friday, November 11, 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > > > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> > > > > >
> > > > > > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> > > > > >
> > > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> > > > > >
> > > > > > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> > > > > >
> > > > > > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
> > > > > >
> > > > > > Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
> > > > > >
> > > > > > Please send comments on this proposal to the list no later than 21 November 2016.
> > > > > >
> > > > > > [1] https://www.w3.org/blog/webauthn/
> > > > > >
> > > > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > > > >
> > > > > > [3] https://www.w3.org/TR/webauthn/
> > > > > >
> > > > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > > > >
> > > > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > > > > >
> > > > > > - J.C., Crypto Engineering
> > > > >
> > > > > Hi,
> > > > >
> > > > > the company I am working for is a small member of the FIDO Alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> > > > >
> > > > > As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)
> > > > >
> > > > > So, do you have new/other information to back your proposition:
> > > > > "Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format."
> > > > >
> > > > > Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)
> > > > > _______________________________________________
> > > > > dev-platform mailing list
> > > > > https://lists.mozilla.org/listinfo/dev-platform
> > >
> > > hi JC,
> > >
> > > I just realized that you are jcj_moz inside the webauthn minutes I am reading every week. I followed parts of the debates about CTAP, U2F attestation... and how it appears and disappears on main W3C drafts... I even read
> > > https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf
> > > and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and BT... (I ammmm goingggg slightllyyy maaaad)
> > >
> > > Since you seem to have a better perspective on these points, would you be kind enough to explain how U2F will be dealt with to be compatible with WebAuthN architecture? Thanx!
> >
> > oh I got it now... it seems there was a change of direction in CTAP 1.1 to be now compatible with U2F... so regarding CTAP 1.1 (and not CTAP 2.0), CTAP HID <=> U2F USB, CTAP NFC <=> U2F NFC and CTAP BT <=> U2F BT...
> >
> > and "Channel ID" MITM protection is now replaced by "Token Binding ID" but it should stay compatible too...
> >
> > So now, you'll have to finalize CTAP 1.1 (and U2F BT by the way)
> >
> > Am I correct on this?