Hi J.C.! Thanks for your extensive answer! Seems like there is a lot of progress going on that wasn't immediately obvious from bugzilla. I am looking forward to seeing this land.
Thank you, Tom On Wed, Apr 12, 2017 at 2:46 AM, J.C. Jones <j...@mozilla.com> wrote: > Tom, > > We're making progress on supporting the USB U2F HID token attestation > format; before the actual U2F/HID code starts appearing in-tree, there's > had to be some refactoring to handle things in a proper asynchronous way -- > which is nearing review. > > I'm working on that USB U2F support for OSX right now; Linux support is > also looking pretty OK, and we're planning to get Windows this quarter, too. > > Independently, we're waiting on updating our Web Authentication > implementation from the WD-02 version currently in-tree, expecting a > significant refactor to happen aligning the way you use Web Authentication > with the W3C Credential Management specification. There's ongoing > discussion [1] and currently one pull request [2] to do that. That's > primarily why we haven't moved forward to the WD-04 draft yet - and we're > working on the HID support. > > That said, we're still planning on exposing the USB U2F security key-type > devices only through the W3C Web Authentication API by default -- the older > FIDO U2F API that is currently hidden behind the `security.webauth.u2f` > preference [3] we're currently planning to keep hidden. It doesn't > implement the "Low-level MessagePort API", which makes a some sites that > depend on Chrome's u2f-api.js behave oddly. > > > [1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html > [2] https://github.com/w3c/webauthn/pull/384 > [3] (and also the `security.webauth.u2f_enable_softtoken` preference, > since there's no USB support in-tree yet) > > Cheers, > J.C. > > On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster <t...@schuster.me> wrote: > >> So what's our status with regards to implementing FIDO u2f? I really would >> like to use my security key natively in Firefox. >> >> Best, >> Tom >> >> On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren < >> anders.rundgren....@gmail.com> wrote: >> >> > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote: >> > > Anders, >> > > >> > > The first target I'm working on is Desktop, though I've plans in 2017 >> to >> > > support WebAuthn on Android and iOS [1], too. WebAuthn already has >> > > definitions suitable for Android's Key Attestation [2] and SafetyNet >> > > formats [3], so they'll need implementations that tie into the >> > > dom::WebAuthentication class. >> > >> > That's great news! >> > >> > Regards, >> > Anders >> > >> > > >> > > Cheers, >> > > J.C. >> > > >> > > [1] https://wiki.mozilla.org/Security/CryptoEngineering# >> > Web_Authentication >> > > [2] https://w3c.github.io/webauthn/#android-key-attestation >> > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation >> > > >> > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren < >> > > anders.rundgren....@gmail.com> wrote: >> > > >> > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren >> > wrote: >> > > > > It is a pity that external tokens have become the >> > > > > focus when the majority will rather rely on embedded >> > > > > security solutions which nowadays is a standard feature >> > > > > in Android and Windows platforms. >> > > > >> > > > Slight clarification to the above: The IoT folks pretty much build >> > 100% on >> > > > embedded security with car-keys as an obvious exception. >> > > > >> > > > On mobile I would say that over 99% of all existing security >> solutions >> > > > based on cryptographic keys are relying on embedded (or "App level") >> > keys >> > > > with Apple Pay as the most advanced example. >> > > > >> > > > That is, the token vendors and security folks do not represent the >> > actual >> > > > market comprising of end-users and service providers. >> > > > >> > > > Maybe this is a project primarily targeting the desktop? >> > > > _______________________________________________ >> > > > dev-platform mailing list >> > > > dev-platform@lists.mozilla.org >> > > > https://lists.mozilla.org/listinfo/dev-platform >> > > > >> > >> > _______________________________________________ >> > dev-platform mailing list >> > dev-platform@lists.mozilla.org >> > https://lists.mozilla.org/listinfo/dev-platform >> > >> _______________________________________________ >> dev-platform mailing list >> dev-platform@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-platform >> > > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform