On 25 March 2016 at 18:07, elijah <[email protected]> wrote:
> On 03/25/2016 05:33 AM, Tom Ritter wrote:
>
>> In the web browser context, I'm pretty sure you don't control the app
>> id - it's determined from the origin in the web browser and passed to
>> the dongle. If you could control it, it would be trivial to do
>> cooperative cross-origin tracking.
>
> I think that is correct, although I am puzzled why the javascript API
> lets you specify the app id.

You can either specify your origin (this is checked by the extension/browser, I assume!), or alternatively a URI that can be HTTP GET'd to yield a list of equivalent origins and identities of native apps that are allowed to claim the same appId.

> Regardless, I mostly have in mind non-browser applications (Soledad is
> currently written in Python).
>
> To the question of why not just use random seed stored on a thumb drive?
> In summary:

Some more things in this vein:

* U2F devices are typically harder to duplicate. This isn't a fundamental part of U2F, but the devices I've seen so far are either just USB-connected smartcards (Plug-Up) or have smartcard-class microcontrollers inside (Yubico).

* Plugging a USB stick into a modern computer will transfer unpredictable amounts of the USB drive's contents. Like in the page cache, search indices, backup systems, etc.

Cheers,
Joe
_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
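As an added example (not code from the mail or from any U2F implementation), a Python version of the check the extension/browser has to perform before letting an origin use an appId: the origin must either equal the appId, or appear in the trusted-facet list served at the appId URL, and both must share a registrable domain. The facet-list JSON is a constructed sample, `fetch` is an injected stand-in for the HTTPS GET, and the eTLD+1 test is simplified to the last two labels.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a U2F trusted-facet list, shaped like the JSON an
# appId URL serves (sample data, not from the original mail).
SAMPLE_FACETS = json.dumps({"trustedFacets": [{
    "version": {"major": 1, "minor": 0},
    "ids": ["https://example.com", "https://login.example.com",
            "android:apk-key-hash:PLACEHOLDER_APK_KEY_HASH"],
}]})

def _https_host(url):
    """Host of an https:// URL, or None if scheme or host is missing."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()

def _registrable_domain(host):
    """Simplified eTLD+1: last two labels (real clients use the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])

def origin_allowed_for_appid(origin, app_id, fetch):
    """True only if `origin` may use `app_id` for U2F register/sign.

    `fetch(url)` stands in for the HTTPS GET of the appId URL so the check
    runs offline. Allowed: the appId is the origin itself, or the facet list
    served at the appId names the origin and both share a registrable domain.
    Everything else is refused, so unrelated sites cannot agree on one appId
    and correlate a single key handle across origins.
    """
    origin, app_id = origin.rstrip("/"), app_id.rstrip("/")
    origin_host = _https_host(origin)
    if origin_host is None:
        return False
    if origin == app_id:
        return True
    app_host = _https_host(app_id)
    if app_host is None or _registrable_domain(origin_host) != _registrable_domain(app_host):
        return False
    try:
        doc = json.loads(fetch(app_id))
    except (ValueError, TypeError):
        return False
    for entry in (doc.get("trustedFacets", []) if isinstance(doc, dict) else []):
        version = entry.get("version", {})
        if version.get("major") == 1 and version.get("minor") == 0:
            return origin in {i.rstrip("/") for i in entry.get("ids", [])}
    return False
```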
