Re: Enabled CRLite in Nightly

2020-11-18 Thread J.C. Jones
be downloaded again. Perhaps we should go ahead and experiment with these two features in Fenix Nightly. J.C. On Tue, Nov 17, 2020 at 12:19 AM Henri Sivonen wrote: > On Fri, Nov 13, 2020 at 6:19 AM J.C. Jones wrote: > > Not yet, no. Neither this nor Intermediate Preloading (whi

Re: Enabled CRLite in Nightly

2020-11-12 Thread J.C. Jones
> It's taken a lot of effort, but it's definitely worth it. > > On Thu, Nov 12, 2020 at 8:08 AM J.C. Jones wrote: > > > > > > CRLite ships compressed revocation information for the public Web to > > > Firefox users, four times a day. We have a blogpost series on

Enabled CRLite in Nightly

2020-11-11 Thread J.C. Jones
CRLite ships compressed revocation information for the public Web to Firefox users, four times a day. We have a blogpost series on CRLite at the Security Blog (with another post coming later this month), there’s additional information at GitHub

Re: Proposed W3C Charter: Web Authentication Working Group

2019-09-20 Thread J.C. Jones
The additional time for the WebAuthn working group is overall good and worth supporting. The bulk of the additional work to be done is focused on improving the ergonomics of the existing Level 1 spec, both for developers and for individuals using the capabilities within their lives. On Wed, Sep

Re: Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts

2019-06-05 Thread J.C. Jones
In short, no. I believe not implementing the facet algorithm is a feature. I recommend migrating to Web Authentication as soon as practical. I will also point to a post on blink-dev from Adam Langley calling for websites targeting Chrome to migrate to WebAuthn:

Intent-to-Unship: DH algorithm support for WebCrypto

2019-03-29 Thread J.C. Jones
Our WebCrypto implementation supports using DH as an algorithm in generateKey, which is not one of the recognized algorithms in the published specification [0]. It doesn't even appear on MDN [2]. I intend to remove it from Firefox. However, before I do that, I am landing telemetry [1] to

Re: Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts

2019-03-26 Thread J.C. Jones
.com/grantila/u2f-api the mentioned Google-supplied > polyfill called u2f-api.js? > > On Thu, Mar 21, 2019 at 3:08 PM Henri Sivonen > wrote: > > > On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones wrote: > > > It appears that if we want full security key support for Google >

Re: Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts

2019-03-26 Thread J.C. Jones
(Sorry for the delay in replying, had a long-weekend of PTO there) On Thu, Mar 21, 2019 at 7:08 AM Henri Sivonen wrote: > On Thu, Mar 14, 2019 at 8:12 PM J.C. Jones wrote: > > It appears that if we want full security key support for Google > > Accounts in Firefox in the nea

Intent-to-Ship: Backward-Compatibility FIDO U2F support for Google Accounts

2019-03-14 Thread J.C. Jones
Web Authentication (WebAuthn) is our best technical response to phishing, which is why we’ve championed it as a technology. All major browsers either support it already, or have their support in-progress, yet adoption by websites has been slow. The deprecated JavaScript API that WebAuthn replaces,

Re: Intermediate CA Preloading is enabled for desktop Nightly users

2019-03-14 Thread J.C. Jones
> > On Wed, Mar 13, 2019 at 2:23 PM J.C. Jones wrote: > >> Tom, >> >> Kinto provides the whole list of metadata to clients as soon as it syncs >> [1]. The metadata uses the Kinto attachment >> <https://github.com/Kinto/kinto-attachment> mechanism t

Re: Intermediate CA Preloading is enabled for desktop Nightly users

2019-03-13 Thread J.C. Jones
idn't seem worth it for the experimental phase. Thanks! [1] https://settings.prod.mozaws.net/v1/buckets/security-state/collections/intermediates/records On Wed, Mar 13, 2019 at 10:22 AM Tom Ritter wrote: > How does kinto know which certificates you yet need to download? > > On Fri, Mar 8, 2019,

Intermediate CA Preloading is enabled for desktop Nightly users

2019-03-08 Thread J.C. Jones
# tl;dr # At the end of February I enabled Intermediate CA Preloading for all desktop Nightly users to begin gathering telemetry. This means all intermediate CAs disclosed to Mozilla will be pre-loaded into profiles, so the common secure website misconfiguration of forgetting this certificate

Re: W3C Proposed Recommendation: Web Authentication

2019-02-08 Thread J.C. Jones
Out of all multi-factor authentication solutions I know of, Web Authentication is our best technical response to the scourge of phishing. Tying public-key cryptography into web logins, it dramatically raises the bar for phishing: From a simple confusable website and replay attack, to an HTTPS

Re: Moving reviews to Phabricator

2019-02-08 Thread J.C. Jones
The NSS team still uplifts from https://hg.mozilla.org/projects/nss/ into m-c a few times per week (or as needed) using inbound

Re: Intent to Ship - Support already-enrolled U2F devices with Google Accounts for Web Authentication

2018-02-06 Thread J.C. Jones
tps://bugzilla.mozilla.org/show_bug.cgi?id=1436078> for this work. On Fri, Feb 2, 2018 at 1:20 AM, Henri Sivonen <hsivo...@hsivonen.fi> wrote: > On Tue, Jan 30, 2018 at 6:49 PM, J.C. Jones <j...@mozilla.com> wrote: > > I also recognize that Google > > Accounts is t

Re: Intent to Ship - Support already-enrolled U2F devices with Google Accounts for Web Authentication

2018-01-30 Thread J.C. Jones
February 2020 instead? On Tue, Jan 30, 2018 at 11:12 AM, Eric Rescorla <e...@rtfm.com> wrote: > > > On Tue, Jan 30, 2018 at 8:49 AM, J.C. Jones <j...@mozilla.com> wrote: > >> Summary: Support already-enrolled U2F devices with Google Accounts for Web >> Aut

Intent to Ship - Support already-enrolled U2F devices with Google Accounts for Web Authentication

2018-01-30 Thread J.C. Jones
/; https://webauthn.bin.coffee/; https://webauthndemo.appspot.com/; Web Platform Tests in-progress Cheers, J.C. Jones and Tim Taubert [1] https://groups.google.com/d/msg/mozilla.dev.platform/tsevyqfBHLE/lccldWNNBwAJ [2] https://w3c.github.io/webauthn/#sctn-appid-extension and https

Re: u2f

2018-01-30 Thread J.C. Jones
277> to collect information on Linux dependencies for the Firefox 60 release notes. Let's take the analysis there for anyone up for helping us pin this down. Thanks! J.C. On Mon, Jan 29, 2018 at 4:25 PM, Kurt Roeckx <k...@roeckx.be> wrote: > On Mon, Jan 29, 2018 at 09:36:15AM -0700, J

Re: u2f

2018-01-29 Thread J.C. Jones
Our U2F support is incomplete, due to complexities with and ambiguities related to the algorithm U2F uses to bypass the single-origin security policy. I chose not to spend the time to implement that in favor of Web Authentication. The only big U2F property I am familiar with that our support

Re: Intent to Ship: Web Authentication

2017-12-06 Thread J.C. Jones
On Wed, Dec 6, 2017 at 10:24 AM, James Graham wrote: > Are the web-platform-tests going to be done before we ship? > I hope so, though as-of-now no one from Mozilla is contributing to the web-platform-tests [1]. Originally some FIDO Alliance-associated folk were going to

Intent to Ship: Web Authentication

2017-12-05 Thread J.C. Jones
: No public announcements Testing: Mochitests in-tree; https://webauthn.io/; https://webauthn.bin.coffee/ ; Web Platform Tests in-progress Cheers, J.C. Jones and Tim Taubert [1] https://www.chromestatus.com/feature/5669923372138496 [2] https://msdn.microsoft.com/en-us/library/mt697638(v=vs.85).aspx

Re: Intent to implement and ship: Web Authentication

2017-04-11 Thread J.C. Jones
Tom, We're making progress on supporting the USB U2F HID token attestation format; before the actual U2F/HID code starts appearing in-tree, there's had to be some refactoring to handle things in a proper asynchronous way -- which is nearing review. I'm working on that USB U2F support for OSX

Re: Intent to implement and ship: Web Authentication

2016-12-02 Thread J.C. Jones
Anders, The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the

Fwd: Intent to implement and ship: Web Authentication

2016-11-15 Thread J.C. Jones
Apologies, this got caught in a filter. Re-sending for posterity on the list. -- Forwarded message -- From: J.C. Jones Date: Tue, Nov 15, 2016 at 12:01 PM Subject: Re: Intent to implement and ship: Web Authentication To: berniepa...@gmail.com Cc: dev-platform@lists.mozilla.org

Re: Intent to implement and ship: Web Authentication

2016-11-14 Thread J.C. Jones
Bernie, You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete. I won't guarantee success at this point, but I

Intent to implement and ship: Web Authentication

2016-11-11 Thread J.C. Jones
The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through

Re: Intent to implement and ship: FIDO U2F API

2016-02-04 Thread J.C. Jones
All, We're making progress on implementing FIDO U2F in Firefox. The effort is split into a number of bugs at present. First, a quick rundown of where we are: * The tracking bug for U2F support is Bug 1065729. * Bug 1198330 is to implement USB HID support in Firefox. * Bug 1231681 implements the