Hi All, great news!

TL;DR version:
--------------

I love U2F, I love Firefox.
FIDO U2F is here to stay.
FIDO 2.0 does not exist and will not replace U2F.
FIDO U2F is really great.
Please implement FIDO U2F.
Please please please implement TLS Channel ID Binding support
(important part of FIDO U2F specifications, but not mandatory)
Please consider larger HID support (as in Chrome).

Full version:
-------------

As you may know, several of us are pushing for Firefox FIDO U2F
support (https://bugzilla.mozilla.org/show_bug.cgi?id=1065729).
I joined the Bountysource initiative and was following the recent
Firefox U2F support made through the small Firefox extension...
(it works even if there is no TLS Channel ID Binding protection,
see below about that)

I have been a Mozilla supporter for many, many years and I work as a security
architect inside a small company manufacturing FIDO U2F USB products...
so this is the kind of discussion I was dreaming of :)

> If it cheers you up any, the 2.0 API that replaces the U2F API uses
> promises - http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/
> Richard, it would help if you could clarify - are you proposing that 
> Firefox implement the 'old and deprecated' U2F API [1], or the 'fresh
> and new and hoping to be standards track' W3C member submission API [2].

Let's be clear with some real information here:
- FIDO 2.0 will not replace FIDO U2F
- There will probably not be any kind of FIDO U2F 2.0 inside FIDO 2.0
- FIDO 2.0 has no goal to be compatible with FIDO U2F (and won't be)
- FIDO U2F is already here and here to stay. It is a great WORKING
  solution: a secure second factor for strong web authentication
  through a simple HID based API.
- There is already plenty of FIDO U2F related source code available
  to help people build great solutions (Chromium client source code,
  Google JS library source code and different Java/PHP server code)
- Nearly all FIDO U2F products have really secure architectures
  (for example, nearly every product uses secure elements /
  smart card components, even if not mandatory; that's great)
- FIDO U2F over NFC and BLE specifications are currently being
  finalized, so there will be flexibility to cover mobile platforms.
- The FIDO 2.0 W3C submission has no real details regarding technical
  implementation because FIDO 2 is, for now, only a very confusing draft,
  and there is a lot of pressure to forget desktop based authentication,
  to forget about using hardware with secure elements and several other
  strange things you'll have to discover by yourself... Please do
  not put too much hope in FIDO 2.0 (that's really not important)

> I originally wanted to reply with 'good news' [...] 
> [...] put Firefox in this position of "old and busted" and 
> "new hotness", with "damned either way" as the result. I'm trying to 
> find out more about this, as well as Chrome and Chromium's future 
> commitments regarding this API.

So, U2F is not old and busted; U2F is working and kicks ass :)
Google's contributions to the specs and the Alliance were amazing.
And this is a real open standard, with real standard crypto.

- More and more services are directly adopting U2F.
- Federated Identity providers / web SSO solutions are adopting it.
- Firefox MUST adopt it :)

> That said, knowing full well that the FIDO Alliance intends the W3C
> member submission to be the path forward, could you provide greater clarity:
> 1) What it is you intend to implement?
> 2) If you intend to implement [1], whether or not you'll unship that 
> if/as/when [2] progresses?
> 
> [1] 
> https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html
> [2] http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/

So, let's forget about [2] for now, it is not a real thing... and
well... let's forget it. (If you read both specs you should see
real differences and problems...)

There are probably other questions the Mozilla Core Team should ask
themselves:

- Having greater/larger HID support, outside the FIDO U2F scope?
(This allows web services to communicate with HID devices - i.e.
that's how some cryptocurrency hardware wallets are using the Chrome
HID interface)

- Have TLS Channel ID Binding support. (Oh, this is really important)
When you check the FIDO U2F specifications, you'll see that TLS Channel
ID Binding is an important part of the security against attacks like
SSL proxies and similar MITM attacks. This part is not mandatory. But
Google servers are using this and Chrome supports it. So... please
REALLY consider implementing it: it will bring higher security and
will probably also give a chance in the future to be accepted as a
supported browser on Google servers (I am not from Google so I can't
speak on their behalf, but this should be a rational requirement there).
This is the only way to provide a full anti-phishing solution.

By the way, thanks for all the work and recent contributions to this
subject! FIDO U2F rules! Mozilla/Firefox rules! Let's make them rule
together :)

Regards
--
Frédéric
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
