I'm no longer directly involved with the FIDO Alliance, so I can't speak to the FIDO 2.0 timelines, but my general experience there plus at the W3C tells me that it will some time before the new APIs stabilize. I hope that this won't dissuade Mozilla from beginning work on implementing U2F more-or-less immediately.
1) Much of the work involved is in building the USB transports (the crypto is rather simple) and that code will likely be highly reusable for 2.0 APIs. 2) There is a growing set of services adopting U2F today, a robust and competitive market for the hardware, and Firefox support would be a important contributor to "critical mass" for the FIDO approach, regardless of the particular version. A privacy-friendly, strong and origin-bound authentication mechanism, based on open protocols, with hardware chosen by the user, seems to fit very well within the general values and vision of Mozilla. I think it is valuable to give it momentum at a time when alternative approaches that don't respect user privacy or the web security model in the same way are being heavily pushed. 3) I think it would be OK to leave out Channel ID support as the approach is clearly being deprecated and it represents only a tiny fraction of the value provided by U2F. cheers, Brad Hill _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
