Re: Intent to implement and ship: FIDO U2F API

By the way, I just got informed (from Google) that TLS Channel ID, even if activated on Google servers (including appspot), is only enforced for few users for now (even If I am not sure how they do that :) ) So Firefox users should not be blocked for that reason :) They seem to agree you

Re: Intent to implement and ship: FIDO U2F API

Hi, Great news about you making progress on this ! Since I read here and there that you are working with Firefox & Chrome U2F support consistency in mind, what's your take on TLS Channel ID (Token Binding) support inside Firefox ? It is a recommended feature for FIDO U2F client (Firefox here)

Re: Intent to implement and ship: FIDO U2F API

On Fri, Feb 5, 2016 at 3:22 PM, Fred Le Tamanoir wrote: > Hi, > > Great news about you making progress on this ! > > Since I read here and there that you are working with Firefox & Chrome U2F > support consistency in mind, what's your take on TLS Channel ID (Token >

Re: Intent to implement and ship: FIDO U2F API

On Monday, February 8, 2016 at 10:54:36 PM UTC+1, Ryan Sleevi wrote: > On Mon, Feb 8, 2016 at 1:13 PM, Frederic Martin wrote: > > > > 1) From a security architect perspective. This is an official > > recommendation that makes sens to prevent MITM attacks. FIDO U2F was > > created to

Re: Intent to implement and ship: FIDO U2F API

Hi, thanx for the answer. Quoting Dirk Balfanz (one of the TLS Channel ID specifications author, a few days ago on FIDO DEV forum): "the new spec that replaces ChannelID is called "Token Binding", and is in the process of being standardized by the IETF

Re: Intent to implement and ship: FIDO U2F API

On Mon, Feb 8, 2016 at 1:13 PM, Frederic Martin wrote: > > 1) From a security architect perspective. This is an official recommendation > that makes sens to prevent MITM attacks. FIDO U2F was created to > minimize/eliminate that kind of risk. U2F itself addresses phishing. Token Binding

Re: Intent to implement and ship: FIDO U2F API

On Mon, Feb 8, 2016 at 10:13 PM, Frederic Martin wrote: > Hi, > > thanx for the answer. > > Quoting Dirk Balfanz (one of the TLS Channel ID specifications author, a > few days ago on FIDO DEV forum): > > "the new spec that replaces ChannelID is called "Token Binding",

Re: Intent to implement and ship: FIDO U2F API

All, We're making progress on implementing FIDO U2F in Firefox. The effort is split into a number of bugs at present. First, a quick rundown of where we are: * The tracking bug for U2F support is Bug 1065729. * Bug 1198330 is to implement USB HID support in Firefox. * Bug 1231681 implements the

Re: Intent to implement and ship: FIDO U2F API

On Wednesday, December 2, 2015 at 2:23:28 AM UTC+1, Richard Barnes wrote: > The FIDO Alliance has been developing standards for hardware-based > authentication of users by websites [1]. Their work is getting significant > traction, so the Mozilla Foundation has decided to join the FIDO Alliance.

Re: Intent to implement and ship: FIDO U2F API

I'm no longer directly involved with the FIDO Alliance, so I can't speak to the FIDO 2.0 timelines, but my general experience there plus at the W3C tells me that it will some time before the new APIs stabilize. I hope that this won't dissuade Mozilla from beginning work on implementing U2F

Re: Intent to implement and ship: FIDO U2F API

On 12/04/2015 06:56 PM, smaug wrote: Looks like the spec could be made implementable by fixing https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api "provide a namespace object u2f of the following interface" doesn't mean

Re: Intent to implement and ship: FIDO U2F API

Looks like the spec could be made implementable by fixing https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api "provide a namespace object u2f of the following interface" doesn't mean anything, so either there is supposed

Re: Intent to implement and ship: FIDO U2F API

On 12/02/2015 11:37 PM, Frederic Martin wrote: As I said in the other email, I don't understand how this could be implemented when the spec has left the >key piece undefined, as far as I see. You are completely right ! For now, FIDO 2 is currently being written (far far far from finished)

Re: Intent to implement and ship: FIDO U2F API

On Wed, Dec 2, 2015 at 12:25 AM, wrote: > On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote: > > Oh well. Bummer. > > > > / Jonas > > If it cheers you up any, the 2.0 API that replaces the U2F API uses > promises -

Re: Intent to implement and ship: FIDO U2F API

Hi All, great news ! TL;DR version: -- I love U2F, I love Firefox FIDO U2F is here to stay. FIDO 2.0 do not exist and will not replace U2F. FIDO U2F is really great. Please implement FIDO U2F. Please please please implement TLS Channel ID Binding support (important part of FIDO U2F

Re: Intent to implement and ship: FIDO U2F API

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 12/02/2015 03:48 PM, Richard Barnes wrote: > I think we would treat this just like we treat other early-stage > things that get shipped, gradually turning it off when the real > thing shows up. That would mean only shipping it on Nightly and maybe

Re: Intent to implement and ship: FIDO U2F API

On 12/2/15 8:53 AM, Ms2ger wrote: I don't remember what the current conventional wisdom about prefixing is, but I would be open to shipping with a prefix if people thought that would ease pain in the eventual transition. No. Nonononononononono. This is the conventional wisdom. Prefixes end

Re: Intent to implement and ship: FIDO U2F API

On 02.12.2015 18:53, Robert O'Callahan wrote: > On Wed, Dec 2, 2015 at 9:37 AM, Eric Rescorla wrote: > >> Are you thinking of something like WebUSB? >> (https://reillyeon.github.io/webusb/)? This is something we've looked at >> a bit but we're still trying to wrap our heads around

Re: Intent to implement and ship: FIDO U2F API

On Wed, Dec 2, 2015 at 9:53 AM, Robert O'Callahan wrote: > On Wed, Dec 2, 2015 at 9:37 AM, Eric Rescorla wrote: > >> Are you thinking of something like WebUSB? >> (https://reillyeon.github.io/webusb/)? This is something we've looked at >> a bit but we're

Re: Intent to implement and ship: FIDO U2F API

On 2015-12-02 9:48 AM, Richard Barnes wrote: On Wed, Dec 2, 2015 at 12:25 AM, wrote: On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote: Oh well. Bummer. / Jonas If it cheers you up any, the 2.0 API that replaces the U2F API uses promises -

Re: Intent to implement and ship: FIDO U2F API

On Wednesday, December 2, 2015 at 1:17:46 PM UTC-8, smaug wrote: > I don't understand how 1) could be implemented when the spec has left the key > piece undefined, as far as I see. > As the spec puts it "This specification does not describe how such a port is > made available to RP web pages, as

Re: Intent to implement and ship: FIDO U2F API

On 12/02/2015 03:23 AM, Richard Barnes wrote: The FIDO Alliance has been developing standards for hardware-based authentication of users by websites [1]. Their work is getting significant traction, so the Mozilla Foundation has decided to join the FIDO Alliance. Work has begun in the W3C to

Re: Intent to implement and ship: FIDO U2F API

>As I said in the other email, >I don't understand how this could be implemented when the spec has left the >>key piece undefined, as far as I see. You are completely right ! For now, FIDO 2 is currently being written (far far far from finished) and can't be implemented, so let's focus on

Re: Intent to implement and ship: FIDO U2F API

On 12/2/15 6:48 AM, Richard Barnes wrote: My initial intent was to propose implementing [1], then implementing [2] when it's ready. After all, there's a lot in common, and as you say, the W3C version will be much nicer. This seems like like a strange path to take. Why implement both? From

Re: Intent to implement and ship: FIDO U2F API

Le jeudi 3 décembre 2015 01:28:51 UTC+1, Justin Dolske a écrit : > On 12/2/15 6:48 AM, Richard Barnes wrote: > > > My initial intent was to propose implementing [1], then implementing [2] > > when it's ready. After all, there's a lot in common, and as you say, >the > > W3C version will be much

Re: Intent to implement and ship: FIDO U2F API

Le mercredi 2 décembre 2015 23:43:00 UTC+1, Ryan Sleevi a écrit : > On Wednesday, December 2, 2015 at 1:17:46 PM UTC-8, smaug wrote: > > I don't understand how 1) could be implemented when the spec has left the > > key piece undefined, as far as I see. > > As the spec puts it "This specification

Re: Intent to implement and ship: FIDO U2F API

On Wednesday, December 2, 2015 at 3:08:44 PM UTC-8, Frederic Martin wrote: > Sorry, but I don't understand why you are denying the evidence, anyone > at Fido alliance will confirm that even non-public FIDO 2 drafts are far > far far from finished. Regarding the glimpse that was published in W3c

Re: Intent to implement and ship: FIDO U2F API

On 12/02/2015 07:25 AM, ryan.sle...@gmail.com wrote: On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote: Oh well. Bummer. / Jonas If it cheers you up any, the 2.0 API that replaces the U2F API uses promises - http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/

Re: Intent to implement and ship: FIDO U2F API

On Wed, Dec 2, 2015 at 1:11 PM, Frederic Martin wrote: > > > There are probably other questions Mozilla Core Team should ask to > > > themselves : > > > > > > - Having a greater/larger HID Support, outside the FIDO U2F scope ? > > > (This allows web services to

Re: Intent to implement and ship: FIDO U2F API

> That said, I think we're in violent agreement that the specs are far, far, > far from finished - and I'm unclear whether we're in agreement that one is > under active development, while the other is a technological dead end which, > through a series of unfortunate events, happened to have

Intent to implement and ship: FIDO U2F API

The FIDO Alliance has been developing standards for hardware-based authentication of users by websites [1]. Their work is getting significant traction, so the Mozilla Foundation has decided to join the FIDO Alliance. Work has begun in the W3C to create open standards using FIDO as a starting

Re: Intent to implement and ship: FIDO U2F API

Any chance that the API can be made a little more JS friendly? First thing that stands out is the use of success/error callbacks rather than the use of Promises. Also the use of numeric codes, rather than string values, is a pattern that the web has generally moved away from. / Jonas On Tue,

Re: Intent to implement and ship: FIDO U2F API

Oh well. Bummer. / Jonas On Tue, Dec 1, 2015 at 5:36 PM, Richard Barnes wrote: > It's my understanding that U2F qua U2F is considered pretty much baked by > the developer community, and there's already code written to it. But these > concerns will be great for the W3C

Re: Intent to implement and ship: FIDO U2F API

It's my understanding that U2F qua U2F is considered pretty much baked by the developer community, and there's already code written to it. But these concerns will be great for the W3C group and the successor API. I've got a similar list started related to crypto and future-proofing. On Tue,

Re: Intent to implement and ship: FIDO U2F API

On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote: > Oh well. Bummer. > > / Jonas If it cheers you up any, the 2.0 API that replaces the U2F API uses promises - http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/ Richard, it would help if you could clarify - are