Looks like the spec could be made implementable by fixing
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api

"provide a namespace object u2f of the following interface" doesn't mean 
anything, so either there is supposed to be an instance of the u2f interface
somewhere (in the Window object?), but it feels odd to expose an interface called u2f and 
have u2f as a property of Window.
Perhaps the idea there is that the interface has only static methods?
Then register() and sign() should be marked as static and there wouldn't be an 
instance of u2f, but one would just call those static methods
on the u2f interface.
(Nit, the convention is that interfaces start with a capital letter. For some 
odd reason 'u2f' doesn't follow that.)
-Olli
On 12/02/2015 11:20 PM, smaug wrote:
On 12/02/2015 03:23 AM, Richard Barnes wrote:
The FIDO Alliance has been developing standards for hardware-based
authentication of users by websites [1].  Their work is getting significant
traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
Work has begun in the W3C to create open standards using FIDO as a starting
point. We are proposing to implement the FIDO U2F API in Firefox in its
current form and then track the evolving W3C standard.

Background: The FIDO Alliance has been developing a standard for
hardware-based user authentication known as “Universal Two-Factor” or U2F
[2].  This standard allows a website to verify that a user is in possession
of a specific device by having the device sign a challenge with a private
key that is held on the hardware device.  The browser’s role is mainly (1)
to route messages between the website and the token, and (2) to add the
origin of the website to the message signed by the token (so that the
signature is bound to the site).

Several major websites now support U2F for authentication, including Google
[3], Dropbox [4], and GitHub [5].  Axel Nennker has filed a Bugzilla bug
for U2F support in Gecko [6].  The W3C has begun the process of forming a
“WebAuthentication” working group that will work on a standard for enhanced
authentication using FIDO as a starting point [7].

Proposed: To implement the high-level U2F API described in the FIDO JS API
specification, with support for the USB HID token interface.

As I said in the other email,
I don't understand how this could be implemented when the spec has left the key 
piece undefined, as far as I see.
As the spec puts it "This specification does not describe how such a port is 
made available to RP web pages, as this is (for now) implementation and
browser dependent."

Please send comments on this proposal to the list no later than Monday,
December 14, 2015.

-----

Personally, I have some reservations about implementing this, but I still
think it’s worth doing, given the clear need for something to augment
passwords.

It’s unfortunate that the initial FIDO standards were developed in a closed
group, but there is good momentum building toward making FIDO more open.  I
have some specific concerns about the U2F API itself, but they’re
relatively minor.  For example, the whole system is highly vertically
integrated, so if we want to change any part of it (e.g., to use a curve
other than P-256 for signatures), we’ll need to build a whole new API.  But
these are issues that can be addressed in the W3C process.

We will continue to work on making standards for secure authentication more
open.  In the meantime, U2F is what’s here now, and there’s demonstrated
developer interest, so it makes sense for us to work on implementing it.

Thanks,
--Richard

[1] https://fidoalliance.org/
[2] https://fidoalliance.org/specifications/download/
[3] https://support.google.com/accounts/answer/6103523?hl=en
[4] https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/
[5] https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication
[6] https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
[7] http://w3c.github.io/websec/web-authentication-charter
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform