Hi, Great news about you making progress on this !
Since I read here and there that you are working with Firefox & Chrome U2F support consistency in mind, what's your take on TLS Channel ID (Token Binding) support inside Firefox ? It is a recommended feature for FIDO U2F client (Firefox here) inside official specifications for additional protection against MITM attacks... and it is implemented on Google authentication servers (and on Chrome client side of course). I don't know if Google team will make it mandatory for non-Chrome browsers to be compatible with their own authentication servers but anyway, I think this is an important issue to be discussed... ...and my personal point: we need this :) On Thu, Feb 4, 2016 at 10:49 PM, J.C. Jones <jjo...@mozilla.com> wrote: > All, > > We're making progress on implementing FIDO U2F in Firefox. The effort is > split into a number of bugs at present. First, a quick rundown of where we > are: > > * The tracking bug for U2F support is Bug 1065729. > * Bug 1198330 is to implement USB HID support in Firefox. > * Bug 1231681 implements the WebIDL and the outline of the JS API. This > bug’s code is in review. > * Bug 1244959 completes the AppId/FacetId algorithm. > * Bug 1245527 implements the state machines (USBToken) between the JS API > and the USB HID support. > * Bug 1244960 expands an NSS-based U2F token (NSSToken) for expanded > integration and developer testing. > > A couple of notes/clarifications about how we’re planning to build U2F > support: > > * The `window.u2f` API endpoint will only be available to code loaded from > secure origins, in keeping with our policy for new features [1]. (This is > also consistent with U2F support that is built into recent versions of > Google Chrome.) > * We are implementing the high-level JavaScript API version 1.1. The > specification for v1.1 is not yet published, but is already implemented in > recent versions of Chromium [2]. > * For the time being, U2F support will be gated behind preferences and > disabled by default. > > [1] > https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ > [2] > https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/cryptotoken/webrequest.js > > - J.C. > > > On Wed, Jan 27, 2016 at 2:44 AM, Frederic Martin <fredletaman...@gmail.com > > wrote: > >> <http://w3c.github.io/websec/web-authentication-charter>Nearly two >> months since that post... >> Any news on this ? >> >> a) on Mozilla Foundation joining FIDO Alliance? >> b) on FIDO U2F implementation inside Firefox Core? >> >> Thanx. >> _______________________________________________ >> dev-platform mailing list >> dev-platform@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-platform >> > > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
