On Fri, Feb 5, 2016 at 3:22 PM, Fred Le Tamanoir <fredletaman...@gmail.com> wrote:
> Hi, > > Great news about you making progress on this ! > > Since I read here and there that you are working with Firefox & Chrome U2F > support consistency in mind, what's your take on TLS Channel ID (Token > Binding) support inside Firefox ? > > It is a recommended feature for FIDO U2F client (Firefox here) inside > official specifications for additional protection against MITM attacks... > and it is implemented on Google authentication servers (and on Chrome > client side of course). I don't know if Google team will make it mandatory > for non-Chrome browsers to be compatible with their own authentication > servers but anyway, I think this is an important issue to be discussed... > See: https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/o9WzWgEqCwAJ We're not likely to implement Channel ID, but we probably will implement Token Binding when it seems sufficiently stable -Ekr > > ...and my personal point: we need this :) > > On Thu, Feb 4, 2016 at 10:49 PM, J.C. Jones <jjo...@mozilla.com> wrote: > > > All, > > > > We're making progress on implementing FIDO U2F in Firefox. The effort is > > split into a number of bugs at present. First, a quick rundown of where > we > > are: > > > > * The tracking bug for U2F support is Bug 1065729. > > * Bug 1198330 is to implement USB HID support in Firefox. > > * Bug 1231681 implements the WebIDL and the outline of the JS API. This > > bug’s code is in review. > > * Bug 1244959 completes the AppId/FacetId algorithm. > > * Bug 1245527 implements the state machines (USBToken) between the JS API > > and the USB HID support. > > * Bug 1244960 expands an NSS-based U2F token (NSSToken) for expanded > > integration and developer testing. > > > > A couple of notes/clarifications about how we’re planning to build U2F > > support: > > > > * The `window.u2f` API endpoint will only be available to code loaded > from > > secure origins, in keeping with our policy for new features [1]. (This is > > also consistent with U2F support that is built into recent versions of > > Google Chrome.) > > * We are implementing the high-level JavaScript API version 1.1. The > > specification for v1.1 is not yet published, but is already implemented > in > > recent versions of Chromium [2]. > > * For the time being, U2F support will be gated behind preferences and > > disabled by default. > > > > [1] > > > https://blog.mozilla.org/security/2015/04/30/deprecating-non-secure-http/ > > [2] > > > https://chromium.googlesource.com/chromium/src/+/master/chrome/browser/resources/cryptotoken/webrequest.js > > > > - J.C. > > > > > > On Wed, Jan 27, 2016 at 2:44 AM, Frederic Martin < > fredletaman...@gmail.com > > > wrote: > > > >> <http://w3c.github.io/websec/web-authentication-charter>Nearly two > >> months since that post... > >> Any news on this ? > >> > >> a) on Mozilla Foundation joining FIDO Alliance? > >> b) on FIDO U2F implementation inside Firefox Core? > >> > >> Thanx. > >> _______________________________________________ > >> dev-platform mailing list > >> dev-platform@lists.mozilla.org > >> https://lists.mozilla.org/listinfo/dev-platform > >> > > > > > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform