Apologies, this got caught in a filter. Re-sending for posterity on the
list.
---------- Forwarded message ----------
From: J.C. Jones
Date: Tue, Nov 15, 2016 at 12:01 PM
Subject: Re: Intent to implement and ship: Web Authentication
To: berniepa...@gmail.com
Cc: dev-platform@lists.mozilla.org


Hey Bernie,

That's one possibility, but I expect WebAuthn to support the U2F
attestation payloads in its MakeCredential and GetAssertion calls, and then
Firefox will implement the U2F HID protocol initially rather than jumping
to CTAP v1.1.

Cheers,
J.C.

On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:

> On Monday, 14 November 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> > On Monday, 14 November 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > > Bernie,
> > >
> > > You're right that the current WD does not contain the "U2F HID token"
> > > attestation format, but the WG is _intending_ to add it [1] -- and
> > > support for such devices -- in Working Draft 4 [2] as soon as a larger
> > > in-document refactor is complete.
> > >
> > > I won't guarantee success at this point, but I believe it likely that
> > > WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > >
> > > [1] https://github.com/w3c/webauthn/issues/214
> > > [2] https://github.com/w3c/webauthn/milestone/8
> > >
> > > Cheers!
> > > J.C.
> > >
> > >
> > >
> > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > >
> > > > On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > > > browser-facing standard for using strong, cryptographic scoped
> > > > > credentials to authenticate to web applications in an un-phishable
> > > > > way. The Working Group began working from specifications produced by
> > > > > the FIDO Alliance, but through the W3C process ensured there was a
> > > > > web-focus to the final result.
> > > > >
> > > > > We have been tracking the Web Authentication standard since last
> > > > > year’s FIDO U2F announcement [2], and we believe Web Authentication
> > > > > provides a valuable augmentation to web application security in an
> > > > > inclusive way. We are proposing to implement the current draft
> > > > > specification for Web Authentication [3], and then track the
> > > > > evolution through to its final Recommendation state.
> > > > >
> > > > > Background: The Mozilla Foundation joined the FIDO Alliance to
> > > > > support the work of providing augmented security to user logins
> > > > > across the Web. We encouraged FIDO to evolve their browser
> > > > > specifications within the W3C, to enable larger community involvement
> > > > > than simply Alliance members. This specification is a result of that
> > > > > wider effort.
> > > > >
> > > > > Web Authentication defines a way to use credentials from a secure
> > > > > element to authenticate to web applications using public key
> > > > > cryptography. As with FIDO U2F, the browser’s role is mainly to
> > > > > provide the interface between the secure element (such as a USB
> > > > > dongle) and the web application, and to enforce a scoped security
> > > > > model to bind the resulting attestation to the specific web
> > > > > application.
> > > > >
> > > > > Web Authentication support is currently in development for Microsoft
> > > > > Edge [4] [5]. Google Chrome’s support is also in-development. Several
> > > > > websites have deployed support for U2F, the predecessor to WebAuthn,
> > > > > including Gmail, Dropbox, and Github. Additionally, there are many
> > > > > U2F devices in use today which will function with the Web
> > > > > Authentication API.
> > > > >
> > > > > Proposed: To implement the Web Authentication API, with support for
> > > > > the USB U2F HID token attestation format.
> > > > >
> > > > > Please send comments on this proposal to the list no later than 21
> > > > > November 2016.
> > > > >
> > > > > [1] https://www.w3.org/blog/webauthn/
> > > > >
> > > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > > >
> > > > > [3] https://www.w3.org/TR/webauthn/
> > > > >
> > > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > > >
> > > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > > > >
> > > > > - J.C., Crypto Engineering
> > > >
> > > > Hi,
> > > >
> > > > the company I am working for is a small member of the FIDO alliance.
> > > > We are offering our own U2F USB HID tokens (and soon U2F BLE
> > > > devices...)
> > > >
> > > > As far as I know, there are still several debates inside the Alliance
> > > > but until recently it was never clearly stated that present U2F
> > > > tokens/devices will be compatible with the next W3C WebAuthN (I rather
> > > > understood the contrary as there was nothing about this point inside
> > > > the public W3C drafts)
> > > >
> > > > So, do you have new/other information to back your proposition:
> > > > "Proposed: To implement the Web Authentication API, with support for
> > > > the USB U2F HID token attestation format."
> > > >
> > > > Did I miss something? (that's possible, communication is kind of messy
> > > > inside the Alliance...)
> > > > _______________________________________________
> > > > dev-platform mailing list
> > > > https://lists.mozilla.org/listinfo/dev-platform
> > > >
> >
> > hi JC,
> >
> > I just realized that you are jcj_moz inside the webauthn minutes I am
> > reading every week. I followed parts of the debates about CTAP, U2F
> > attestation... and how it appears and disappears on main W3C drafts... I
> > even read
> > https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf
> > and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID
> > and BT... (I ammmm goingggg slightllyyy maaaad)
> >
> > Since you seem to have a better perspective on these points, would you be
> > kind enough to explain how U2F will be dealt with to be compatible with
> > WebAuthN architecture? Thanx!
>
> oh I got it now... it seems there was a change of direction in CTAP 1.1 to
> be now compatible with U2F... so regarding CTAP 1.1 (and not CTAP 2.0),
> CTAP HID <=> U2F USB, CTAP NFC <=> U2F NFC and CTAP BT <=> U2F BT...
>
> and "Channel ID" MITM protection is now replaced by "Token Binding ID" but
> it should stay compatible too...
>
> So now, you'll have to finalize CTAP 1.1 (and U2F BT by the way)
>
> Am I correct on this ?