On 03/25/2016 05:33 AM, Tom Ritter wrote:
> In the web browser context, I'm pretty sure you don't control the app
> id - it's determined from the origin in the web browser and passed to
> the dongle. If you could control it, it would be trivial to do
> cooperative cross-origin tracking.

I think that is correct, although I am puzzled why the JavaScript API lets you specify the app id. Regardless, I mostly have in mind non-browser applications (Soledad is currently written in Python).

To the question of why not just use a random seed stored on a thumb drive? In summary:

* with u2f, you get access to a wide variety of devices. Although these are not available yet, there will probably be bracelets, rings, watches, etc. that communicate via NFC.
* if u2f takes off, many users are likely to have a u2f device already, so it would be nice to take advantage of that.
* for browser-based apps, it is a smoother and more secure user experience to use u2f than to require that they load a file from a USB volume.
* for non-browser apps, you could possibly create hard-to-guess app ids in order to make password attempts very expensive.

-elijah
