Re: Intent to implement and ship: Web Authentication
Hi J.C.!

Thanks for your extensive answer! Seems like there is a lot of progress going on that wasn't immediately obvious from bugzilla. I am looking forward to seeing this land.

Thank you,
Tom

On Wed, Apr 12, 2017 at 2:46 AM, J.C. Jones wrote:
> Tom,
>
> We're making progress on supporting the USB U2F HID token attestation format; before the actual U2F/HID code starts appearing in-tree, there's had to be some refactoring to handle things in a proper asynchronous way -- which is nearing review.
>
> I'm working on that USB U2F support for OSX right now; Linux support is also looking pretty OK, and we're planning to get Windows this quarter, too.
>
> Independently, we're waiting on updating our Web Authentication implementation from the WD-02 version currently in-tree, expecting a significant refactor to happen aligning the way you use Web Authentication with the W3C Credential Management specification. There's ongoing discussion [1] and currently one pull request [2] to do that. That's primarily why we haven't moved forward to the WD-04 draft yet - and we're working on the HID support.
>
> That said, we're still planning on exposing the USB U2F security key-type devices only through the W3C Web Authentication API by default -- the older FIDO U2F API that is currently hidden behind the `security.webauth.u2f` preference [3] we're currently planning to keep hidden. It doesn't implement the "Low-level MessagePort API", which makes some sites that depend on Chrome's u2f-api.js behave oddly.
>
> [1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
> [2] https://github.com/w3c/webauthn/pull/384
> [3] (and also the `security.webauth.u2f_enable_softtoken` preference, since there's no USB support in-tree yet)
>
> Cheers,
> J.C.
>
> On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster wrote:
> > So what's our status with regards to implementing FIDO u2f? I really would like to use my security key natively in Firefox.
> >
> > Best,
> > Tom
> >
> > On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > > > Anders,
> > > >
> > > > The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the dom::WebAuthentication class.
> > >
> > > That's great news!
> > >
> > > Regards,
> > > Anders
> > >
> > > > Cheers,
> > > > J.C.
> > > >
> > > > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > > > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> > > >
> > > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > > > It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.
> > > > >
> > > > > Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.
> > > > >
> > > > > On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.
> > > > >
> > > > > That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.
> > > > >
> > > > > Maybe this is a project primarily targeting the desktop?

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to implement and ship: Web Authentication
Tom,

We're making progress on supporting the USB U2F HID token attestation format; before the actual U2F/HID code starts appearing in-tree, there's had to be some refactoring to handle things in a proper asynchronous way -- which is nearing review.

I'm working on that USB U2F support for OSX right now; Linux support is also looking pretty OK, and we're planning to get Windows this quarter, too.

Independently, we're waiting on updating our Web Authentication implementation from the WD-02 version currently in-tree, expecting a significant refactor to happen aligning the way you use Web Authentication with the W3C Credential Management specification. There's ongoing discussion [1] and currently one pull request [2] to do that. That's primarily why we haven't moved forward to the WD-04 draft yet - and we're working on the HID support.

That said, we're still planning on exposing the USB U2F security key-type devices only through the W3C Web Authentication API by default -- the older FIDO U2F API that is currently hidden behind the `security.webauth.u2f` preference [3] we're currently planning to keep hidden. It doesn't implement the "Low-level MessagePort API", which makes some sites that depend on Chrome's u2f-api.js behave oddly.

[1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
[2] https://github.com/w3c/webauthn/pull/384
[3] (and also the `security.webauth.u2f_enable_softtoken` preference, since there's no USB support in-tree yet)

Cheers,
J.C.

On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster wrote:
> So what's our status with regards to implementing FIDO u2f? I really would like to use my security key natively in Firefox.
>
> Best,
> Tom
>
> On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > > Anders,
> > >
> > > The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the dom::WebAuthentication class.
> >
> > That's great news!
> >
> > Regards,
> > Anders
> >
> > > Cheers,
> > > J.C.
> > >
> > > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> > >
> > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > > It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.
> > > >
> > > > Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.
> > > >
> > > > On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.
> > > >
> > > > That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.
> > > >
> > > > Maybe this is a project primarily targeting the desktop?
Re: Intent to implement and ship: Web Authentication
So what's our status with regards to implementing FIDO u2f? I really would like to use my security key natively in Firefox.

Best,
Tom

On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > Anders,
> >
> > The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the dom::WebAuthentication class.
>
> That's great news!
>
> Regards,
> Anders
>
> > Cheers,
> > J.C.
> >
> > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> >
> > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.
> > >
> > > Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.
> > >
> > > On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.
> > >
> > > That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.
> > >
> > > Maybe this is a project primarily targeting the desktop?
Re: Intent to implement and ship: Web Authentication
On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> Anders,
>
> The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the dom::WebAuthentication class.

That's great news!

Regards,
Anders

> Cheers,
> J.C.
>
> [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> [2] https://w3c.github.io/webauthn/#android-key-attestation
> [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
>
> On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.
> >
> > Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.
> >
> > On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.
> >
> > That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.
> >
> > Maybe this is a project primarily targeting the desktop?
Re: Intent to implement and ship: Web Authentication
Anders,

The first target I'm working on is Desktop, though I've plans in 2017 to support WebAuthn on Android and iOS [1], too. WebAuthn already has definitions suitable for Android's Key Attestation [2] and SafetyNet formats [3], so they'll need implementations that tie into the dom::WebAuthentication class.

Cheers,
J.C.

[1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
[2] https://w3c.github.io/webauthn/#android-key-attestation
[3] https://w3c.github.io/webauthn/#android-safetynet-attestation

On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <anders.rundgren@gmail.com> wrote:
> On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.
>
> Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.
>
> On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.
>
> That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.
>
> Maybe this is a project primarily targeting the desktop?
Re: Intent to implement and ship: Web Authentication
On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.

Slight clarification to the above: The IoT folks pretty much build 100% on embedded security with car-keys as an obvious exception.

On mobile I would say that over 99% of all existing security solutions based on cryptographic keys are relying on embedded (or "App level") keys with Apple Pay as the most advanced example.

That is, the token vendors and security folks do not represent the actual market comprising of end-users and service providers.

Maybe this is a project primarily targeting the desktop?
Re: Intent to implement and ship: Web Authentication
It is a pity that external tokens have become the focus when the majority will rather rely on embedded security solutions which nowadays is a standard feature in Android and Windows platforms.

On Tuesday, November 15, 2016 at 8:47:49 PM UTC+1, JC Jones wrote:
> Apologies, this got caught in a filter. Re-sending for posterity on the list.
>
> -- Forwarded message --
> From: J.C. Jones
> Date: Tue, Nov 15, 2016 at 12:01 PM
> Subject: Re: Intent to implement and ship: Web Authentication
> To: berniepa...@gmail.com
> Cc: dev-platform@lists.mozilla.org
>
> Hey Bernie,
>
> That's one possibility, but I expect WebAuthn to support the U2F attestation payloads in its MakeCredential and GetAssertion calls, and then Firefox will implement the U2F HID protocol initially rather than jumping to CTAP v1.1.
>
> Cheers,
> J.C.
>
> On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:
> > On Monday, November 14, 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> > > On Monday, November 14, 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > > > Bernie,
> > > >
> > > > You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
> > > >
> > > > I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > > >
> > > > [1] https://github.com/w3c/webauthn/issues/214
> > > > [2] https://github.com/w3c/webauthn/milestone/8
> > > >
> > > > Cheers!
> > > > J.C.
> > > >
> > > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > > > > On Friday, November 11, 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > > > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> > > > > >
> > > > > > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> > > > > >
> > > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> > > > > >
> > > > > > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> > > > > >
> > > > > > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-developmen
Fwd: Intent to implement and ship: Web Authentication
Apologies, this got caught in a filter. Re-sending for posterity on the list.

-- Forwarded message --
From: J.C. Jones
Date: Tue, Nov 15, 2016 at 12:01 PM
Subject: Re: Intent to implement and ship: Web Authentication
To: berniepa...@gmail.com
Cc: dev-platform@lists.mozilla.org

Hey Bernie,

That's one possibility, but I expect WebAuthn to support the U2F attestation payloads in its MakeCredential and GetAssertion calls, and then Firefox will implement the U2F HID protocol initially rather than jumping to CTAP v1.1.

Cheers,
J.C.

On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:
> On Monday, November 14, 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> > On Monday, November 14, 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > > Bernie,
> > >
> > > You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
> > >
> > > I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > >
> > > [1] https://github.com/w3c/webauthn/issues/214
> > > [2] https://github.com/w3c/webauthn/milestone/8
> > >
> > > Cheers!
> > > J.C.
> > >
> > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > > > On Friday, November 11, 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> > > > >
> > > > > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> > > > >
> > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> > > > >
> > > > > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> > > > >
> > > > > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
> > > > >
> > > > > Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
> > > > >
> > > > > Please send comments on this proposal to the list no later than 21 November 2016.
Re: Intent to implement and ship: Web Authentication
On Monday, November 14, 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> On Monday, November 14, 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > Bernie,
> >
> > You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
> >
> > I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> >
> > [1] https://github.com/w3c/webauthn/issues/214
> > [2] https://github.com/w3c/webauthn/milestone/8
> >
> > Cheers!
> > J.C.
> >
> > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > > On Friday, November 11, 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> > > >
> > > > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> > > >
> > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> > > >
> > > > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> > > >
> > > > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
> > > >
> > > > Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
> > > >
> > > > Please send comments on this proposal to the list no later than 21 November 2016.
> > > >
> > > > [1] https://www.w3.org/blog/webauthn/
> > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > > [3] https://www.w3.org/TR/webauthn/
> > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > > >
> > > > - J.C., Crypto Engineering
> > >
> > > Hi,
> > >
> > > the company I am working for is a small member of the FIDO alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> > >
> > > As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)
> > >
> > > So, do you have new/other information to back your proposition: "Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format."
> > >
> > > Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)
>
> hi JC,
>
> I just realize that you are jcj_moz inside webauthn minutes I am reading every week. I followed parts of the debates about CTAP, U2F attestation... and how it appears and disappears on main
Re: Intent to implement and ship: Web Authentication
On Monday, November 14, 2016 at 18:34:11 UTC+1, JC Jones wrote:
> Bernie,
>
> You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
>
> I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.
>
> [1] https://github.com/w3c/webauthn/issues/214
> [2] https://github.com/w3c/webauthn/milestone/8
>
> Cheers!
> J.C.
>
> On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > On Friday, November 11, 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> > >
> > > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> > >
> > > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> > >
> > > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> > >
> > > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
> > >
> > > Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
> > >
> > > Please send comments on this proposal to the list no later than 21 November 2016.
> > >
> > > [1] https://www.w3.org/blog/webauthn/
> > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > [3] https://www.w3.org/TR/webauthn/
> > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > >
> > > - J.C., Crypto Engineering
> >
> > Hi,
> >
> > the company I am working for is a small member of the FIDO alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> >
> > As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)
> >
> > So, do you have new/other information to back your proposition: "Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format."
> >
> > Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)

hi JC,

I just realize that you are jcj_moz inside webauthn minutes I am reading every week. I followed parts of the debates about CTAP, U2F attestation... and how it appears and disappears on main W3C drafts... I even read https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and BT... (I a goin slightllyyy md)

Since you seem to have a better perspective on these points, would you be kind enough to explain how U2F
Re: Intent to implement and ship: Web Authentication
Bernie,

You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.

I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices.

[1] https://github.com/w3c/webauthn/issues/214
[2] https://github.com/w3c/webauthn/milestone/8

Cheers!
J.C.

On Sun, Nov 13, 2016 at 4:36 PM, wrote:

> On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
> >
> > We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
> >
> > Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
> >
> > Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
> >
> > Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
> >
> > Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
> >
> > Please send comments on this proposal to the list no later than 21 November 2016.
> >
> > [1] https://www.w3.org/blog/webauthn/
> > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > [3] https://www.w3.org/TR/webauthn/
> > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> >
> > - J.C., Crypto Engineering
>
> Hi,
>
> the company I am working for is a small member of the FIDO alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
>
> As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)
>
> So, do you have new/other information to back your proposition:
> "Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format."
>
> Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)
Re: Intent to implement and ship: Web Authentication
On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.
>
> We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.
>
> Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.
>
> Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.
>
> Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.
>
> Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.
>
> Please send comments on this proposal to the list no later than 21 November 2016.
>
> [1] https://www.w3.org/blog/webauthn/
> [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> [3] https://www.w3.org/TR/webauthn/
> [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
>
> - J.C., Crypto Engineering

Hi,

the company I am working for is a small member of the FIDO alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)

As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as there was nothing about this point inside the public W3C drafts)

So, do you have new/other information to back your proposition:
"Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format."

Did I miss something? (that's possible, communication is kind of messy inside the Alliance...)
Intent to implement and ship: Web Authentication
The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web-focus to the final result.

We have been tracking the Web Authentication standard since last year’s FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way. We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.

Background: The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.

Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser’s role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.

Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome’s support is also in-development. Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.

Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format.

Please send comments on this proposal to the list no later than 21 November 2016.

[1] https://www.w3.org/blog/webauthn/
[2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
[3] https://www.w3.org/TR/webauthn/
[4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
[5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth

- J.C., Crypto Engineering
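The scoped security model described in the announcement above, as an added sketch that is not part of the original thread or of Mozilla's code: the browser writes the origin it actually loaded into the signed data, and the relying party rejects anything scoped elsewhere. The signed layout follows the FIDO U2F authentication message; the function names, origins, challenge and the single shared key pair are assumptions constructed for illustration, and the appId is assumed to equal the origin.

```javascript
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();

// Token: signs appParam || presence(1) || counter(4, big-endian) || challengeParam.
function tokenSign(privateKey, appParam, challengeParam, counter) {
  const head = Buffer.alloc(5);
  head.writeUInt8(0x01, 0);            // user presence confirmed
  head.writeUInt32BE(counter, 1);
  const signature = crypto.sign('sha256', Buffer.concat([appParam, head, challengeParam]), privateKey);
  return { head, signature };
}

// Browser: fills in the origin it actually loaded; page script cannot choose it.
function browserGetAssertion(privateKey, actualOrigin, challenge, counter) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: actualOrigin });
  return { clientData, ...tokenSign(privateKey, sha256(actualOrigin), sha256(clientData), counter) };
}

// Relying party: checks scope, signature, presence and freshness, in that order.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, lastCounter, a) {
  const cd = JSON.parse(a.clientData);
  if (cd.origin !== expectedOrigin) return 'origin mismatch';
  if (cd.challenge !== expectedChallenge) return 'challenge mismatch';
  const signed = Buffer.concat([sha256(expectedOrigin), a.head, sha256(a.clientData)]);
  if (!crypto.verify('sha256', signed, publicKey, a.signature)) return 'bad signature';
  if ((a.head.readUInt8(0) & 0x01) === 0) return 'no user presence';
  if (a.head.readUInt32BE(1) <= lastCounter) return 'counter replay';
  return 'ok';
}

function demo() {
  // Constructed sample values: key pair (NIST P-256), origins and challenge are made up.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const rp = 'https://login.example', lookalike = 'https://login-example.test';
  const challenge = crypto.randomBytes(32).toString('base64');
  const good = browserGetAssertion(privateKey, rp, challenge, 6);
  const relayed = browserGetAssertion(privateKey, lookalike, challenge, 7);
  // Rewriting the origin after signing changes the hashes the token signed over.
  const forged = { ...relayed, clientData: relayed.clientData.replace(lookalike, rp) };
  return {
    genuine: verifyAssertion(publicKey, rp, challenge, 5, good),
    lookalike: verifyAssertion(publicKey, rp, challenge, 5, relayed),
    tampered: verifyAssertion(publicKey, rp, challenge, 5, forged),
    replayed: verifyAssertion(publicKey, rp, challenge, 6, good),
  };
}

console.log(demo());
```

A real U2F token also binds each key handle to the application parameter it was registered under, so it would not sign for a different origin with the same key at all; the sketch reuses one key only to isolate the relying-party checks.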