Re: Intent to implement and ship: Web Authentication

2017-04-12 Thread Tom Schuster
Hi J.C.!

Thanks for your extensive answer! Seems like there is a lot of progress
going on that wasn't immediately obvious from bugzilla. I am looking
forward to seeing this land.

Thank you,
Tom

On Wed, Apr 12, 2017 at 2:46 AM, J.C. Jones wrote:

> Tom,
>
> We're making progress on supporting the USB U2F HID token attestation
> format; before the actual U2F/HID code starts appearing in-tree, there's
> had to be some refactoring to handle things in a proper asynchronous way --
> which is nearing review.
>
> I'm working on that USB U2F support for OSX right now; Linux support is
> also looking pretty OK, and we're planning to get Windows this quarter, too.
>
> Independently, we're waiting on updating our Web Authentication
> implementation from the WD-02 version currently in-tree, expecting a
> significant refactor to happen aligning the way you use Web Authentication
> with the W3C Credential Management specification. There's ongoing
> discussion [1] and currently one pull request [2] to do that. That's
> primarily why we haven't moved forward to the WD-04 draft yet - and we're
> working on the HID support.
>
> That said, we're still planning on exposing the USB U2F security key-type
> devices only through the W3C Web Authentication API by default -- the older
> FIDO U2F API that is currently hidden behind the `security.webauth.u2f`
> preference [3] we're currently planning to keep hidden. It doesn't
> implement the "Low-level MessagePort API", which makes some sites that
> depend on Chrome's u2f-api.js behave oddly.
>
>
> [1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
> [2] https://github.com/w3c/webauthn/pull/384
> [3] (and also the `security.webauth.u2f_enable_softtoken` preference,
> since there's no USB support in-tree yet)
>
> Cheers,
> J.C.
>
> On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster wrote:
>
>> So what's our status with regards to implementing FIDO u2f? I really would
>> like to use my security key natively in Firefox.
>>
>> Best,
>> Tom
>>
>> On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <
>> anders.rundgren@gmail.com> wrote:
>>
>> > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
>> > > Anders,
>> > >
>> > > The first target I'm working on is Desktop, though I've plans in 2017 to
>> > > support WebAuthn on Android and iOS [1], too. WebAuthn already has
>> > > definitions suitable for Android's Key Attestation [2] and SafetyNet
>> > > formats [3], so they'll need implementations that tie into the
>> > > dom::WebAuthentication class.
>> >
>> > That's great news!
>> >
>> > Regards,
>> > Anders
>> >
>> > >
>> > > Cheers,
>> > > J.C.
>> > >
>> > > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
>> > > [2] https://w3c.github.io/webauthn/#android-key-attestation
>> > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
>> > >
>> > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
>> > > anders.rundgren@gmail.com> wrote:
>> > >
>> > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
>> > > > > It is a pity that external tokens have become the
>> > > > > focus when the majority will rather rely on embedded
>> > > > > security solutions which nowadays is a standard feature
>> > > > > in Android and Windows platforms.
>> > > >
>> > > > Slight clarification to the above: The IoT folks pretty much build 100% on
>> > > > embedded security with car-keys as an obvious exception.
>> > > >
>> > > > On mobile I would say that over 99% of all existing security solutions
>> > > > based on cryptographic keys are relying on embedded (or "App level") keys
>> > > > with Apple Pay as the most advanced example.
>> > > >
>> > > > That is, the token vendors and security folks do not represent the actual
>> > > > market comprising of end-users and service providers.
>> > > >
>> > > > Maybe this is a project primarily targeting the desktop?
>> > > > ___
>> > > > dev-platform mailing list
>> > > > dev-platform@lists.mozilla.org
>> > > > https://lists.mozilla.org/listinfo/dev-platform
>> > > >
>> >
>> >
>>
>
>


Re: Intent to implement and ship: Web Authentication

2017-04-11 Thread J.C. Jones
Tom,

We're making progress on supporting the USB U2F HID token attestation
format; before the actual U2F/HID code starts appearing in-tree, there's
had to be some refactoring to handle things in a proper asynchronous way --
which is nearing review.

I'm working on that USB U2F support for OSX right now; Linux support is
also looking pretty OK, and we're planning to get Windows this quarter, too.

Independently, we're waiting on updating our Web Authentication
implementation from the WD-02 version currently in-tree, expecting a
significant refactor to happen aligning the way you use Web Authentication
with the W3C Credential Management specification. There's ongoing
discussion [1] and currently one pull request [2] to do that. That's
primarily why we haven't moved forward to the WD-04 draft yet - and we're
working on the HID support.

That said, we're still planning on exposing the USB U2F security key-type
devices only through the W3C Web Authentication API by default -- the older
FIDO U2F API that is currently hidden behind the `security.webauth.u2f`
preference [3] we're currently planning to keep hidden. It doesn't
implement the "Low-level MessagePort API", which makes some sites that
depend on Chrome's u2f-api.js behave oddly.


[1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
[2] https://github.com/w3c/webauthn/pull/384
[3] (and also the `security.webauth.u2f_enable_softtoken` preference, since
there's no USB support in-tree yet)

Cheers,
J.C.

On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster wrote:

> So what's our status with regards to implementing FIDO u2f? I really would
> like to use my security key natively in Firefox.
>
> Best,
> Tom
>
> On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <
> anders.rundgren@gmail.com> wrote:
>
> > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > > Anders,
> > >
> > > The first target I'm working on is Desktop, though I've plans in 2017 to
> > > support WebAuthn on Android and iOS [1], too. WebAuthn already has
> > > definitions suitable for Android's Key Attestation [2] and SafetyNet
> > > formats [3], so they'll need implementations that tie into the
> > > dom::WebAuthentication class.
> >
> > That's great news!
> >
> > Regards,
> > Anders
> >
> > >
> > > Cheers,
> > > J.C.
> > >
> > > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> > >
> > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
> > > anders.rundgren@gmail.com> wrote:
> > >
> > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > > It is a pity that external tokens have become the
> > > > > focus when the majority will rather rely on embedded
> > > > > security solutions which nowadays is a standard feature
> > > > > in Android and Windows platforms.
> > > >
> > > > Slight clarification to the above: The IoT folks pretty much build 100% on
> > > > embedded security with car-keys as an obvious exception.
> > > >
> > > > On mobile I would say that over 99% of all existing security solutions
> > > > based on cryptographic keys are relying on embedded (or "App level") keys
> > > > with Apple Pay as the most advanced example.
> > > >
> > > > That is, the token vendors and security folks do not represent the actual
> > > > market comprising of end-users and service providers.
> > > >
> > > > Maybe this is a project primarily targeting the desktop?
> > > >
> >
> >
>


Re: Intent to implement and ship: Web Authentication

2017-04-11 Thread Tom Schuster
So what's our status with regards to implementing FIDO u2f? I really would
like to use my security key natively in Firefox.

Best,
Tom

On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <
anders.rundgren@gmail.com> wrote:

> On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > Anders,
> >
> > The first target I'm working on is Desktop, though I've plans in 2017 to
> > support WebAuthn on Android and iOS [1], too. WebAuthn already has
> > definitions suitable for Android's Key Attestation [2] and SafetyNet
> > formats [3], so they'll need implementations that tie into the
> > dom::WebAuthentication class.
>
> That's great news!
>
> Regards,
> Anders
>
> >
> > Cheers,
> > J.C.
> >
> > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> >
> > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
> > anders.rundgren@gmail.com> wrote:
> >
> > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > It is a pity that external tokens have become the
> > > > focus when the majority will rather rely on embedded
> > > > security solutions which nowadays is a standard feature
> > > > in Android and Windows platforms.
> > >
> > > Slight clarification to the above: The IoT folks pretty much build 100% on
> > > embedded security with car-keys as an obvious exception.
> > >
> > > On mobile I would say that over 99% of all existing security solutions
> > > based on cryptographic keys are relying on embedded (or "App level") keys
> > > with Apple Pay as the most advanced example.
> > >
> > > That is, the token vendors and security folks do not represent the actual
> > > market comprising of end-users and service providers.
> > >
> > > Maybe this is a project primarily targeting the desktop?
> > >
>
>


Re: Intent to implement and ship: Web Authentication

2016-12-02 Thread Anders Rundgren
On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> Anders,
> 
> The first target I'm working on is Desktop, though I've plans in 2017 to
> support WebAuthn on Android and iOS [1], too. WebAuthn already has
> definitions suitable for Android's Key Attestation [2] and SafetyNet
> formats [3], so they'll need implementations that tie into the
> dom::WebAuthentication class.

That's great news!

Regards,
Anders

> 
> Cheers,
> J.C.
> 
> [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> [2] https://w3c.github.io/webauthn/#android-key-attestation
> [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> 
> On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
> anders.rundgren@gmail.com> wrote:
> 
> > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > It is a pity that external tokens have become the
> > > focus when the majority will rather rely on embedded
> > > security solutions which nowadays is a standard feature
> > > in Android and Windows platforms.
> >
> > Slight clarification to the above: The IoT folks pretty much build 100% on
> > embedded security with car-keys as an obvious exception.
> >
> > On mobile I would say that over 99% of all existing security solutions
> > based on cryptographic keys are relying on embedded (or "App level") keys
> > with Apple Pay as the most advanced example.
> >
> > That is, the token vendors and security folks do not represent the actual
> > market comprising of end-users and service providers.
> >
> > Maybe this is a project primarily targeting the desktop?
> >



Re: Intent to implement and ship: Web Authentication

2016-12-02 Thread J.C. Jones
Anders,

The first target I'm working on is Desktop, though I've plans in 2017 to
support WebAuthn on Android and iOS [1], too. WebAuthn already has
definitions suitable for Android's Key Attestation [2] and SafetyNet
formats [3], so they'll need implementations that tie into the
dom::WebAuthentication class.

Cheers,
J.C.

[1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
[2] https://w3c.github.io/webauthn/#android-key-attestation
[3] https://w3c.github.io/webauthn/#android-safetynet-attestation

On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
anders.rundgren@gmail.com> wrote:

> On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > It is a pity that external tokens have become the
> > focus when the majority will rather rely on embedded
> > security solutions which nowadays is a standard feature
> > in Android and Windows platforms.
>
> Slight clarification to the above: The IoT folks pretty much build 100% on
> embedded security with car-keys as an obvious exception.
>
> On mobile I would say that over 99% of all existing security solutions
> based on cryptographic keys are relying on embedded (or "App level") keys
> with Apple Pay as the most advanced example.
>
> That is, the token vendors and security folks do not represent the actual
> market comprising of end-users and service providers.
>
> Maybe this is a project primarily targeting the desktop?
>


Re: Intent to implement and ship: Web Authentication

2016-11-30 Thread Anders Rundgren
On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> It is a pity that external tokens have become the
> focus when the majority will rather rely on embedded
> security solutions which nowadays is a standard feature
> in Android and Windows platforms.

Slight clarification to the above: The IoT folks pretty much build 100% on 
embedded security with car-keys as an obvious exception.

On mobile I would say that over 99% of all existing security solutions based on 
cryptographic keys are relying on embedded (or "App level") keys with Apple Pay 
as the most advanced example.

That is, the token vendors and security folks do not represent the actual 
market comprising of end-users and service providers.

Maybe this is a project primarily targeting the desktop?


Re: Intent to implement and ship: Web Authentication

2016-11-30 Thread Anders Rundgren
It is a pity that external tokens have become the focus when the majority will 
rather rely on embedded security solutions which nowadays is a standard feature 
in Android and Windows platforms.

On Tuesday, November 15, 2016 at 8:47:49 PM UTC+1, JC Jones wrote:
> Apologies, this got caught in a filter. Re-sending for posterity on the
> list.
> -- Forwarded message --
> From: J.C. Jones
> Date: Tue, Nov 15, 2016 at 12:01 PM
> Subject: Re: Intent to implement and ship: Web Authentication
> To: berniepa...@gmail.com
> Cc: dev-platform@lists.mozilla.org
> 
> 
> Hey Bernie,
> 
> That's one possibility, but I expect WebAuthn to support the U2F
> attestation payloads in its MakeCredential and GetAssertion calls, and then
> Firefox will implement the U2F HID protocol initially rather than jumping
> to CTAP v1.1.
> 
> Cheers,
> J.C.
> 
> On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:
> 
> > On Monday, November 14, 2016 at 10:41:37 PM UTC+1, berni...@gmail.com wrote:
> > > On Monday, November 14, 2016 at 6:34:11 PM UTC+1, JC Jones wrote:
> > > > Bernie,
> > > >
> > > > You're right that the current WD does not contain the "U2F HID token"
> > > > attestation format, but the WG is _intending_ to add it [1] -- and support
> > > > for such devices -- in Working Draft 4 [2] as soon as a larger in-document
> > > > refactor is complete.
> > > >
> > > > I won't guarantee success at this point, but I believe it likely that
> > > > WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > > >
> > > > [1] https://github.com/w3c/webauthn/issues/214
> > > > [2] https://github.com/w3c/webauthn/milestone/8
> > > >
> > > > Cheers!
> > > > J.C.
> > > >
> > > >
> > > >
> > > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > > >
> > > > > On Friday, November 11, 2016 at 10:18:58 PM UTC+1, JC Jones wrote:
> > > > > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > > > > browser-facing standard for using strong, cryptographic scoped credentials
> > > > > > to authenticate to web applications in an un-phishable way. The Working
> > > > > > Group began working from specifications produced by the FIDO Alliance, but
> > > > > > through the W3C process ensured there was a web-focus to the final result.
> > > > > >
> > > > > > We have been tracking the Web Authentication standard since last year’s
> > > > > > FIDO U2F announcement [2], and we believe Web Authentication provides a
> > > > > > valuable augmentation to web application security in an inclusive way. We
> > > > > > are proposing to implement the current draft specification for Web
> > > > > > Authentication [3], and then track the evolution through to its final
> > > > > > Recommendation state.
> > > > > >
> > > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the
> > > > > > work of providing augmented security to user logins across the Web. We
> > > > > > encouraged FIDO to evolve their browser specifications within the W3C, to
> > > > > > enable larger community involvement than simply Alliance members. This
> > > > > > specification is a result of that wider effort.
> > > > > >
> > > > > > Web Authentication defines a way to use credentials from a secure element
> > > > > > to authenticate to web applications using public key cryptography. As with
> > > > > > FIDO U2F, the browser’s role is mainly to provide the interface between the
> > > > > > secure element (such as a USB dongle) and the web application, and to
> > > > > > enforce a scoped security model to bind the resulting attestation to the
> > > > > > specific web application.
> > > > > >
> > > > > > Web Authentication support is currently in development for Microsoft Edge
> > > > > > [4] [5]. Google Chrome’s support is also in-developmen

Fwd: Intent to implement and ship: Web Authentication

2016-11-15 Thread J.C. Jones
Apologies, this got caught in a filter. Re-sending for posterity on the
list.
-- Forwarded message --
From: J.C. Jones
Date: Tue, Nov 15, 2016 at 12:01 PM
Subject: Re: Intent to implement and ship: Web Authentication
To: berniepa...@gmail.com
Cc: dev-platform@lists.mozilla.org


Hey Bernie,

That's one possibility, but I expect WebAuthn to support the U2F
attestation payloads in its MakeCredential and GetAssertion calls, and then
Firefox will implement the U2F HID protocol initially rather than jumping
to CTAP v1.1.

Cheers,
J.C.

On Mon, Nov 14, 2016 at 6:08 PM, <berniepa...@gmail.com> wrote:

> On Monday, November 14, 2016 at 10:41:37 PM UTC+1, berni...@gmail.com wrote:
> > On Monday, November 14, 2016 at 6:34:11 PM UTC+1, JC Jones wrote:
> > > Bernie,
> > >
> > > You're right that the current WD does not contain the "U2F HID token"
> > > attestation format, but the WG is _intending_ to add it [1] -- and support
> > > for such devices -- in Working Draft 4 [2] as soon as a larger in-document
> > > refactor is complete.
> > >
> > > I won't guarantee success at this point, but I believe it likely that
> > > WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > >
> > > [1] https://github.com/w3c/webauthn/issues/214
> > > [2] https://github.com/w3c/webauthn/milestone/8
> > >
> > > Cheers!
> > > J.C.
> > >
> > >
> > >
> > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > >
> > > > On Friday, November 11, 2016 at 10:18:58 PM UTC+1, JC Jones wrote:
> > > > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > > > browser-facing standard for using strong, cryptographic scoped credentials
> > > > > to authenticate to web applications in an un-phishable way. The Working
> > > > > Group began working from specifications produced by the FIDO Alliance, but
> > > > > through the W3C process ensured there was a web-focus to the final result.
> > > > >
> > > > > We have been tracking the Web Authentication standard since last year’s
> > > > > FIDO U2F announcement [2], and we believe Web Authentication provides a
> > > > > valuable augmentation to web application security in an inclusive way. We
> > > > > are proposing to implement the current draft specification for Web
> > > > > Authentication [3], and then track the evolution through to its final
> > > > > Recommendation state.
> > > > >
> > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the
> > > > > work of providing augmented security to user logins across the Web. We
> > > > > encouraged FIDO to evolve their browser specifications within the W3C, to
> > > > > enable larger community involvement than simply Alliance members. This
> > > > > specification is a result of that wider effort.
> > > > >
> > > > > Web Authentication defines a way to use credentials from a secure element
> > > > > to authenticate to web applications using public key cryptography. As with
> > > > > FIDO U2F, the browser’s role is mainly to provide the interface between the
> > > > > secure element (such as a USB dongle) and the web application, and to
> > > > > enforce a scoped security model to bind the resulting attestation to the
> > > > > specific web application.
> > > > >
> > > > > Web Authentication support is currently in development for Microsoft Edge
> > > > > [4] [5]. Google Chrome’s support is also in-development. Several websites
> > > > > have deployed support for U2F, the predecessor to WebAuthn, including
> > > > > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
> > > > > today which will function with the Web Authentication API.
> > > > >
> > > > > Proposed: To implement the Web Authentication API, with support for the USB
> > > > > U2F HID token attestation format.
> > > > >
> > > > > Please send comments on this proposal to the list no later than 21 November
> > > > > 2016.
> > > >

Re: Intent to implement and ship: Web Authentication

2016-11-14 Thread berniepavel
On Monday, November 14, 2016 at 10:41:37 PM UTC+1, berni...@gmail.com wrote:
> On Monday, November 14, 2016 at 6:34:11 PM UTC+1, JC Jones wrote:
> > Bernie,
> > 
> > You're right that the current WD does not contain the "U2F HID token"
> > attestation format, but the WG is _intending_ to add it [1] -- and support
> > for such devices -- in Working Draft 4 [2] as soon as a larger in-document
> > refactor is complete.
> > 
> > I won't guarantee success at this point, but I believe it likely that
> > WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> > 
> > [1] https://github.com/w3c/webauthn/issues/214
> > [2] https://github.com/w3c/webauthn/milestone/8
> > 
> > Cheers!
> > J.C.
> > 
> > 
> > 
> > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> > 
> > > On Friday, November 11, 2016 at 10:18:58 PM UTC+1, JC Jones wrote:
> > > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > > browser-facing standard for using strong, cryptographic scoped credentials
> > > > to authenticate to web applications in an un-phishable way. The Working
> > > > Group began working from specifications produced by the FIDO Alliance, but
> > > > through the W3C process ensured there was a web-focus to the final result.
> > > >
> > > > We have been tracking the Web Authentication standard since last year’s
> > > > FIDO U2F announcement [2], and we believe Web Authentication provides a
> > > > valuable augmentation to web application security in an inclusive way. We
> > > > are proposing to implement the current draft specification for Web
> > > > Authentication [3], and then track the evolution through to its final
> > > > Recommendation state.
> > > >
> > > > Background: The Mozilla Foundation joined the FIDO Alliance to support the
> > > > work of providing augmented security to user logins across the Web. We
> > > > encouraged FIDO to evolve their browser specifications within the W3C, to
> > > > enable larger community involvement than simply Alliance members. This
> > > > specification is a result of that wider effort.
> > > >
> > > > Web Authentication defines a way to use credentials from a secure element
> > > > to authenticate to web applications using public key cryptography. As with
> > > > FIDO U2F, the browser’s role is mainly to provide the interface between the
> > > > secure element (such as a USB dongle) and the web application, and to
> > > > enforce a scoped security model to bind the resulting attestation to the
> > > > specific web application.
> > > >
> > > > Web Authentication support is currently in development for Microsoft Edge
> > > > [4] [5]. Google Chrome’s support is also in-development. Several websites
> > > > have deployed support for U2F, the predecessor to WebAuthn, including
> > > > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
> > > > today which will function with the Web Authentication API.
> > > >
> > > > Proposed: To implement the Web Authentication API, with support for the USB
> > > > U2F HID token attestation format.
> > > >
> > > > Please send comments on this proposal to the list no later than 21 November
> > > > 2016.
> > > >
> > > > [1] https://www.w3.org/blog/webauthn/
> > > >
> > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > >
> > > > [3] https://www.w3.org/TR/webauthn/
> > > >
> > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > >
> > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > > > - J.C., Crypto Engineering
> > >
> > > Hi,
> > >
> > > the company I am working for is a small member of the FIDO alliance.
> > > We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> > >
> > > As far as I know, there are still several debates inside the Alliance but
> > > until recently it was never clearly stated that present U2F tokens/devices
> > > will be compatible with the next W3C WebAuthN (I rather understood the
> > > contrary as there was nothing about this point inside the public w3C drafts)
> > >
> > > So, do you have new/other information to back your proposition :
> > > "Proposed: To implement the Web Authentication API, with support for the USB
> > > U2F HID token attestation format."
> > >
> > > Did I miss something ? (that's possible, communication is kind of messy
> > > inside the Alliance...)
> > >
> 
> hi JC,
> 
> I just realize that you are jcj_moz inside webauthn minutes I am reading
> every week. I followed parts of the debates about CTAP, U2F attestation...
> and how it appears and disappears on main

Re: Intent to implement and ship: Web Authentication

2016-11-14 Thread berniepavel
On Monday, November 14, 2016 at 6:34:11 PM UTC+1, JC Jones wrote:
> Bernie,
> 
> You're right that the current WD does not contain the "U2F HID token"
> attestation format, but the WG is _intending_ to add it [1] -- and support
> for such devices -- in Working Draft 4 [2] as soon as a larger in-document
> refactor is complete.
> 
> I won't guarantee success at this point, but I believe it likely that
> WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> 
> [1] https://github.com/w3c/webauthn/issues/214
> [2] https://github.com/w3c/webauthn/milestone/8
> 
> Cheers!
> J.C.
> 
> 
> 
> On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> 
> > On Friday, November 11, 2016 at 10:18:58 PM UTC+1, JC Jones wrote:
> > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > browser-facing standard for using strong, cryptographic scoped credentials
> > > to authenticate to web applications in an un-phishable way. The Working
> > > Group began working from specifications produced by the FIDO Alliance, but
> > > through the W3C process ensured there was a web-focus to the final result.
> > >
> > > We have been tracking the Web Authentication standard since last year’s
> > > FIDO U2F announcement [2], and we believe Web Authentication provides a
> > > valuable augmentation to web application security in an inclusive way. We
> > > are proposing to implement the current draft specification for Web
> > > Authentication [3], and then track the evolution through to its final
> > > Recommendation state.
> > >
> > > Background: The Mozilla Foundation joined the FIDO Alliance to support the
> > > work of providing augmented security to user logins across the Web. We
> > > encouraged FIDO to evolve their browser specifications within the W3C, to
> > > enable larger community involvement than simply Alliance members. This
> > > specification is a result of that wider effort.
> > >
> > > Web Authentication defines a way to use credentials from a secure element
> > > to authenticate to web applications using public key cryptography. As with
> > > FIDO U2F, the browser’s role is mainly to provide the interface between the
> > > secure element (such as a USB dongle) and the web application, and to
> > > enforce a scoped security model to bind the resulting attestation to the
> > > specific web application.
> > >
> > > Web Authentication support is currently in development for Microsoft Edge
> > > [4] [5]. Google Chrome’s support is also in-development. Several websites
> > > have deployed support for U2F, the predecessor to WebAuthn, including
> > > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
> > > today which will function with the Web Authentication API.
> > >
> > > Proposed: To implement the Web Authentication API, with support for the USB
> > > U2F HID token attestation format.
> > >
> > > Please send comments on this proposal to the list no later than 21 November
> > > 2016.
> > >
> > > [1] https://www.w3.org/blog/webauthn/
> > >
> > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > >
> > > [3] https://www.w3.org/TR/webauthn/
> > >
> > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > >
> > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > >
> > > - J.C., Crypto Engineering
> >
> > Hi,
> >
> > the company I am working for is a small member of the FIDO alliance.
> > We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> >
> > As far as I know, there are still several debates inside the Alliance but
> > until recently it was never clearly stated that present U2F tokens/devices
> > will be compatible with the next W3C WebAuthN (I rather understood the
> > contrary as there was nothing about this point inside the public W3C drafts)
> >
> > So, do you have new/other information to back your proposition:
> > "Proposed: To implement the Web Authentication API, with support for the USB
> > U2F HID token attestation format."
> >
> > Did I miss something? (that's possible, communication is kind of messy
> > inside the Alliance...)
> > ___
> > dev-platform mailing list
> > https://lists.mozilla.org/listinfo/dev-platform
> >

hi JC,

I just realized that you are jcj_moz inside the webauthn minutes I am reading every 
week. I followed parts of the debates about CTAP, U2F attestation... and how 
it appears and disappears on main W3C drafts... I even read 
https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf
and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and 
BT... (I a goin slightllyyy md)

Since you seem to have a better perspective on these points, would you be kind 
enough to explain how U2F 

Re: Intent to implement and ship: Web Authentication

2016-11-14 Thread J.C. Jones
Bernie,

You're right that the current WD does not contain the "U2F HID token"
attestation format, but the WG is _intending_ to add it [1] -- and support
for such devices -- in Working Draft 4 [2] as soon as a larger in-document
refactor is complete.

I won't guarantee success at this point, but I believe it likely that
WebAuthn will ultimately support most fielded U2F HID-compliant devices.

[1] https://github.com/w3c/webauthn/issues/214
[2] https://github.com/w3c/webauthn/milestone/8

Cheers!
J.C.



On Sun, Nov 13, 2016 at 4:36 PM,  wrote:

> On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > The W3C Web Authentication Working Group [1] was formed to produce a
> > browser-facing standard for using strong, cryptographic scoped credentials
> > to authenticate to web applications in an un-phishable way. The Working
> > Group began working from specifications produced by the FIDO Alliance, but
> > through the W3C process ensured there was a web-focus to the final result.
> >
> > We have been tracking the Web Authentication standard since last year’s
> > FIDO U2F announcement [2],  and we believe Web Authentication provides a
> > valuable augmentation to web application security in an inclusive way. We
> > are proposing to implement the current draft specification for Web
> > Authentication [3], and then track the evolution through to its final
> > Recommendation state.
> >
> > Background: The Mozilla Foundation joined the FIDO Alliance to support the
> > work of providing augmented security to user logins across the Web. We
> > encouraged FIDO to evolve their browser specifications within the W3C, to
> > enable larger community involvement than simply Alliance members. This
> > specification is a result of that wider effort.
> >
> > Web Authentication defines a way to use credentials from a secure element
> > to authenticate to web applications using public key cryptography. As with
> > FIDO U2F, the browser’s role is mainly to provide the interface between the
> > secure element (such as a USB dongle) and the web application, and to
> > enforce a scoped security model to bind the resulting attestation to the
> > specific web application.
> >
> > Web Authentication support is currently in development for Microsoft Edge
> > [4] [5]. Google Chrome’s support is also in-development.  Several websites
> > have deployed support for U2F, the predecessor to WebAuthn, including
> > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
> > today which will function with the Web Authentication API.
> >
> > Proposed: To implement the Web Authentication API, with support for the USB
> > U2F HID token attestation format.
> >
> > Please send comments on this proposal to the list no later than 21 November
> > 2016.
> >
> > [1] https://www.w3.org/blog/webauthn/
> >
> > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> >
> > [3] https://www.w3.org/TR/webauthn/
> >
> > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> >
> > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> >
> > - J.C., Crypto Engineering
>
> Hi,
>
> the company I am working for is a small member of the FIDO alliance.
> We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
>
> As far as I know, there are still several debates inside the Alliance but
> until recently it was never clearly stated that present U2F tokens/devices
> will be compatible with the next W3C WebAuthN (I rather understood the
> contrary as there was nothing about this point inside the public W3C drafts)
>
> So, do you have new/other information to back your proposition:
> "Proposed: To implement the Web Authentication API, with support for the USB
> U2F HID token attestation format."
>
> Did I miss something? (that's possible, communication is kind of messy
> inside the Alliance...)


Re: Intent to implement and ship: Web Authentication

2016-11-13 Thread berniepavel
On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> The W3C Web Authentication Working Group [1] was formed to produce a
> browser-facing standard for using strong, cryptographic scoped credentials
> to authenticate to web applications in an un-phishable way. The Working
> Group began working from specifications produced by the FIDO Alliance, but
> through the W3C process ensured there was a web-focus to the final result.
> 
> We have been tracking the Web Authentication standard since last year’s
> FIDO U2F announcement [2],  and we believe Web Authentication provides a
> valuable augmentation to web application security in an inclusive way. We
> are proposing to implement the current draft specification for Web
> Authentication [3], and then track the evolution through to its final
> Recommendation state.
> 
> Background: The Mozilla Foundation joined the FIDO Alliance to support the
> work of providing augmented security to user logins across the Web. We
> encouraged FIDO to evolve their browser specifications within the W3C, to
> enable larger community involvement than simply Alliance members. This
> specification is a result of that wider effort.
> 
> Web Authentication defines a way to use credentials from a secure element
> to authenticate to web applications using public key cryptography. As with
> FIDO U2F, the browser’s role is mainly to provide the interface between the
> secure element (such as a USB dongle) and the web application, and to
> enforce a scoped security model to bind the resulting attestation to the
> specific web application.
> 
> Web Authentication support is currently in development for Microsoft Edge
> [4] [5]. Google Chrome’s support is also in-development.  Several websites
> have deployed support for U2F, the predecessor to WebAuthn, including
> Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
> today which will function with the Web Authentication API.
> 
> Proposed: To implement the Web Authentication API, with support for the USB
> U2F HID token attestation format.
> 
> Please send comments on this proposal to the list no later than 21 November
> 2016.
> 
> [1] https://www.w3.org/blog/webauthn/
> 
> [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> 
> [3] https://www.w3.org/TR/webauthn/
> 
> [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> 
> [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> 
> - J.C., Crypto Engineering

Hi,

the company I am working for is a small member of the FIDO alliance.
We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)

As far as I know, there are still several debates inside the Alliance but until 
recently it was never clearly stated that present U2F tokens/devices will be 
compatible with the next W3C WebAuthN (I rather understood the contrary as there 
was nothing about this point inside the public W3C drafts)

So, do you have new/other information to back your proposition:
"Proposed: To implement the Web Authentication API, with support for the USB 
U2F HID token attestation format."

Did I miss something? (that's possible, communication is kind of messy inside 
the Alliance...)


Intent to implement and ship: Web Authentication

2016-11-11 Thread J.C. Jones
The W3C Web Authentication Working Group [1] was formed to produce a
browser-facing standard for using strong, cryptographic scoped credentials
to authenticate to web applications in an un-phishable way. The Working
Group began working from specifications produced by the FIDO Alliance, but
through the W3C process ensured there was a web-focus to the final result.

We have been tracking the Web Authentication standard since last year’s
FIDO U2F announcement [2],  and we believe Web Authentication provides a
valuable augmentation to web application security in an inclusive way. We
are proposing to implement the current draft specification for Web
Authentication [3], and then track the evolution through to its final
Recommendation state.

Background: The Mozilla Foundation joined the FIDO Alliance to support the
work of providing augmented security to user logins across the Web. We
encouraged FIDO to evolve their browser specifications within the W3C, to
enable larger community involvement than simply Alliance members. This
specification is a result of that wider effort.

Web Authentication defines a way to use credentials from a secure element
to authenticate to web applications using public key cryptography. As with
FIDO U2F, the browser’s role is mainly to provide the interface between the
secure element (such as a USB dongle) and the web application, and to
enforce a scoped security model to bind the resulting attestation to the
specific web application.

Web Authentication support is currently in development for Microsoft Edge
[4] [5]. Google Chrome’s support is also in-development.  Several websites
have deployed support for U2F, the predecessor to WebAuthn, including
Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use
today which will function with the Web Authentication API.

Proposed: To implement the Web Authentication API, with support for the USB
U2F HID token attestation format.

Please send comments on this proposal to the list no later than 21 November
2016.

[1] https://www.w3.org/blog/webauthn/

[2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ

[3] https://www.w3.org/TR/webauthn/

[4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97

[5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth

- J.C., Crypto Engineering
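
The scoped security model described in the announcement above, as an added example that is not part of the original post and not Mozilla's code: a simplified U2F-style exchange in which the browser, not the page, supplies the origin that the token signs over. The class and function names, the constructed origins, and the simplification that the application identity equals the origin (key handles and attestation omitted) are assumptions of this sketch.

```javascript
// Added illustration (simplified U2F-style model): appId is assumed equal to the origin; key handles omitted.
const nodeCrypto = require('crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

class Token { // stands in for the secure element: one P-256 key pair per application
  constructor() { this.keys = new Map(); this.counter = 0; }
  register(appId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(sha256(appId).toString('hex'), privateKey);
    return publicKey; // the relying party stores this
  }
  sign(appParam, challengeParam) {
    const key = this.keys.get(appParam.toString('hex'));
    if (!key) return null; // no credential scoped to this application
    const presence = Buffer.from([0x01]);
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.counter);
    const signed = Buffer.concat([appParam, presence, counter, challengeParam]);
    return { presence, counter, signature: nodeCrypto.sign('sha256', signed, key) };
  }
}

// Browser: the origin comes from the page's real location, never from page script.
function browserGetAssertion(token, pageOrigin, challenge) {
  const clientData = JSON.stringify({ typ: 'navigator.id.getAssertion', challenge, origin: pageOrigin });
  const assertion = token.sign(sha256(pageOrigin), sha256(clientData));
  return assertion && { clientData, ...assertion };
}

// Relying party: checks the origin and challenge it expects, then the signature.
function verifyAssertion(publicKey, expectedOrigin, expectedChallenge, a) {
  const { origin, challenge } = JSON.parse(a.clientData);
  if (origin !== expectedOrigin || challenge !== expectedChallenge) return false;
  const signed = Buffer.concat([sha256(expectedOrigin), a.presence, a.counter, sha256(a.clientData)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature);
}

function demo() {
  const token = new Token();
  const site = 'https://login.example';            // constructed origins
  const lookalike = 'https://login.example.test';
  const sitePublicKey = token.register(site);
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const genuine = browserGetAssertion(token, site, challenge);
  const relayed = browserGetAssertion(token, lookalike, challenge); // same challenge, lookalike page
  token.register(lookalike); // even if the token also holds a credential for the lookalike
  const phished = browserGetAssertion(token, lookalike, challenge);
  return { genuine: verifyAssertion(sitePublicKey, site, challenge, genuine), relayed,
           phished: verifyAssertion(sitePublicKey, site, challenge, phished) };
}
```

Calling `demo()` shows the two layers of scoping: the token holds no key for the lookalike origin, and an assertion produced on the lookalike origin fails the relying party's origin check.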