Le vendredi 11 novembre 2016 22:18:58 UTC+1, JC Jones a écrit : > The W3C Web Authentication Working Group [1] was formed to produce a > browser-facing standard for using strong, cryptographic scoped credentials > to authenticate to web applications in an un-phishable way. The Working > Group began working from specifications produced by the FIDO Alliance, but > through the W3C process ensured there was a web-focus to the final result. > > We have been tracking the Web Authentication standard since last year’s > FIDO U2F announcement [2], and we believe Web Authentication provides a > valuable augmentation to web application security in an inclusive way. We > are proposing to implement the current draft specification for Web > Authentication [3], and then track the evolution through to its final > Recommendation state. > > Background: The Mozilla Foundation joined the FIDO Alliance to support the > work of providing augmented security to user logins across the Web. We > encouraged FIDO to evolve their browser specifications within the W3C, to > enable larger community involvement than simply Alliance members. This > specification is a result of that wider effort. > > Web Authentication defines a way to use credentials from a secure element > to authenticate to web applications using public key cryptography. As with > FIDO U2F, the browser’s role is mainly to provide the interface between the > secure element (such as a USB dongle) and the web application, and to > enforce a scoped security model to bind the resulting attestation to the > specific web application. > > Web Authentication support is currently in development for Microsoft Edge > [4] [5]. Google Chrome’s support is also in-development. Several websites > have deployed support for U2F, the predecessor to WebAuthn, including > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in use > today which will function with the Web Authentication API. > > Proposed: To implement the Web Authentication API, with support for the USB > U2F HID token attestation format. > > Please send comments on this proposal to the list no later than 21 November > 2016. > > [1] https://www.w3.org/blog/webauthn/ > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/ > IVGEJnQW3Uo/Eu5tvyLmCgAJ > > [3] https://www.w3.org/TR/webauthn/ > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world- > without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97 > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/ > webauthenticationapi/?q=webauth > > - J.C., Crypto Engineering
Hi, the company I am working for is a small member of the the FIDO alliance. We are offering our own U2F USB HID tokens (and soon U2F BLE devices...) As far as I know, there are still several debates inside the Alliance but until recently it was never clearly stated that present U2F tokens/devices will be compatible with the next W3C WebAuthN (I rather understood the contrary as thre was nothing about this point inside the public w3C drafts) So, do you have new/other information to back your proposition : "Proposed: To implement the Web Authentication API, with support for the USB U2F HID token attestation format." Did I miss something ? (that's possible, communication is kind of messy inside the Alliance...) _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
