Le lundi 14 novembre 2016 18:34:11 UTC+1, JC Jones a écrit : > Bernie, > > You're right that the current WD does not contain the "U2F HID token" > attestation format, but the WG is _intending_ to add it [1] -- and support > for such devices -- in Working Draft 4 [2] as soon as a larger in-document > refactor is complete. > > I won't guarantee success at this point, but I believe it likely that > WebAuthn will ultimately support most fielded U2F HID-compliant devices. > > [1] https://github.com/w3c/webauthn/issues/214 > [2] https://github.com/w3c/webauthn/milestone/8 > > Cheers! > J.C. > > > > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote: > > > Le vendredi 11 novembre 2016 22:18:58 UTC+1, JC Jones a écrit : > > > The W3C Web Authentication Working Group [1] was formed to produce a > > > browser-facing standard for using strong, cryptographic scoped > > credentials > > > to authenticate to web applications in an un-phishable way. The Working > > > Group began working from specifications produced by the FIDO Alliance, > > but > > > through the W3C process ensured there was a web-focus to the final > > result. > > > > > > We have been tracking the Web Authentication standard since last year’s > > > FIDO U2F announcement [2], and we believe Web Authentication provides a > > > valuable augmentation to web application security in an inclusive way. We > > > are proposing to implement the current draft specification for Web > > > Authentication [3], and then track the evolution through to its final > > > Recommendation state. > > > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support > > the > > > work of providing augmented security to user logins across the Web. We > > > encouraged FIDO to evolve their browser specifications within the W3C, to > > > enable larger community involvement than simply Alliance members. This > > > specification is a result of that wider effort. > > > > > > Web Authentication defines a way to use credentials from a secure element > > > to authenticate to web applications using public key cryptography. As > > with > > > FIDO U2F, the browser’s role is mainly to provide the interface between > > the > > > secure element (such as a USB dongle) and the web application, and to > > > enforce a scoped security model to bind the resulting attestation to the > > > specific web application. > > > > > > Web Authentication support is currently in development for Microsoft Edge > > > [4] [5]. Google Chrome’s support is also in-development. Several > > websites > > > have deployed support for U2F, the predecessor to WebAuthn, including > > > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in > > use > > > today which will function with the Web Authentication API. > > > > > > Proposed: To implement the Web Authentication API, with support for the > > USB > > > U2F HID token attestation format. > > > > > > Please send comments on this proposal to the list no later than 21 > > November > > > 2016. > > > > > > [1] https://www.w3.org/blog/webauthn/ > > > > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/ > > > IVGEJnQW3Uo/Eu5tvyLmCgAJ > > > > > > [3] https://www.w3.org/TR/webauthn/ > > > > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world- > > > without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97 > > > > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/ > > platform/status/ > > > webauthenticationapi/?q=webauth > > > > > > - J.C., Crypto Engineering > > > > Hi, > > > > the company I am working for is a small member of the the FIDO alliance. > > We are offering our own U2F USB HID tokens (and soon U2F BLE devices...) > > > > As far as I know, there are still several debates inside the Alliance but > > until recently it was never clearly stated that present U2F tokens/devices > > will be compatible with the next W3C WebAuthN (I rather understood the > > contrary as thre was nothing about this point inside the public w3C drafts) > > > > So, do you have new/other information to back your proposition : > > "Proposed: To implement the Web Authentication API, with support for the > > USB > > U2F HID token attestation format." > > > > Did I miss something ? (that's possible, communication is kind of messy > > inside the Alliance...) > > _______________________________________________ > > dev-platform mailing list > > https://lists.mozilla.org/listinfo/dev-platform > >
hi JC, I just realize that your are jcj_moz inside webauthn minutes I am reading every weeks. I followed parts of the debates about CTAP, U2F attestation... and how it appears and disappears on main w3c drafts... I even read https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and BT... (I ammmm goingggg slightllyyy maaaad) Since you seem to a better perspective on these points, would you be kind enough to explain how U2F will be dealt with to be compatible with WebAuthN architecture ? Thanx ! _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
