On Monday, 14 November 2016 at 22:41:37 UTC+1, berni...@gmail.com wrote:
> On Monday, 14 November 2016 at 18:34:11 UTC+1, JC Jones wrote:
> > Bernie,
> >
> > You're right that the current WD does not contain the "U2F HID token"
> > attestation format, but the WG is _intending_ to add it [1] -- and support
> > for such devices -- in Working Draft 4 [2] as soon as a larger in-document
> > refactor is complete.
> >
> > I won't guarantee success at this point, but I believe it likely that
> > WebAuthn will ultimately support most fielded U2F HID-compliant devices.
> >
> > [1] https://github.com/w3c/webauthn/issues/214
> > [2] https://github.com/w3c/webauthn/milestone/8
> >
> > Cheers!
> > J.C.
> >
> > On Sun, Nov 13, 2016 at 4:36 PM, Bernie wrote:
> >
> > > On Friday, 11 November 2016 at 22:18:58 UTC+1, JC Jones wrote:
> > > > The W3C Web Authentication Working Group [1] was formed to produce a
> > > > browser-facing standard for using strong, cryptographic scoped
> > > > credentials to authenticate to web applications in an un-phishable
> > > > way. The Working Group began working from specifications produced by
> > > > the FIDO Alliance, but through the W3C process ensured there was a
> > > > web-focus to the final result.
> > > >
> > > > We have been tracking the Web Authentication standard since last
> > > > year’s FIDO U2F announcement [2], and we believe Web Authentication
> > > > provides a valuable augmentation to web application security in an
> > > > inclusive way. We are proposing to implement the current draft
> > > > specification for Web Authentication [3], and then track the
> > > > evolution through to its final Recommendation state.
> > > >
> > > > Background: The Mozilla Foundation joined the FIDO Alliance to
> > > > support the work of providing augmented security to user logins
> > > > across the Web. We encouraged FIDO to evolve their browser
> > > > specifications within the W3C, to enable larger community
> > > > involvement than simply Alliance members. This specification is a
> > > > result of that wider effort.
> > > >
> > > > Web Authentication defines a way to use credentials from a secure
> > > > element to authenticate to web applications using public key
> > > > cryptography. As with FIDO U2F, the browser’s role is mainly to
> > > > provide the interface between the secure element (such as a USB
> > > > dongle) and the web application, and to enforce a scoped security
> > > > model to bind the resulting attestation to the specific web
> > > > application.
> > > >
> > > > Web Authentication support is currently in development for
> > > > Microsoft Edge [4] [5]. Google Chrome’s support is also
> > > > in-development. Several websites have deployed support for U2F, the
> > > > predecessor to WebAuthn, including Gmail, Dropbox, and Github.
> > > > Additionally, there are many U2F devices in use today which will
> > > > function with the Web Authentication API.
> > > >
> > > > Proposed: To implement the Web Authentication API, with support for
> > > > the USB U2F HID token attestation format.
> > > >
> > > > Please send comments on this proposal to the list no later than 21
> > > > November 2016.
> > > >
> > > > [1] https://www.w3.org/blog/webauthn/
> > > >
> > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
> > > >
> > > > [3] https://www.w3.org/TR/webauthn/
> > > >
> > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
> > > >
> > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth
> > > >
> > > > - J.C., Crypto Engineering
> > >
> > > Hi,
> > >
> > > the company I am working for is a small member of the FIDO alliance.
> > > We are offering our own U2F USB HID tokens (and soon U2F BLE devices...)
> > >
> > > As far as I know, there are still several debates inside the Alliance but
> > > until recently it was never clearly stated that present U2F tokens/devices
> > > will be compatible with the next W3C WebAuthN (I rather understood the
> > > contrary as there was nothing about this point inside the public W3C
> > > drafts)
> > >
> > > So, do you have new/other information to back your proposition:
> > > "Proposed: To implement the Web Authentication API, with support for the
> > > USB U2F HID token attestation format."
> > >
> > > Did I miss something? (that's possible, communication is kind of messy
> > > inside the Alliance...)
> > > _______________________________________________
> > > dev-platform mailing list
> > > https://lists.mozilla.org/listinfo/dev-platform
> > >
>
> hi JC,
>
> I just realized that you are jcj_moz inside webauthn minutes I am reading
> every week. I followed parts of the debates about CTAP, U2F attestation...
> and how it appears and disappears on main W3C drafts... I even read
> https://fidoalliance.org/specs/fido-v2.0-rd-20161004/FIDO-COMPLETE-v2.0-rd-20161004.pdf
> and I still don't get it... CTAPHID, CTAPBT are never linked to U2F HID and
> BT... (I ammmm goingggg slightllyyy maaaad)
>
> Since you seem to have a better perspective on these points, would you be kind
> enough to explain how U2F will be dealt with to be compatible with WebAuthN
> architecture? Thanx!

oh I got it now... it seems there was a change of direction in CTAP 1.1 to be now compatible with U2F...

so regarding CTAP 1.1 (and not CTAP 2.0), CTAP HID <=> U2F USB, CTAP NFC <=> U2F NFC and CTAP BT <=> U2F BT... and "Channel ID" MITM protection is now replaced by "Token Binding ID" but it should stay compatible too...

So now, you'll have to finalize CTAP 1.1 (and U2F BT by the way)

Am I correct on this?