On Sunday, January 29, 2017 at 8:36:57 AM UTC+1, Anders Rundgren wrote:
> Feel free to call me a troll, but there is a rationale behind my ramblings on
> https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
>
> The bug is named "Implement the FIDO Alliance u2f javascript API".
>
> The spec is here: https://www.w3.org/TR/webauthn/
>
> "In one extreme case, the authenticator may be embedded in the client,
> and its bindings may be no more trustworthy than the ClientData.
> At the other extreme, the authenticator may be a discrete entity with
> high-security hardware and software"
>
> Anyway, what I (early on) suggested was not deprecating the USB token
> project, but looking into the possibility of offering a soft token solution as
> well.
>
> Then suddenly, Mozilla announces that they indeed have a soft token
> solution(!) which they don't want to productify since that would potentially
> give them "badwill" since that solution would be less secure than the "real"
> solution. 800 million Chinese folks using soft payment tokens seem to have
> survived.
>
> Now to the "funny" part. Mozilla, Google, and Microsoft have spent huge
> resources on defining and implementing a standard called WebCrypto.
>
> AFAICT, this scheme should have close to identical security characteristics
> to a soft U2F solution!
>
> I believe that it would be pretty inconvenient for Google who is the engine
> behind U2F, to screw all their HW partners by offering a soft solution.
> Mozilla does not have this problem.
>
> This is not a question about security, but about product management.

Would it be possible to get some kind of feedback on my claim regarding the security of WebCrypto versus soft token U2F?

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform

