Chrome ships with a built-in extension that exposes the high-level API (which I think we all agree is a hack). We recently had this discussion <https://groups.google.com/a/chromium.org/d/msg/blink-dev/wfIVkXvQ7kQ/VfuOr_FhBwAJ> about the right path forward here, and agreed that we should instead focus our efforts <https://groups.google.com/a/chromium.org/forum/#!searchin/blink-dev/u2f%7Csort:relevance/blink-dev/qCJhuuZH5p0/le6l1t37AQAJ> on the Web Authentication API <https://w3c.github.io/webauthn/> instead, since it seemed much more likely to be something that would become interoperable between browsers.
On Wed, Feb 22, 2017 at 3:46 PM, Sam Weinig <[email protected]> wrote: > > On Feb 22, 2017, at 5:52 AM, Jacob Greenfield <[email protected]> wrote: > > I’m working on adding support to WebKit for FIDO U2F (JS API: > https://fidoalliance.org/specs/fido-u2f-v1.1-id- > 20160915/fido-u2f-javascript-api-v1.1-id-20160915.html Architecture > overview: https://fidoalliance.org/specs/fido-u2f-v1.1-id- > 20160915/fido-u2f-overview-v1.1-id-20160915.html ). The FIDO U2F > specification allows a secure second factor to be used during > authentication flow, with bidirectional verification (token verifies > server, server verifies token and token’s knowledge of a specific private > key). There are current implementations in Chrome, Opera, and Blink > (Firefox). I’m primarily interested in bringing support to Safari, so that > is the focus what I am currently working on. > > > Hi Jacob, and welcome to WebKit. > > I went looking for how to use the feature in Chrome and Firefox (I assume > you meant Gecko (Firefox), not Blink (Firefox)) I’m a little confused as to > how this feature is exposed in the other browsers. On the topic of the > low-level MessagePort API, section 3 states “This specification does not > describe how such a port is made available to RP web pages, as this is (for > now) implementation and browser dependent” (https://fidoalliance.org/ > specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript- > api-v1.1-id-20160915.html#api-levels). Similarly, for the high-level > API, it states in section 3.2, “Implementations may choose how to make such > an API available to RP web pages. If such an API is provided, > it should provide a namespace object u2f of the following interface" ( > https://fidoalliance.org/specs/fido-u2f-v1.1-id- > 20160915/fido-u2f-javascript-api-v1.1-id-20160915.html# > high-level-javascript-api). > > Do you have insight into how either of these APIs are exposed in other > browsers? How do you plan on exposing them in WebKit? > > I should say, generally, I am concerned with APIs that leave important > details like how the APIs are exposed to the implementation, as they lead > to non-interoperable implementations. > > Thanks, > - Sam > > > _______________________________________________ > webkit-dev mailing list > [email protected] > https://lists.webkit.org/mailman/listinfo/webkit-dev > >
_______________________________________________ webkit-dev mailing list [email protected] https://lists.webkit.org/mailman/listinfo/webkit-dev
