Hi Freddie, glad to see people so excited about it.

On Wed, Dec 2, 2015 at 8:22 AM, <fredletaman...@gmail.com> wrote:

> So, let's forget about 2 for now, it is not a real thing... and
> well.. let's forget it. (If you read both specs you should see
> real differences and problems...)
>
> There are probably other questions Mozilla Core Team should ask
> themselves:
>
> - Having a greater/larger HID Support, outside the FIDO U2F scope?
> (This allows web services to communicate with HID devices - i.e.
> that's how some cryptocurrencies hardware wallets are using HID
> Chrome interface)

Are you thinking of something like WebUSB (https://reillyeon.github.io/webusb/)? This is something we've looked at a bit but we're still trying to wrap our heads around the security implications.

> - Have TLS Channel ID Binding support. (Oh, this is really important)
> When you check the FIDO U2F specifications, you'll see that TLS Channel
> ID Binding is an important part of the security against attacks like
> SSL Proxy and similar MITM attacks. This part is not mandatory. But
> Google servers are using this and Chrome supports it. So... please
> REALLY consider implementing it: it will bring higher security and
> probably will give a chance too in the future to be accepted as a
> supported browser on Google servers (I am not from Google so I can't
> speak on their behalf but this should be a rational requirement there).
> This is the only way to provide a full anti-phishing solution.

My understanding is that Channel ID is being superseded by token binding (https://datatracker.ietf.org/wg/tokbind/charter/), so if we do something in this area, it's more likely we would do token binding than channel ID, I expect.

-Ekr

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform