Bernie, You're right that the current WD does not contain the "U2F HID token" attestation format, but the WG is _intending_ to add it [1] -- and support for such devices -- in Working Draft 4 [2] as soon as a larger in-document refactor is complete.
I won't guarantee success at this point, but I believe it likely that WebAuthn will ultimately support most fielded U2F HID-compliant devices. [1] https://github.com/w3c/webauthn/issues/214 [2] https://github.com/w3c/webauthn/milestone/8 Cheers! J.C. On Sun, Nov 13, 2016 at 4:36 PM, <berniepa...@gmail.com> wrote: > Le vendredi 11 novembre 2016 22:18:58 UTC+1, JC Jones a écrit : > > The W3C Web Authentication Working Group [1] was formed to produce a > > browser-facing standard for using strong, cryptographic scoped > credentials > > to authenticate to web applications in an un-phishable way. The Working > > Group began working from specifications produced by the FIDO Alliance, > but > > through the W3C process ensured there was a web-focus to the final > result. > > > > We have been tracking the Web Authentication standard since last year’s > > FIDO U2F announcement [2], and we believe Web Authentication provides a > > valuable augmentation to web application security in an inclusive way. We > > are proposing to implement the current draft specification for Web > > Authentication [3], and then track the evolution through to its final > > Recommendation state. > > > > Background: The Mozilla Foundation joined the FIDO Alliance to support > the > > work of providing augmented security to user logins across the Web. We > > encouraged FIDO to evolve their browser specifications within the W3C, to > > enable larger community involvement than simply Alliance members. This > > specification is a result of that wider effort. > > > > Web Authentication defines a way to use credentials from a secure element > > to authenticate to web applications using public key cryptography. As > with > > FIDO U2F, the browser’s role is mainly to provide the interface between > the > > secure element (such as a USB dongle) and the web application, and to > > enforce a scoped security model to bind the resulting attestation to the > > specific web application. > > > > Web Authentication support is currently in development for Microsoft Edge > > [4] [5]. Google Chrome’s support is also in-development. Several > websites > > have deployed support for U2F, the predecessor to WebAuthn, including > > Gmail, Dropbox, and Github. Additionally, there are many U2F devices in > use > > today which will function with the Web Authentication API. > > > > Proposed: To implement the Web Authentication API, with support for the > USB > > U2F HID token attestation format. > > > > Please send comments on this proposal to the list no later than 21 > November > > 2016. > > > > [1] https://www.w3.org/blog/webauthn/ > > > > [2] https://groups.google.com/d/msg/mozilla.dev.platform/ > > IVGEJnQW3Uo/Eu5tvyLmCgAJ > > > > [3] https://www.w3.org/TR/webauthn/ > > > > [4] https://blogs.windows.com/msedgedev/2016/04/12/a-world- > > without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97 > > > > [5] https://developer.microsoft.com/en-us/microsoft-edge/ > platform/status/ > > webauthenticationapi/?q=webauth > > > > - J.C., Crypto Engineering > > Hi, > > the company I am working for is a small member of the the FIDO alliance. > We are offering our own U2F USB HID tokens (and soon U2F BLE devices...) > > As far as I know, there are still several debates inside the Alliance but > until recently it was never clearly stated that present U2F tokens/devices > will be compatible with the next W3C WebAuthN (I rather understood the > contrary as thre was nothing about this point inside the public w3C drafts) > > So, do you have new/other information to back your proposition : > "Proposed: To implement the Web Authentication API, with support for the > USB > U2F HID token attestation format." > > Did I miss something ? (that's possible, communication is kind of messy > inside the Alliance...) > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
