Tom,

We're making progress on supporting the USB U2F HID token attestation
format; before the actual U2F/HID code starts appearing in-tree, there's
had to be some refactoring to handle things in a proper asynchronous way --
which is nearing review.

I'm working on that USB U2F support for OSX right now; Linux support is
also looking pretty OK, and we're planning to get Windows this quarter, too.

Independently, we're waiting on updating our Web Authentication
implementation from the WD-02 version currently in-tree, expecting a
significant refactor to happen aligning the way you use Web Authentication
with the W3C Credential Management specification. There's ongoing
discussion [1] and currently one pull request [2] to do that. That's
primarily why we haven't moved forward to the WD-04 draft yet - and we're
working on the HID support.

That said, we're still planning on exposing the USB U2F security key-type
devices only through the W3C Web Authentication API by default -- the older
FIDO U2F API that is currently hidden behind the `security.webauth.u2f`
preference [3] we're currently planning to keep hidden. It doesn't
implement the "Low-level MessagePort API", which makes some sites that
depend on Chrome's u2f-api.js behave oddly.


[1] https://lists.w3.org/Archives/Public/public-webauthn/2017Apr/0162.html
[2] https://github.com/w3c/webauthn/pull/384
[3] (and also the `security.webauth.u2f_enable_softtoken` preference, since
there's no USB support in-tree yet)

Cheers,
J.C.

On Tue, Apr 11, 2017 at 5:05 AM, Tom Schuster <t...@schuster.me> wrote:

> So what's our status with regards to implementing FIDO u2f? I really would
> like to use my security key natively in Firefox.
>
> Best,
> Tom
>
> On Sat, Dec 3, 2016 at 5:47 AM, Anders Rundgren <
> anders.rundgren....@gmail.com> wrote:
>
> > On Friday, December 2, 2016 at 10:27:30 PM UTC+1, JC Jones wrote:
> > > Anders,
> > >
> > > The first target I'm working on is Desktop, though I've plans in 2017 to
> > > support WebAuthn on Android and iOS [1], too. WebAuthn already has
> > > definitions suitable for Android's Key Attestation [2] and SafetyNet
> > > formats [3], so they'll need implementations that tie into the
> > > dom::WebAuthentication class.
> >
> > That's great news!
> >
> > Regards,
> > Anders
> >
> > >
> > > Cheers,
> > > J.C.
> > >
> > > [1] https://wiki.mozilla.org/Security/CryptoEngineering#Web_Authentication
> > > [2] https://w3c.github.io/webauthn/#android-key-attestation
> > > [3] https://w3c.github.io/webauthn/#android-safetynet-attestation
> > >
> > > On Wed, Nov 30, 2016 at 10:54 PM, Anders Rundgren <
> > > anders.rundgren....@gmail.com> wrote:
> > >
> > > > > On Wednesday, November 30, 2016 at 5:42:30 PM UTC+1, Anders Rundgren wrote:
> > > > > It is a pity that external tokens have become the
> > > > > focus when the majority will rather rely on embedded
> > > > > security solutions which nowadays is a standard feature
> > > > > in Android and Windows platforms.
> > > >
> > > > > Slight clarification to the above: The IoT folks pretty much build 100% on
> > > > > embedded security with car-keys as an obvious exception.
> > > > >
> > > > > On mobile I would say that over 99% of all existing security solutions
> > > > > based on cryptographic keys are relying on embedded (or "App level") keys
> > > > > with Apple Pay as the most advanced example.
> > > > >
> > > > > That is, the token vendors and security folks do not represent the actual
> > > > > market comprising of end-users and service providers.
> > > >
> > > > Maybe this is a project primarily targeting the desktop?
> > > > _______________________________________________
> > > > dev-platform mailing list
> > > > dev-platform@lists.mozilla.org
> > > > https://lists.mozilla.org/listinfo/dev-platform
> > > >