By the way, I just got informed (from Google) that TLS Channel ID, even if
activated on Google servers (including appspot), is only enforced for few users
for now (even If I am not sure how they do that :) )
So Firefox users should not be blocked for that reason :)
They seem to agree you probab
On Monday, February 8, 2016 at 10:54:36 PM UTC+1, Ryan Sleevi wrote:
> On Mon, Feb 8, 2016 at 1:13 PM, Frederic Martin wrote:
> >
> > 1) From a security architect perspective. This is an official
> > recommendation that makes sens to prevent MITM attacks. FIDO U2F was
> > created to minimize/elim
On Mon, Feb 8, 2016 at 10:13 PM, Frederic Martin
wrote:
> Hi,
>
> thanx for the answer.
>
> Quoting Dirk Balfanz (one of the TLS Channel ID specifications author, a
> few days ago on FIDO DEV forum):
>
> "the new spec that replaces ChannelID is called "Token Binding", and is in
> the process of b
On Mon, Feb 8, 2016 at 1:13 PM, Frederic Martin wrote:
>
> 1) From a security architect perspective. This is an official recommendation
> that makes sens to prevent MITM attacks. FIDO U2F was created to
> minimize/eliminate that kind of risk.
U2F itself addresses phishing. Token Binding (attempt
Hi,
thanx for the answer.
Quoting Dirk Balfanz (one of the TLS Channel ID specifications author, a few
days ago on FIDO DEV forum):
"the new spec that replaces ChannelID is called "Token Binding", and is in the
process of being standardized by the IETF
(https://datatracker.ietf.org/wg/tokbind
On Fri, Feb 5, 2016 at 3:22 PM, Fred Le Tamanoir
wrote:
> Hi,
>
> Great news about you making progress on this !
>
> Since I read here and there that you are working with Firefox & Chrome U2F
> support consistency in mind, what's your take on TLS Channel ID (Token
> Binding) support inside Firefo
Hi,
Great news about you making progress on this !
Since I read here and there that you are working with Firefox & Chrome U2F
support consistency in mind, what's your take on TLS Channel ID (Token
Binding) support inside Firefox ?
It is a recommended feature for FIDO U2F client (Firefox here) in
All,
We're making progress on implementing FIDO U2F in Firefox. The effort is
split into a number of bugs at present. First, a quick rundown of where we
are:
* The tracking bug for U2F support is Bug 1065729.
* Bug 1198330 is to implement USB HID support in Firefox.
* Bug 1231681 implements the W
On Wednesday, December 2, 2015 at 2:23:28 AM UTC+1, Richard Barnes wrote:
> The FIDO Alliance has been developing standards for hardware-based
> authentication of users by websites [1]. Their work is getting significant
> traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
>
I'm no longer directly involved with the FIDO Alliance, so I can't speak to the
FIDO 2.0 timelines, but my general experience there plus at the W3C tells me
that it will some time before the new APIs stabilize. I hope that this won't
dissuade Mozilla from beginning work on implementing U2F more
On 12/04/2015 06:56 PM, smaug wrote:
Looks like the spec could be made implementable by fixing
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
"provide a namespace object u2f of the following interface" doesn't mean
a
Looks like the spec could be made implementable by fixing
https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#high-level-javascript-api
"provide a namespace object u2f of the following interface" doesn't mean
anything, so either there is supposed t
On 12/02/2015 11:37 PM, Frederic Martin wrote:
As I said in the other email,
I don't understand how this could be implemented when the spec has left the
>key piece undefined, as far as I see.
You are completely right ! For now, FIDO 2 is currently being written (far far
far from finished) and
Le jeudi 3 décembre 2015 01:28:51 UTC+1, Justin Dolske a écrit :
> On 12/2/15 6:48 AM, Richard Barnes wrote:
>
> > My initial intent was to propose implementing [1], then implementing [2]
> > when it's ready. After all, there's a lot in common, and as you say, >the
> > W3C version will be much n
> That said, I think we're in violent agreement that the specs are far, far,
> far from finished - and I'm unclear whether we're in agreement that one is
> under active development, while the other is a technological dead end which,
> through a series of unfortunate events, happened to have been
On 12/2/15 6:48 AM, Richard Barnes wrote:
My initial intent was to propose implementing [1], then implementing [2]
when it's ready. After all, there's a lot in common, and as you say, the
W3C version will be much nicer.
This seems like like a strange path to take. Why implement both?
From el
On Wednesday, December 2, 2015 at 3:08:44 PM UTC-8, Frederic Martin wrote:
> Sorry, but I don't understand why you are denying the evidence, anyone
> at Fido alliance will confirm that even non-public FIDO 2 drafts are far
> far far from finished. Regarding the glimpse that was published in W3c
>
Le mercredi 2 décembre 2015 23:43:00 UTC+1, Ryan Sleevi a écrit :
> On Wednesday, December 2, 2015 at 1:17:46 PM UTC-8, smaug wrote:
> > I don't understand how 1) could be implemented when the spec has left the
> > key piece undefined, as far as I see.
> > As the spec puts it "This specification d
On Wednesday, December 2, 2015 at 1:17:46 PM UTC-8, smaug wrote:
> I don't understand how 1) could be implemented when the spec has left the key
> piece undefined, as far as I see.
> As the spec puts it "This specification does not describe how such a port is
> made available to RP web pages, as
On Wed, Dec 2, 2015 at 1:11 PM, Frederic Martin
wrote:
> > > There are probably other questions Mozilla Core Team should ask to
> > > themselves :
> > >
> > > - Having a greater/larger HID Support, outside the FIDO U2F scope ?
> > > (This allows web services to communicate with HID devices - i.e.
>As I said in the other email,
>I don't understand how this could be implemented when the spec has left the
>>key piece undefined, as far as I see.
You are completely right ! For now, FIDO 2 is currently being written (far far
far from finished) and can't be implemented, so let's focus on exis
On 12/02/2015 03:23 AM, Richard Barnes wrote:
The FIDO Alliance has been developing standards for hardware-based
authentication of users by websites [1]. Their work is getting significant
traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
Work has begun in the W3C to crea
On 12/02/2015 07:25 AM, ryan.sle...@gmail.com wrote:
On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote:
Oh well. Bummer.
/ Jonas
If it cheers you up any, the 2.0 API that replaces the U2F API uses promises -
http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/
R
> > There are probably other questions Mozilla Core Team should ask to
> > themselves :
> >
> > - Having a greater/larger HID Support, outside the FIDO U2F scope ?
> > (This allows web services to communicate with HID devices - i.e.
> > that's how some cryptocurrencies hardware wallets are using HI
On 2015-12-02 9:48 AM, Richard Barnes wrote:
On Wed, Dec 2, 2015 at 12:25 AM, wrote:
On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote:
Oh well. Bummer.
/ Jonas
If it cheers you up any, the 2.0 API that replaces the U2F API uses
promises - http://www.w3.org/Submission/2
On Wed, Dec 2, 2015 at 9:53 AM, Robert O'Callahan
wrote:
> On Wed, Dec 2, 2015 at 9:37 AM, Eric Rescorla wrote:
>
>> Are you thinking of something like WebUSB?
>> (https://reillyeon.github.io/webusb/)? This is something we've looked at
>> a bit but we're still trying to wrap our heads around the
On 02.12.2015 18:53, Robert O'Callahan wrote:
> On Wed, Dec 2, 2015 at 9:37 AM, Eric Rescorla wrote:
>
>> Are you thinking of something like WebUSB?
>> (https://reillyeon.github.io/webusb/)? This is something we've looked at
>> a bit but we're still trying to wrap our heads around the security
>>
On Wed, Dec 2, 2015 at 9:37 AM, Eric Rescorla wrote:
> Are you thinking of something like WebUSB?
> (https://reillyeon.github.io/webusb/)? This is something we've looked at
> a bit but we're still trying to wrap our heads around the security
> implications.
>
Where are we discussing that? I'd re
Hi Freddie, glad to see people so excited about it.
On Wed, Dec 2, 2015 at 8:22 AM, wrote:
>
> So, let's forget about 2 for now, it is not a real thing... and
> well.. let's forget it. (If you read both specs you should see
> real differences and problems...)
>
> There are probably other question
Hi All, great news !
TL;DR version:
--
I love U2F, I love Firefox
FIDO U2F is here to stay.
FIDO 2.0 do not exist and will not replace U2F.
FIDO U2F is really great.
Please implement FIDO U2F.
Please please please implement TLS Channel ID Binding support
(important part of FIDO U2F s
On 12/2/15 8:53 AM, Ms2ger wrote:
I don't remember what the current conventional wisdom about
prefixing is, but I would be open to shipping with a prefix if
people thought that would ease pain in the eventual transition.
No. Nonononononononono.
This is the conventional wisdom. Prefixes end up
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 12/02/2015 03:48 PM, Richard Barnes wrote:
> I think we would treat this just like we treat other early-stage
> things that get shipped, gradually turning it off when the real
> thing shows up.
That would mean only shipping it on Nightly and maybe
On Wed, Dec 2, 2015 at 12:25 AM, wrote:
> On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote:
> > Oh well. Bummer.
> >
> > / Jonas
>
> If it cheers you up any, the 2.0 API that replaces the U2F API uses
> promises - http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/
On Tuesday, December 1, 2015 at 6:04:30 PM UTC-8, Jonas Sicking wrote:
> Oh well. Bummer.
>
> / Jonas
If it cheers you up any, the 2.0 API that replaces the U2F API uses promises -
http://www.w3.org/Submission/2015/SUBM-fido-web-api-20151120/
Richard, it would help if you could clarify - are yo
Oh well. Bummer.
/ Jonas
On Tue, Dec 1, 2015 at 5:36 PM, Richard Barnes wrote:
> It's my understanding that U2F qua U2F is considered pretty much baked by
> the developer community, and there's already code written to it. But these
> concerns will be great for the W3C group and the successor AP
It's my understanding that U2F qua U2F is considered pretty much baked by
the developer community, and there's already code written to it. But these
concerns will be great for the W3C group and the successor API. I've got a
similar list started related to crypto and future-proofing.
On Tue, Dec
Any chance that the API can be made a little more JS friendly? First
thing that stands out is the use of success/error callbacks rather
than the use of Promises.
Also the use of numeric codes, rather than string values, is a pattern
that the web has generally moved away from.
/ Jonas
On Tue, Dec
The FIDO Alliance has been developing standards for hardware-based
authentication of users by websites [1]. Their work is getting significant
traction, so the Mozilla Foundation has decided to join the FIDO Alliance.
Work has begun in the W3C to create open standards using FIDO as a starting
point
38 matches
Mail list logo