- From: Hodges, Jeff <jeff.hodges@paypal.com>
- Date: Mon, 14 Nov 2016 07:50:01 +0000
- To: W3C WebAuthn WG <public-webauthn@w3.org>
From: dev-platform <dev-platform-bounces+jeff.hodges=paypal.com@lists.mozilla.org> on behalf of "J.C. Jones" <jjones@mozilla.com>
Date: Friday, November 11, 2016 at 1:18 PM
To: "dev-platform@lists.mozilla.org" <dev-platform@lists.mozilla.org>
Subject: Intent to implement and ship: Web Authentication

The W3C Web Authentication Working Group [1] was formed to produce a browser-facing standard for using strong, cryptographic scoped credentials to authenticate to web applications in an un-phishable way. The Working Group began working from specifications produced by the FIDO Alliance, but through the W3C process ensured there was a web focus to the final result.

We have been tracking the Web Authentication standard since last year's FIDO U2F announcement [2], and we believe Web Authentication provides a valuable augmentation to web application security in an inclusive way.

We are proposing to implement the current draft specification for Web Authentication [3], and then track the evolution through to its final Recommendation state.

Background:

The Mozilla Foundation joined the FIDO Alliance to support the work of providing augmented security to user logins across the Web. We encouraged FIDO to evolve their browser specifications within the W3C, to enable larger community involvement than simply Alliance members. This specification is a result of that wider effort.

Web Authentication defines a way to use credentials from a secure element to authenticate to web applications using public key cryptography. As with FIDO U2F, the browser's role is mainly to provide the interface between the secure element (such as a USB dongle) and the web application, and to enforce a scoped security model to bind the resulting attestation to the specific web application.

Web Authentication support is currently in development for Microsoft Edge [4] [5]. Google Chrome's support is also in development.

Several websites have deployed support for U2F, the predecessor to WebAuthn, including Gmail, Dropbox, and GitHub. Additionally, there are many U2F devices in use today which will function with the Web Authentication API.

Proposed:

To implement the Web Authentication API, with support for the USB U2F HID token attestation format.

Please send comments on this proposal to the list no later than 21 November 2016.

[1] https://www.w3.org/blog/webauthn/
[2] https://groups.google.com/d/msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ
[3] https://www.w3.org/TR/webauthn/
[4] https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge/#XKWsxS6PwLOtBYrG.97
[5] https://developer.microsoft.com/en-us/microsoft-edge/platform/status/webauthenticationapi/?q=webauth

- J.C., Crypto Engineering
Received on Monday, 14 November 2016 07:50:39 UTC