fyi: Intent to Implement and ship: aligning U2F attestation with webauthn

Of possible interest:

Intent to Implement and ship: aligning U2F attestation with webauthn
<https://groups.google.com/a/chromium.org/forum/?fromgroups=#!topic/blink-dev/ACm00_XFI7s>

From: Adam Langley <a...@chromium.org>
Date: Tue, 6 Feb 2018 17:05:04 -0800
Subject: Intent to Implement and ship: aligning U2F attestation with webauthn
To: blink-dev <blin...@chromium.org>

Chrome has never supported the FIDO U2F API
<https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html>
directly. However, it does ship with an internal extension and it's
possible to implement the U2F API by using postMessage to send messages 
to this extension if you know its ID.

Chromium/Blink is implementing the W3C webauthn specification
<https://www.chromestatus.com/feature/5669923372138496> which will
ultimately subsume the U2F API and have cross-browser support. As part 
of that transition we are aligning attestation behaviour between 
webauthn and our pseudo-U2F support.

This does not involve any Blink changes but a handful of sites do 
implement U2F by postMessaging our internal extension, thus web 
developers may need to be aware of this.

Starting with Chrome 66 an additional member of the RegisterRequest
<https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#dictionary-registerrequest-members> 
object is supported that mirrors
AttestationConveyancePreference
<https://w3c.github.io/webauthn/#attestation-convey> from webauthn. 
Sites that have been using the U2F API will experience a change in 
behavior as the default will no longer cause the device's attestation 
information to be returned. To get the old behavior, sites should add an 
"attestation" member to the RegisterRequest
<https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-javascript-api-v1.2-ps-20170411.html#dictionary-registerrequest-members> 
object with the value "direct". However, they should note that this will 
trigger a permission prompt. This new behaviour is the same as specified 
by webauthn.

Only a single site is known to care about the attestation information in
U2F and we will be contacting them directly in advance of this.

There is an enterprise policy option to additionally control things. For 
full details, see https://www.chromium.org/security-keys

This is https://www.chromestatus.com/features/5667614588141568

Cheers

AGL

Received on Wednesday, 7 February 2018 15:53:23 UTC
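Added example (not part of the forwarded message or of Chromium's code): a relying-party helper that builds the Chrome 66+ U2F RegisterRequest with the new "attestation" member beside the equivalent WebAuthn creation options, so the attestation preference is stated explicitly instead of relying on the old default. The function names, the rp/user fields and the sample challenge are assumptions; `atob` and `TextEncoder` are assumed to be available (browser, or Node 16+).

```javascript
'use strict';

// AttestationConveyancePreference values defined by WebAuthn Level 1.
const ATTESTATION_PREFERENCES = ['none', 'indirect', 'direct'];

function checkAttestation(pref) {
  if (pref !== undefined && !ATTESTATION_PREFERENCES.includes(pref)) {
    throw new TypeError(`invalid attestation preference: ${pref}`);
  }
}

// U2F challenges are websafe-base64 strings; WebAuthn wants raw bytes.
function websafeBase64ToBytes(s) {
  const std = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// U2F RegisterRequest (version + challenge) plus Chrome's "attestation"
// member. Leaving it out now behaves like "none", so a site that verifies
// the device's attestation certificate must ask for "direct" explicitly
// and expect the permission prompt the message describes.
function buildU2fRegisterRequest(challenge, attestation) {
  checkAttestation(attestation);
  const req = { version: 'U2F_V2', challenge };
  if (attestation !== undefined) req.attestation = attestation;
  return req;
}

// The WebAuthn equivalent (PublicKeyCredentialCreationOptions); the rp and
// user members are assumed values, not something the U2F request carries.
function buildWebauthnCreateOptions(rpId, userName, challenge, attestation) {
  checkAttestation(attestation);
  return {
    rp: { id: rpId, name: rpId },
    user: { id: new TextEncoder().encode(userName), name: userName, displayName: userName },
    challenge: websafeBase64ToBytes(challenge),
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256, as U2F keys use
    attestation: attestation === undefined ? 'none' : attestation, // WebAuthn default
  };
}

// Constructed sample challenge: the bytes 00 01 02 03 in websafe-base64.
const SAMPLE_CHALLENGE = 'AAECAw';
```

Pass the request from `buildU2fRegisterRequest` in the array given to `u2f.register`, and the options from `buildWebauthnCreateOptions` as `publicKey` to `navigator.credentials.create`.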