Closed
Bug 1416056
Opened 7 years ago
Closed 7 years ago
Web Authentication - Default to "None Attestation"
Categories
(Core :: DOM: Device Interfaces, enhancement, P1)
Tracking
RESOLVED FIXED
Future
Tracking | Status | |
---|---|---|
firefox60 | --- | fixed |
People
(Reporter: jcj, Assigned: ttaubert)
References
(Blocks 1 open bug)
Details
(Whiteboard: [webauthn])
Attachments
(1 file, 1 obsolete file)
WebAuthn has an attestation type that permits the UA to replace the attestation certificate produced by an authenticator with a self-signed one. Basically, strip out the cert and signature in the Create operation, and perform the just-in-time cert-generation-and-sign functions from our soft token.
We should use this attestation type in Private Browsing mode. We should also expose a pref to enable this by default, for users that prefer cloaking the certificates. (Tor Browser, maybe?)
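As an added example (not Firefox or Mozilla code), this is what the relying-party side sees once the client has stripped the authenticator certificate and signature as described above: a minimal CBOR decoder plus a parser that recognises the `"none"` attestation format (empty `attStmt`) and pulls the flags and signature counter out of `authData`. The sample `attestationObject` bytes are constructed by hand, not captured from a device.

```javascript
const utf8 = new TextDecoder();

// Minimal CBOR decoder covering what an attestationObject needs:
// unsigned ints, byte strings, text strings, arrays and maps.
function decodeCbor(bytes) {
  let pos = 0;
  const readLen = (ai) => {
    if (ai < 24) return ai;
    let n = 0, width = ai === 24 ? 1 : ai === 25 ? 2 : ai === 26 ? 4 : 0;
    if (width === 0) throw new Error("unsupported CBOR length encoding");
    while (width-- > 0) n = n * 256 + bytes[pos++];
    return n;
  };
  const item = () => {
    const ib = bytes[pos++], major = ib >> 5, len = readLen(ib & 0x1f);
    switch (major) {
      case 0: return len;
      case 2: return bytes.subarray(pos, (pos += len));
      case 3: return utf8.decode(bytes.subarray(pos, (pos += len)));
      case 4: return Array.from({ length: len }, item);
      case 5: { const m = new Map(); for (let i = 0; i < len; i++) { const k = item(); m.set(k, item()); } return m; }
      default: throw new Error(`unsupported CBOR major type ${major}`);
    }
  };
  const value = item();
  if (pos !== bytes.length) throw new Error("trailing bytes after CBOR item");
  return value;
}

// Decode the attestationObject and classify the attestation. For "none" the
// attStmt must be an empty map; anything else means a certificate chain (real
// device or soft token) is still attached and needs full verification.
function parseAttestationObject(bytes) {
  const obj = decodeCbor(bytes);
  const fmt = obj.get("fmt"), attStmt = obj.get("attStmt"), authData = obj.get("authData");
  if (typeof fmt !== "string" || !(attStmt instanceof Map) || !(authData instanceof Uint8Array)) {
    throw new Error("malformed attestationObject");
  }
  if (authData.length < 37) throw new Error("authData too short"); // rpIdHash(32) + flags(1) + signCount(4)
  const signCount = ((authData[33] << 24) | (authData[34] << 16) | (authData[35] << 8) | authData[36]) >>> 0;
  return { fmt, anonymized: fmt === "none" && attStmt.size === 0, userPresent: (authData[32] & 0x01) !== 0, signCount };
}

// Constructed sample: {fmt: "none", attStmt: {}, authData: 37 bytes} with a
// dummy rpIdHash of 0x11 bytes, flags = UP, signCount = 7.
const SAMPLE_NONE = Uint8Array.from([
  0xa3,
  0x63, 0x66, 0x6d, 0x74, 0x64, 0x6e, 0x6f, 0x6e, 0x65,             // "fmt": "none"
  0x67, 0x61, 0x74, 0x74, 0x53, 0x74, 0x6d, 0x74, 0xa0,             // "attStmt": {}
  0x68, 0x61, 0x75, 0x74, 0x68, 0x44, 0x61, 0x74, 0x61, 0x58, 0x25, // "authData": bytes(37)
  ...new Array(32).fill(0x11), 0x01, 0x00, 0x00, 0x00, 0x07,
]);
```

A relying party that requested `attestation: "direct"` but receives `anonymized: true` should treat the credential as unattested rather than reject it outright, since a client may legitimately substitute "none".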
Reporter, Comment 1•7 years ago
Update: We don't want this to be something that is Private Browsing vs. not, as it could be used to ascertain whether or not PB is in use. Let's just add the feature, and we'll use it in Bug 1428916.
I'm assigning this to you, Tim, as I think designing the code move out of U2FSoftTokenManager (and into ... somewhere) is something you're closer to.
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Priority: P2 → P1
Summary: Web Authentication - Use "Self Attestation" certificates in Private Browsing mode → Web Authentication - Support replacing device certificates with "Self Attestation" certificates
Reporter, Comment 2•7 years ago
Oh: I don't think this needs a pref. I think it needs only the Conveyance in Bug 1428916 and some UX to come in a follow-on bug.
Reporter, Comment 3•7 years ago
Note for the implementor -- you should review https://github.com/w3c/webauthn/pull/741 and see if that's something we want to plan for / to do also, instead of just adjusting the u2f attestation type. (I think we can't, actually, for u2f devices, but I'm not certain of that!)
Reporter, Comment 4•7 years ago
Further thoughts: I think the code from the Soft Token should remain, to help testing. That way the "Firefox U2F Soft Token" attestation cert can be tested as being replaced by the "Firefox Web Authentication Anonymized Authenticator" (or whatever) certificate. See the test in https://reviewboard.mozilla.org/r/215002/diff/2#index_header
Comment 5•7 years ago
Assignee, Updated•7 years ago
Summary: Web Authentication - Support replacing device certificates with "Self Attestation" certificates → Web Authentication - Default to "None Attestation"
Updated•7 years ago
Attachment #8949346 - Attachment is obsolete: true
Comment 6•7 years ago
Comment 7•7 years ago
Comment on attachment 8949694 [details]
Bug 1416056 - Web Authentication - Default to "None Attestation" r=jcj
J.C. Jones [:jcj] has approved the revision.
https://phabricator.services.mozilla.com/D567
Attachment #8949694 - Flags: review+
Pushed by ttaubert@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a40174c2bf2c
Web Authentication - Default to "None Attestation" r=jcj
bugherder, Comment 9•7 years ago
Updated•7 years ago
status-firefox58: affected → ---