<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Feb 22, 2017, at 5:52 AM, Jacob Greenfield &lt;<a href="mailto:xales@naveria.com" class="">xales@naveria.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">I’m working on adding support to WebKit for FIDO U2F (JS API: <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html" class="">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html</a> Architecture overview: <a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html" class="">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-id-20160915.html</a> ). The FIDO U2F specification allows a secure second factor to be used during authentication flow, with bidirectional verification (token verifies server, server verifies token and token’s knowledge of a specific private key). There are current implementations in Chrome, Opera, and Blink (Firefox). I’m primarily interested in bringing support to Safari, so that is the focus of what I am currently working on.<br class=""></div></div></blockquote><div><br class=""></div></div><div class="">Hi Jacob, and welcome to WebKit.</div><div class=""><br class=""></div><div class="">I went looking for how to use the feature in Chrome and Firefox (I assume you meant Gecko (Firefox), not Blink (Firefox)). I’m a little confused as to how this feature is exposed in the other browsers.
On the topic of the low-level MessagePort API, section 3 states “This specification does not describe how such a port is made available to RP web pages, as this is (for now) implementation and browser dependent” (<a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#api-levels" class="">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#api-levels</a>). Similarly, for the high-level API, it states in section 3.2, “Implementations may choose how to make such an API available to RP web pages. If such an API is provided, it should provide a namespace object u2f of the following interface” (<a href="https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level-javascript-api" class="">https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level-javascript-api</a>).</div><div class=""><br class=""></div><div class="">Do you have insight into how either of these APIs is exposed in other browsers? How do you plan on exposing them in WebKit?</div><div class=""><br class=""></div><div class="">I should say, generally, I am concerned with APIs that leave important details like how the APIs are exposed to the implementation, as they lead to non-interoperable implementations.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">- Sam</div><div class=""><br class=""></div></body></html>