Here's demo which implements the basic part of the protocol, based on pow.xpi [1], rewritten in WebCrypto. "Computer" columns corresponds to the sidebar of about:debugging, which shows the available/connected devices. each device has "Connect", "Disconnect" buttons, and also "Forget A3" and "Alter A3" for debugging unexpected state. "Devices" columns shows each device's screen, which shows confirmation, PIN, and some messages. Most part of the protocol is implemented inside WiFiAuthClient.onConnect and WiFiAuthServer.connect, with comments for corresponding steps and some document, which are inside the first script which implements the protocol. the second script implements the UI/storage parts just for this demo. calculated parameters and transferred messages are shown in Web Console. The difference between the protocol and this implementation is: * this uses P-256, instead of P-192 (WebCrypto doesn't support P-192) * the calculation of (x, X, y, Y, Z) is done with WebCrypto's API (Elliptic-curve Diffie–Hellman), instead of raw operations written in the protocol * raw Y is sent instead of masked Y*, because I cannot find corresponding WebCrypto API (specifying non-default generator, creating ECDH public key from given private key) and also BigInt is not yet supported (bug 1366287). * added extra messages: * ServerHello for initiating the protocol from server-side, also telling protocol version and server's name * ServerMismatch/ClientMismatch/ServerMismatchReponse for PIN/A3 mismatch, to jump back to the top of the flow, keeping the same PIN or falling back to PIN from stored credential * ClientVerified for telling the client-side verification result to server, so that the server can start actual communication * ServerUnknownClient to fallback from stored cretendial to PIN, in case the server forget the client, to jump back to the top of the flow connection management, message passing, and device discovery are dummy implementations, to just to focus on the protocol. [1] https://github.com/franziskuskiefer/PoW/blob/master/web/pow.xpi

forgot to store CSS :P

> * raw Y is sent instead of masked Y*, because I cannot find corresponding > WebCrypto API (specifying non-default generator, creating ECDH public key > from given private key) and also BigInt is not yet supported (bug 1366287). to be clear, this is not guaranteed to be secure. I'll see if this step can be implemented in WebCrypto.

Moving major about:debugging ng work into milestone 1, leaving m0 for prior bugfix work.

From :birtles during triage: "If the NSS pieces are not in place in time, we might need to scope m4 to just getting the existing QR code piece working." (which is Bug 1478190)