- From: J.C. Jones <jc@mozilla.com>
- Date: Fri, 15 Jul 2016 13:48:10 -0700
- To: Vijay Bharadwaj <vijaybh@microsoft.com>
- Cc: W3C WebAuthn WG <public-webauthn@w3.org>
- Message-ID: <CAObDDPCuNjMPSBH1JL3N-mu5Zu4qxefTtL4Z93Pz_s-ia_jn3A@mail.gmail.com>
Vijay, This looks good to me (and I posted as such on the PR). Just for everyone's note, with this change we're defining SHA-256 as being a required algorithm for producing the digest of the RP ID for the lifetime of the spec. There's not an obvious clean way to provide crypto agility here without having compat issues. We should all be comfortable then with SHA2's collision resistance surviving for the life of the standard, or resign ourselves to compat issues moving credentials from one system to another. Cheers, J.C. On Thu, Jul 14, 2016 at 5:30 PM, Vijay Bharadwaj <vijaybh@microsoft.com> wrote: > Apologies, forgot to include the link: > https://github.com/w3c/webauthn/pull/144 > > > > > > *From:* Vijay Bharadwaj > *Sent:* Thursday, July 14, 2016 5:30 PM > *To:* W3C WebAuthn WG <public-webauthn@w3.org> > *Subject:* Please review: PR#144 on adding RP ID to signature format > > > > I mentioned this PR on the call yesterday – it adds the RP ID to the > signature format. Since the call, I’ve made another pass at the sections > and tightened up a few things in the wording. I also added the RP ID to the > ClientData since otherwise the RP has nothing to check the RP ID hash > against, and this is needed especially for makeCredential. > > > > Since I have been pushing commits to this over the course of the day, I > figured I’d let everyone know that I’m now done messing with it and it’s > ready for review. > > > > Please take a look at the PR and send feedback. Thanks! > > > > -- > > -Vijay >
Received on Friday, 15 July 2016 20:48:59 UTC