- From: Vijay Bharadwaj via GitHub <sysbot+gh@w3.org>
- Date: Wed, 02 Nov 2016 16:20:45 +0000
- To: public-webauthn@w3.org

The more I look at this the more I wonder if we're over-complicating things by keeping this homegrown identifier scheme. Building on what @equalsJeffH says in #123, it seems like there are currently four proposed ways of denoting algorithms currently floating around in the spec:

1. JWK identifier, in the current version of the packed attestation format for example - for RSA this captures padding mode and hashing algorithm.
2. WebCrypto algorithm type, in ScopedCredentialParameters. Can capture padding and hash depending on how specified.
3. This homegrown two-byte identifier. Captures neither padding nor hash.
4. The DER SubjectPublicKeyInfo @equalsJeffH suggested in a commit for #240. This captures padding but not hash.

None of the above captures key length. This seems to be really messy. I wonder if we could just standardize on one - say JWK since it's most concise and informative? - and use that everywhere.

Also, for the public key in the attestation, I wonder if we could just use a CBOR map of the JsonWebKey structure (using binary fields not DER encoding) and thus gain a lot of flexibility and future-proofing.

--
GitHub Notification of comment by vijaybh
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/239#issuecomment-257916409 using your GitHub account

Received on Wednesday, 2 November 2016 16:20:51 UTC