W3C home > Mailing lists > Public > public-webauthn@w3.org > October 2016

[webauthn] explicitly denote RSA signature scheme

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 27 Oct 2016 18:39:59 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-185748031-1477593596-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for 
https://github.com/w3c/webauthn:

== explicitly denote RSA signature scheme  ==
in the table in {#generating-an-attestation-statement}, the "Public 
key algorithm and encoding" row says in part:
```
  2. 0x0102. Raw encoded RSA PKCS1 or RSASSA-PSS public key...
```
Which seems to be saying: given a value of `0x0102` for "Public key 
algorithm and encoding", the conveyed credential public key is of type
 RSA, and the signature alg employed (for "authentication signatures")
 is either of type RSASSA-PKCS1-v1_5 or RSASSA-PSS. 

However, should not the RP validating an authentication signature with
 an RSA public key know beforehand with signature alg 
(RSASSA-PKCS1-v1_5 or RSASSA-PSS) was employed?  

Or, is there some standardized means to determine by inspection of a 
RSA signature value which algorithm was employed in generating the 
signature value?

If not, then we need to allocate two values for RSA "Public key 
algorithm and encoding" rather than just one, e.g.:
```
  2. 0x0102. RSA public key; signature algorithm: RSASSA-PSS with 
SHA-256 hash.
  3. 0x0104. RSA public key, signature algorithm: RSASSA-PKCS1-v1_5 
with SHA-256 hash.
```
( wrt these hex values: see also 
https://lists.w3.org/Archives/Public/public-webauthn/2016Oct/0110.html
 ;
wrt other related aspects of this, see: PR #235 & issue #94, as well 
as #238 , #233 , #123 ) 

Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/239 using your GitHub account
Received on Thursday, 27 October 2016 18:40:05 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:23 UTC