- From: =JeffH via GitHub <sysbot+gh@w3.org>
- Date: Thu, 27 Oct 2016 18:39:59 +0000
- To: public-webauthn@w3.org
equalsJeffH has just created a new issue for
https://github.com/w3c/webauthn:
== explicitly denote RSA signature scheme ==
in the table in {#generating-an-attestation-statement}, the "Public
key algorithm and encoding" row says in part:
```
2. 0x0102. Raw encoded RSA PKCS1 or RSASSA-PSS public key...
```
Which seems to be saying: given a value of `0x0102` for "Public key
algorithm and encoding", the conveyed credential public key is of type
RSA, and the signature alg employed (for "authentication signatures")
is either of type RSASSA-PKCS1-v1_5 or RSASSA-PSS.
However, should not the RP validating an authentication signature with
an RSA public key know beforehand which signature alg
(RSASSA-PKCS1-v1_5 or RSASSA-PSS) was employed?
Or, is there some standardized means to determine by inspection of an
RSA signature value which algorithm was employed in generating the
signature value?
If not, then we need to allocate two values for RSA "Public key
algorithm and encoding" rather than just one, e.g.:
```
2. 0x0102. RSA public key; signature algorithm: RSASSA-PSS with
SHA-256 hash.
3. 0x0104. RSA public key, signature algorithm: RSASSA-PKCS1-v1_5
with SHA-256 hash.
```
(wrt these hex values: see also
https://lists.w3.org/Archives/Public/public-webauthn/2016Oct/0110.html;
wrt other related aspects of this, see: PR #235 & issue #94, as well
as #238, #233, #123)
Please view or discuss this issue at
https://github.com/w3c/webauthn/issues/239 using your GitHub account
Received on Thursday, 27 October 2016 18:40:05 UTC
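
Added illustration, not part of the original message or of the WebAuthn specification: a relying-party style verifier that selects the RSA signature scheme from an explicit identifier, showing that a signature made under one scheme fails under the other even with the same key. Assumptions: the identifiers 0x0102 and 0x0104 are the values proposed in the issue above, the key is a constructed, insecure demo key built from two Mersenne primes, the PSS salt is 32 bytes, and all function names are hypothetical.

```python
import hashlib, os

# Constructed demo key from two Mersenne primes: NOT secure, offline demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes (141)
PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo

def H(b):
    return hashlib.sha256(b).digest()

def mgf1(seed, n):
    return b"".join(H(seed + i.to_bytes(4, "big")) for i in range(n // 32 + 1))[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rsa(data, exp):
    return pow(int.from_bytes(data, "big"), exp, N).to_bytes(K, "big")

def em_pkcs1(msg):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo
    t = PREFIX + H(msg)
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign_pkcs1(msg):
    return rsa(em_pkcs1(msg), D)

def sign_pss(msg):  # EMSA-PSS: maskedDB || H || BC, 32-byte salt
    salt = os.urandom(32)
    h = H(b"\x00" * 8 + H(msg) + salt)
    db = bytearray(xor(b"\x00" * (K - 66) + b"\x01" + salt, mgf1(h, K - 33)))
    db[0] &= 0x7F  # clear the top bit so the encoded message is below N
    return rsa(bytes(db) + h + b"\xbc", D)

def verify(alg_id, msg, sig):  # verify under exactly the scheme alg_id names
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        return False
    em = rsa(sig, E)
    if alg_id == 0x0104:  # issue's proposed value: RSASSA-PKCS1-v1_5, SHA-256
        return em == em_pkcs1(msg)
    if alg_id == 0x0102:  # issue's proposed value: RSASSA-PSS, SHA-256
        if em[-1] != 0xBC or em[0] & 0x80:
            return False
        h = em[-33:-1]
        db = bytearray(xor(em[:-33], mgf1(h, K - 33)))
        db[0] &= 0x7F
        pad_ok = bytes(db[:-32]) == b"\x00" * (K - 66) + b"\x01"
        return pad_ok and h == H(b"\x00" * 8 + H(msg) + bytes(db[-32:]))
    raise ValueError("unknown public key algorithm identifier")
```

The verifier raises on an unrecognised identifier instead of trying each scheme in turn, so the scheme is always fixed by the registered credential data and never by the signature being checked.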