RE: Comments to WD-01

Hi,



Just a small comment on one of the points raised:

* 4.1.1 step #4: do we define any mandatory-to-implement algorithms or credential types? It's hard to get interoperability if we don't.

> I believe the goal was to wait for initial implementations, and then assess the state of algorithm support. Only one credential type is supported for now, so that one is okay.

I see a possible problem with this approach: when thinking, e.g., about FIDO, we are talking about authenticators that have a pretty hard time being very crypto-agile (because one, e.g., can't easily find a certified secure controller that supports very modern algorithms like SHA-3) and achieving high security (platform based on secure element). In the WD there is already a list of mandatory algorithms (server side) for the attestation; should we maybe do the same for the credential?

Andreas

Received on Friday, 16 September 2016 13:54:04 UTC