Re: [webauthn] Spec should not mandate behavior of server

The latest spec does seem to have language about what's expected 
algorithmically, such as [verifying an 
assertion]( and 
(Although not validating an [attestation 
statment]( This 
seems to be comparable to what was noted as `Section 4.3.3` above.

The former language of `Section 4.3.1` and `Section` 
specified what crypto and attestation formats a server would need to 
support. This becomes a interoperability issue. For example, if 
authenticators implement either ECDSA or RSA and servers support 
either ECDSA or RSA there is some set of servers and authenticators 
that simply will not work together because they don't support the same
 cipher suites.

It would be nice if W3C made some recommendations to get ahead of 
interoperability issues.

GitHub Notification of comment by apowers313
Please view or discuss this issue at using
 your GitHub account

Received on Tuesday, 14 February 2017 21:23:09 UTC