W3C home > Mailing lists > Public > public-webauthn@w3.org > February 2017

Re: [webauthn] Spec should not mandate behavior of server

From: Adam Powers via GitHub <sysbot+gh@w3.org>
Date: Tue, 14 Feb 2017 21:23:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-279840117-1487107381-sysbot+gh@w3.org>
The latest spec does seem to have language about what's expected 
algorithmically, such as [verifying an 
assertion](https://w3c.github.io/webauthn/#verifying-assertion) and 
[verifying 
attestation](https://w3c.github.io/webauthn/#packed-attestation). 
(Although not validating an [attestation 
statment](https://w3c.github.io/webauthn/#attestation-formats)). This 
seems to be comparable to what was noted as `Section 4.3.3` above.

The former language of `Section 4.3.1` and `Section 4.3.2.1.2` 
specified what crypto and attestation formats a server would need to 
support. This becomes a interoperability issue. For example, if 
authenticators implement either ECDSA or RSA and servers support 
either ECDSA or RSA there is some set of servers and authenticators 
that simply will not work together because they don't support the same
 cipher suites.

It would be nice if W3C made some recommendations to get ahead of 
interoperability issues.

-- 
GitHub Notification of comment by apowers313
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/88#issuecomment-279840117 using
 your GitHub account
Received on Tuesday, 14 February 2017 21:23:09 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:58:33 UTC