- From: Adam Powers via GitHub <sysbot+gh@w3.org>
- Date: Tue, 14 Feb 2017 21:23:03 +0000
- To: public-webauthn@w3.org
The latest spec does seem to have language about what's expected algorithmically, such as [verifying an assertion](https://w3c.github.io/webauthn/#verifying-assertion) and [verifying attestation](https://w3c.github.io/webauthn/#packed-attestation). (Although not validating an [attestation statement](https://w3c.github.io/webauthn/#attestation-formats).) This seems to be comparable to what was noted as `Section 4.3.3` above. The former language of `Section 4.3.1` and `Section 4.3.2.1.2` specified what crypto and attestation formats a server would need to support. This becomes an interoperability issue. For example, if authenticators implement either ECDSA or RSA and servers support either ECDSA or RSA, there is some set of servers and authenticators that simply will not work together because they don't support the same cipher suites. It would be nice if W3C made some recommendations to get ahead of interoperability issues.

--
GitHub Notification of comment by apowers313
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/88#issuecomment-279840117 using your GitHub account
Received on Tuesday, 14 February 2017 21:23:09 UTC