Re: [webauthn] Exception handling in cryptoParameters processing needs to be clarified

Yes. To be more complete, the intention is:
- Algorithms need not be specified by the RP, if it is happy to deal
with the default settings of clients and maybe break in unusual cases.
So if no crypto parameters are specified, things should still just
work.
- However, if an RP specifies algorithms, then it clearly cares about 
which algorithms it gets. In this case the client should try not to 
return something that does not fit the RP's specified parameters.

So, when processing algorithms in the case that the RP has actually 
specified some:
- If normalizing an algorithm fails, just ignore it and go to the next
one. There will be new algorithms over time so it is not that
unlikely there will be an algorithm the client does not understand.
- If none of the algorithms could be normalized, then we have zero 
intersection between what the RP wants and the client can do. In this 
case we should fail. Otherwise, the client should just use one of the 
algorithms it understands.

Of course we still have issue #267 to clean up this text, but I'm sure
the wording can be improved further. Any suggestions or pointers
would be welcome.

-- 
GitHub Notification of comment by vijaybh
Please view or discuss this issue at 
https://github.com/w3c/webauthn/issues/264#issuecomment-284449429 
using your GitHub account

Received on Monday, 6 March 2017 16:27:41 UTC
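
The selection rules described in the comment above, as an added example that is not part of the original message or the WebAuthn specification text. The algorithm table, `normalizeAlgorithm`, `selectCryptoParameters` and `NoUsableAlgorithmError` are hypothetical names; treating an empty list as "not specified" and picking the first usable entry in RP order are assumptions.

```javascript
// Added illustration. All names here are hypothetical, not from the spec text.
// Constructed table of algorithms this imaginary client understands.
const CLIENT_ALGORITHMS = new Map([
  ["ES256", { name: "ES256", kind: "ECDSA P-256 / SHA-256" }],
  ["RS256", { name: "RS256", kind: "RSASSA-PKCS1-v1_5 / SHA-256" }],
]);
const CLIENT_DEFAULT = CLIENT_ALGORITHMS.get("ES256");

class NoUsableAlgorithmError extends Error {}

// Stand-in for "normalizing an algorithm": throws on anything unknown.
function normalizeAlgorithm(algorithm) {
  const name = typeof algorithm === "string" ? algorithm : algorithm?.name;
  const known = CLIENT_ALGORITHMS.get(name);
  if (!known) throw new TypeError(`cannot normalize: ${String(name)}`);
  return known;
}

function selectCryptoParameters(cryptoParameters) {
  // RP expressed no preference: the client's default applies.
  // Assumption: an empty list counts as "not specified".
  if (cryptoParameters == null || cryptoParameters.length === 0) {
    return { source: "client-default", algorithm: CLIENT_DEFAULT, skipped: [] };
  }
  const skipped = [];
  for (const param of cryptoParameters) {
    try {
      // Assumption: take the first entry that normalizes, in RP order.
      const algorithm = normalizeAlgorithm(param?.algorithm);
      return { source: "rp", algorithm, skipped };
    } catch (err) {
      // Unknown or malformed entry: ignore it and try the next one.
      skipped.push(param?.algorithm);
    }
  }
  // Zero intersection: fail instead of silently using the client default.
  throw new NoUsableAlgorithmError(
    `none of ${cryptoParameters.length} requested algorithms is supported`
  );
}
```

The final `throw` is the security-relevant branch: once the RP has listed algorithms, the client never falls back to a default the RP did not ask for.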