Re: [webauthn] Specify the set of hash algorithms UAs can select between. from Samuel Weiler via GitHub on 2017-05-19 (public-webauthn@w3.org from May 2017)

From: Samuel Weiler via GitHub <sysbot+gh@w3.org>
Date: Fri, 19 May 2017 01:33:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-302585036-1495157626-sysbot+gh@w3.org>

In general, it's useful to have a story re: algorithm agility, and that goes far beyond "just parameterize them".  That story needs to include specific instructions for what to do when a new, previously unknown algorithm appears and when no known algorithms appear.  Ideally, it would address downgrade attacks.  

[RFC7696](https://tools.ietf.org/html/rfc7696#section-2.4) (Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms) is relevant, though it's really not a great reference.  I'll see if I can find something better.

-- 
GitHub Notification of comment by samuelweiler
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/362#issuecomment-302585036 using your GitHub account

Received on Friday, 19 May 2017 01:33:54 UTC