
Re: [webauthn] Specify the set of hash algorithms UAs can select between.

From: Samuel Weiler via GitHub <sysbot+gh@w3.org>
Date: Fri, 19 May 2017 01:33:47 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-302585036-1495157626-sysbot+gh@w3.org>

In general, it's useful to have a story re: algorithm agility, and that goes far beyond "just parameterize them". That story needs to include specific instructions for what to do when a new, previously unknown algorithm appears and when no known algorithms appear. Ideally, it would address downgrade attacks.

[RFC7696](https://tools.ietf.org/html/rfc7696#section-2.4) (Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms) is relevant, though it's really not a great reference.  I'll see if I can find something better.

-- 
GitHub Notification of comment by samuelweiler
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/362#issuecomment-302585036 using your GitHub account
Received on Friday, 19 May 2017 01:33:54 UTC
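
The three cases the comment names (a previously unknown algorithm in the offer, no known algorithm at all, and downgrade) are worked through below as an added example; it is not code from the message or from the WebAuthn specification. The algorithm table, the function names, the `SHA3-512-FUTURE` identifier used when calling it, and the HMAC standing in for whatever signature would cover the negotiation are all assumptions.

```python
# Added example: hypothetical negotiation logic, not taken from the WebAuthn specification.
import hashlib
import hmac
import json

# Hashes this implementation knows. ok=False: recognised but no longer acceptable.
KNOWN = {
    "SHA-512": {"hashlib": "sha512", "ok": True},
    "SHA-256": {"hashlib": "sha256", "ok": True},
    "SHA-1": {"hashlib": "sha1", "ok": False},
}


class NoAcceptableAlgorithm(Exception):
    """Raised instead of silently falling back to a default."""


def select_hash(offered):
    """Client side: first acceptable entry in the server's preference order.

    Unknown identifiers are skipped rather than rejected, so a server can list
    a newer algorithm first without breaking older clients.
    """
    for name in offered:
        entry = KNOWN.get(name)
        if entry and entry["ok"]:
            return name
    raise NoAcceptableAlgorithm(f"nothing usable in offer {offered!r}")


def bind(key, offered, chosen, payload):
    """MAC the offer as seen, the choice and the payload together (assumed key)."""
    transcript = json.dumps({"offered": list(offered), "chosen": chosen}).encode()
    return hmac.new(key, transcript + payload, KNOWN[chosen]["hashlib"]).digest()


def server_accepts(key, sent_offer, chosen, payload, tag):
    """Server side: recompute over the offer it actually sent, so a trimmed
    or reordered offer seen by the client produces a mismatching tag."""
    entry = KNOWN.get(chosen)
    if not entry or not entry["ok"] or chosen not in sent_offer:
        return False
    return hmac.compare_digest(bind(key, sent_offer, chosen, payload), tag)
```

With the offer `["SHA3-512-FUTURE", "SHA-512", "SHA-256"]` the client skips the first entry and selects `SHA-512`; if the client instead saw only `["SHA-256"]`, its tag fails the server's check because the server recomputes over the full list.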
