Re: [webauthn] Specify the set of hash algorithms UAs can select between.

In general, it's useful to have a story re: algorithm agility, and that goes far beyond "just parameterize them".  That story needs to include specific instructions for what to do when a new, previously unknown algorithm appears and when no known algorithms appear.  Ideally, it would address downgrade attacks.  

[RFC7696]( (Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms) is relevant, though it's really not a great reference.  I'll see if I can find something better.

GitHub Notification of comment by samuelweiler
Please view or discuss this issue at using your GitHub account

Received on Friday, 19 May 2017 01:33:54 UTC