[webauthn] Key types and algorithms are confusing from balfanz via GitHub on 2017-09-08 (public-webauthn@w3.org from September 2017)

From: balfanz via GitHub <sysbot+gh@w3.org>
Date: Fri, 08 Sep 2017 16:45:57 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-256310973-1504889148-sysbot+gh@w3.org>

balfanz has just created a new issue for https://github.com/w3c/webauthn:

== Key types and algorithms are confusing ==
We use the [CoseAlgorithmIdentifier](https://github.com/w3c/webauthn/blob/14c2733ca6a4a9568e4c48fef1b870448818e811/index.bs#L1449) throughout the doc for different purposes: sometimes to denote a type of key, sometimes to denote a signature algorithm.

For example, when [describing an attestation statement](https://github.com/w3c/webauthn/blob/14c2733ca6a4a9568e4c48fef1b870448818e811/index.bs#L2317), we use it to describe the algorithm used to generate the attestation signature. When generating new keys, we use it to [specify the type of keys](https://github.com/w3c/webauthn/blob/14c2733ca6a4a9568e4c48fef1b870448818e811/index.bs#L1082) the caller wants to generate.

There are two problems with the latter use of CoseAlgorithmIdentifier:

1. It appears to limit the use of a key to a specific signature algorithm. We shouldn't do that.

2. It underspecifies the key, for example by not mentioning the elliptic curve being used, or the size of the RSA exponent. 

We should fix this. Let's mention key types where key types are required, and signature algorithms where signature algorithms are required. I would also recommend that we use web-friendly nomenclature in parameters (i.e., [JWA names](https://tools.ietf.org/html/rfc7518)), and COSE-based "names" (integers) only in binary encodings (like attestation statements, authenticator data, etc.)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/547 using your GitHub account

Received on Friday, 8 September 2017 16:45:51 UTC