[webauthn] Recommend that RPs store the signature algorithm?

subyraman has just created a new issue for https://github.com/w3c/webauthn:

== Recommend that RPs store the signature algorithm? ==
Hello all! The spec indicates that during registration RPs [should store the public key and credential ID](https://www.w3.org/TR/webauthn/#registering-a-new-credential). Later it says that during authentication the RP [should verify](https://www.w3.org/TR/webauthn/#verifying-assertion) that the authenticator produced a valid signature using the public key.

It seems to me like the RP should *also* store the signature algorithm (`credentialPublicKey.alg`) during registration in order to know how to properly verify assertion signatures, since the algorithm is not provided in the `PublicKeyCredential` object received during authentication.

Does that seem correct? 

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/926 using your GitHub account

Received on Thursday, 31 May 2018 21:16:02 UTC
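
The approach proposed in the issue above, sketched as an added example that is not part of the original message or of the WebAuthn spec: at registration the RP reads `alg` (label 3) out of the CBOR-encoded `credentialPublicKey` and stores it with the key, then at authentication selects the verification scheme from the stored record. The function names, the dict-based store and the sample key bytes are assumptions made for illustration, and the signature check itself is left to a crypto library.

```python
import hashlib

# COSE algorithm identifiers (IANA registry) -> scheme and hash used to verify.
COSE_ALGS = {-7: ("ECDSA", "sha256"), -257: ("RSASSA-PKCS1-v1_5", "sha256")}
# Constructed sample: COSE_Key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}
SAMPLE_COSE_KEY = (bytes.fromhex("a5010203262001215820") + b"\x11" * 32
                   + bytes.fromhex("225820") + b"\x22" * 32)

def _cbor_item(buf, pos):
    """Decode one CBOR item; covers only the types a COSE_Key uses."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:                              # unsigned int
        return arg, pos
    if major == 1:                              # negative int
        return -1 - arg, pos
    if major == 2 and pos + arg <= len(buf):    # byte string
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:                              # map
        out = {}
        for _ in range(arg):
            key, pos = _cbor_item(buf, pos)
            out[key], pos = _cbor_item(buf, pos)
        return out, pos
    raise ValueError("unsupported or truncated CBOR item")

def register(store, credential_id, cose_key_bytes):
    """Registration: store the key together with its alg (COSE_Key label 3)."""
    key, end = _cbor_item(cose_key_bytes, 0)
    if not isinstance(key, dict) or end != len(cose_key_bytes):
        raise ValueError("credentialPublicKey is not a single CBOR map")
    alg = key.get(3)
    if alg not in COSE_ALGS:
        raise ValueError(f"missing or unsupported alg: {alg!r}")
    store[credential_id] = {"cose_key": cose_key_bytes, "alg": alg}

def assertion_inputs(store, credential_id, authenticator_data, client_data_json):
    """Authentication: the assertion names no alg, so use the stored one."""
    scheme, digest = COSE_ALGS[store[credential_id]["alg"]]
    # WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return scheme, digest, signed
```

Rejecting a missing or unlisted `alg` at registration keeps the RP from ever having to guess a verification scheme later.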