W3C home > Mailing lists > Public > public-webauthn@w3.org > April 2019

[webauthn] Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) (#1196)

From: yanosz via GitHub <sysbot+gh@w3.org>
Date: Tue, 02 Apr 2019 14:45:22 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-428270949-1554216305-sysbot+gh@w3.org>
yanosz has just created a new issue for https://github.com/w3c/webauthn:

== Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) ==
Hello folks, 

researching webauthn and reading https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet I've few questions in my mind, I have not found an answer, yet. I hope, that this is an appropriate way to reach out:

* Is there any statement in the Webauthn-Community answering PIE's concerns regarding the cryptographic protocols? I know https://www.noknok.com/blog-post/nok-nok-labs-addresses-potential-webauthn-protocol-security-concerns/, but this doesn't address the cryptographic details
* From my impression, selecting certain algorithms can avoid PKCS1 v1.5 padding. The COSE-registry has a lot of different algorithms. I'm not that into the COSE's terminology, but some algorithms appear to be purely symmetric and cannot be used in conjunction with webauthn.
  * Is that correct?
  * https://webauthndemo.appspot.com/ supports -7, -35, -36,  -37, -38, -39, -257, -258, -259, including variants with PKCS 1 v1.5. Do you know there reasons? 1 - as required by https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#other is not among, them.
  * Is there a best-practice for algorithm-selection, when using webauthn in web apps? 

I'd be cool to find an answer to these questions. I'm still stumbling.

Thanks, in advance,
yanosz

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1196 using your GitHub account
Received on Tuesday, 2 April 2019 14:45:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:59:03 UTC