[webauthn] Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) (#1196)

yanosz has just created a new issue for https://github.com/w3c/webauthn:

== Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) ==
Hello folks, 

researching webauthn and reading https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet I've few questions in my mind, I have not found an answer, yet. I hope, that this is an appropriate way to reach out:

* Is there any statement in the Webauthn-Community answering PIE's concerns regarding the cryptographic protocols? I know https://www.noknok.com/blog-post/nok-nok-labs-addresses-potential-webauthn-protocol-security-concerns/, but this doesn't address the cryptographic details
* From my impression, selecting certain algorithms can avoid PKCS1 v1.5 padding. The COSE-registry has a lot of different algorithms. I'm not that into the COSE's terminology, but some algorithms appear to be purely symmetric and cannot be used in conjunction with webauthn.
  * Is that correct?
  * https://webauthndemo.appspot.com/ supports -7, -35, -36,  -37, -38, -39, -257, -258, -259, including variants with PKCS 1 v1.5. Do you know there reasons? 1 - as required by https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#other is not among, them.
  * Is there a best-practice for algorithm-selection, when using webauthn in web apps? 

I'd be cool to find an answer to these questions. I'm still stumbling.

Thanks, in advance,

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1196 using your GitHub account

Received on Tuesday, 2 April 2019 14:45:24 UTC