[webauthn] Remove ECDAA? (#1410)

bdewater has just created a new issue for https://github.com/w3c/webauthn:

== Remove ECDAA? ==
I was wondering if anything had changed since the PIE blog from August 2018 ([Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)](https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet)), which also mentions nobody had implemented ECDAA yet so there was time to fix things. 

Unless something's happening in FIDO-land that mere mortals like me are not privy to, [FIDO ECDAA Algorithm from July 2018](https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-ecdaa-algorithm-v2.0-rd-20180702.html) predates the concerns raised in the blog post, so nothing seems addressed.

Unless I'm mistaken, "nobody implemented it" is still the case as well:
- I scanned the Chromium and Firefox sources and couldn't find support
- nothing in the MDS either
- the only public discussion seemed to have been https://github.com/w3c/webauthn/issues/1196 and nothing on the fido-dev mailing list

Given the recent removal of unimplemented extensions, should ECDAA also be removed?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1410 using your GitHub account

Received on Tuesday, 28 April 2020 20:53:24 UTC