Re: [webauthn] Provide the public key in `AuthenticatorAttestationResponse` (#1363)

wrt @emlun 
> `getPublicKeyJwk()` should probably be `[SameObject] readonly attribute CryptoKey publicKey;` instead

hm, in looking at [`CryptoKey`](https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey) and [`Crypto`](https://developer.mozilla.org/en-US/docs/Web/API/Crypto) and [`Crypto.subtle`](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/Subtle), I'm not sure we'd want to necessarily do that because in having declared "none" attestation ostensibly the RP is implicitly declaring that they are not going to be doing attestation signature verification and only need the `publicKey` and associated data as user account metadata. In contrast, if we return a `CryptoKey` object, that implies use of that and the other WebCrypto interfaces' methods to do various crypto operations using the key, but the RP ostensibly isn't going to be doing such with that `publicKey` (at least not in their client-side JS?).

Maybe just returning the `publicKey` as a [JWK](https://tools.ietf.org/html/rfc7517) "blob" is sufficient, otherwise, if returned as `CryptoKey` object then the RP will just call `publicKey.export("jwk")` anyway?

[ Also, I suspect we would need to look closely at the various involved specs to ascertain whether the various crypto algs (and parameters thereof) WebAuthn uses ([IANA-COSE-ALGS-REG](https://www.w3.org/TR/webauthn-2/#biblio-iana-cose-algs-reg)) and [JWK's](https://www.rfc-editor.org/rfc/rfc7518.html) and those that [WebCrypto](https://www.w3.org/TR/WebCryptoAPI/) supports are congruent. Not a big task but necessary due diligence IIUC. ]

-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1363#issuecomment-577846916 using your GitHub account

Received on Thursday, 23 January 2020 19:53:18 UTC
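The COSE-to-JWK congruence question raised in the comment above, illustrated with an added example that is not from the thread or from the WebAuthn spec: the conversion an RP currently has to do itself, turning the COSE_Key found in authenticator data into the JWK "blob" the proposal would hand it directly. It assumes Node.js `Buffer`, RFC 8152 COSE_Key labels, and a constructed sample key; only P-256 EC2 and RSA keys are mapped, so an OKP/EdDSA key (no WebCrypto counterpart at the time of the thread) is rejected rather than guessed at.

```javascript
// Added example (not from the thread): convert a WebAuthn COSE_Key into a JWK.
// Assumes Node.js Buffers and RFC 8152 COSE_Key labels; sample key is constructed.
const COSE = { kty: 1, alg: 3, crv: -1, x: -2, y: -3, n: -1, e: -2 };
const COSE_ALG_TO_JWK = { [-7]: 'ES256', [-257]: 'RS256' };

// Minimal CBOR decoder for the subset a COSE_Key needs: ints, byte strings, maps.
function decodeCbor(buf, pos = 0) {
  const major = buf[pos] >> 5, ai = buf[pos] & 0x1f;
  let val, p = pos + 1;
  if (ai < 24) val = ai;
  else if (ai === 24) { val = buf[p]; p += 1; }
  else if (ai === 25) { val = buf.readUInt16BE(p); p += 2; }
  else throw new Error('unsupported CBOR length encoding');
  switch (major) {
    case 0: return [val, p];                            // unsigned int
    case 1: return [-1 - val, p];                       // negative int
    case 2: return [buf.subarray(p, p + val), p + val]; // byte string
    case 5: {                                           // map
      const m = new Map();
      for (let i = 0; i < val; i++) {
        const [k, p1] = decodeCbor(buf, p);
        const [v, p2] = decodeCbor(buf, p1);
        m.set(k, v); p = p2;
      }
      return [m, p];
    }
    default: throw new Error('unsupported CBOR major type ' + major);
  }
}

// JWK uses unpadded base64url for all binary key parameters.
const b64url = (b) => Buffer.from(b).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function coseKeyToJwk(bytes) {
  const [key, end] = decodeCbor(bytes);
  if (end !== bytes.length) throw new Error('trailing bytes after COSE_Key');
  const alg = COSE_ALG_TO_JWK[key.get(COSE.alg)];
  if (!alg) throw new Error('COSE alg has no JWK/WebCrypto counterpart here: ' + key.get(COSE.alg));
  switch (key.get(COSE.kty)) {
    case 2: // EC2; only P-256 (crv 1) is mapped in this example
      if (key.get(COSE.crv) !== 1) throw new Error('unsupported curve');
      return { kty: 'EC', crv: 'P-256', alg, x: b64url(key.get(COSE.x)), y: b64url(key.get(COSE.y)) };
    case 3: // RSA
      return { kty: 'RSA', alg, n: b64url(key.get(COSE.n)), e: b64url(key.get(COSE.e)) };
    default: throw new Error('unsupported COSE kty (OKP/EdDSA not mapped)');
  }
}

// Constructed sample: CBOR map {1:2, 3:-7, -1:1, -2:x, -3:y} with dummy 32-byte coordinates.
const SAMPLE_X = Buffer.alloc(32, 1), SAMPLE_Y = Buffer.alloc(32, 2);
const SAMPLE_COSE_KEY = Buffer.concat([
  Buffer.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20]), SAMPLE_X,
  Buffer.from([0x22, 0x58, 0x20]), SAMPLE_Y,
]);
```

The resulting object can be passed straight to `crypto.subtle.importKey("jwk", ...)` if the RP does want a `CryptoKey`, which is the round trip the comment expects either way.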