Re: [webauthn] Unclear whether compressed curve points need to be supported by RPs (#1447)

As noted, we decided to prohibit compressed points rather than explicitly support them. Uncompressed points are the norm so we can, at most, add to that baseline. Since there's no utility in saving a small number of bytes in this context, we've chosen to eliminate the option instead. (In practice, even if we technically required support for compressed points, support would be threadbare and they would not be practically usable anyway.)

As for calling out point validation: there are lots of checks needed during signature validation and we don't want to reproduce every signature algorithm specification in WebAuthn. However, having skimmed over the two ECDSA references, I admit that point validation is not highlighted in them, so I'll put that in too. (Although, if an attacker can substitute a public key during registration, there are larger problems. So it's just to catch errors in the authenticator.)

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1447#issuecomment-653092969 using your GitHub account

Received on Thursday, 2 July 2020 16:01:01 UTC
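The checks the comment above alludes to, as an added example that is not part of the original thread, the WebAuthn specification, or any RP library: a relying party receiving a P-256 credential public key rejects compressed encodings outright (the COSE form where y is a boolean sign bit, and the SEC1 0x02/0x03 form), then validates that the coordinates are in range and that the point actually lies on the curve, which is the "catch errors in the authenticator" check rather than a defence against a substituted key. The P-256 domain parameters are the published NIST values; the generator point is used only as a constructed known-good key, and the function and exception names are this example's own.

```python
"""Public-key validation for a WebAuthn RP receiving a P-256 (COSE alg ES256) key.

Added illustration only; not code from the WebAuthn spec or any RP library.
"""
from typing import Union

# NIST P-256 (secp256r1): y^2 = x^3 + a*x + b over GF(p), cofactor 1.
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
COORD_LEN = 32

# The curve's generator, used below purely as a constructed "known good" key.
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


class InvalidPublicKey(ValueError):
    """Raised for any key an RP should refuse at registration time."""


def validate_cose_ec2_p256(x: bytes, y: Union[bytes, bool]) -> tuple[int, int]:
    """Validate the x (-2) and y (-3) members of a COSE EC2 key for P-256.

    COSE permits y to be a boolean (the compressed form, carrying only the
    sign of y). WebAuthn RPs are not required to support it, so it is
    rejected rather than decompressed.
    """
    if isinstance(y, bool):
        raise InvalidPublicKey("compressed point (y given as a sign bit) is not supported")
    if len(x) != COORD_LEN or len(y) != COORD_LEN:
        raise InvalidPublicKey("P-256 coordinates must be exactly 32 bytes each")
    xi = int.from_bytes(x, "big")
    yi = int.from_bytes(y, "big")
    # Both coordinates must be field elements; values >= p are malformed.
    if xi >= P256_P or yi >= P256_P:
        raise InvalidPublicKey("coordinate is not reduced modulo p")
    # On-curve check: y^2 == x^3 + a*x + b (mod p). Because P-256 has prime
    # order (cofactor 1), a point on the curve is automatically in the
    # correct subgroup, and the affine encoding cannot express infinity,
    # so no further group-membership test is needed here.
    lhs = (yi * yi) % P256_P
    rhs = (pow(xi, 3, P256_P) + P256_A * xi + P256_B) % P256_P
    if lhs != rhs:
        raise InvalidPublicKey("point is not on P-256")
    return xi, yi


def validate_sec1_uncompressed_p256(point: bytes) -> tuple[int, int]:
    """Validate a SEC1-encoded point, accepting only 0x04 || X || Y."""
    if len(point) == 1 + COORD_LEN and point[0] in (0x02, 0x03):
        raise InvalidPublicKey("SEC1 compressed point is not supported")
    if len(point) != 1 + 2 * COORD_LEN or point[0] != 0x04:
        raise InvalidPublicKey("expected 65-byte uncompressed SEC1 point")
    return validate_cose_ec2_p256(point[1:1 + COORD_LEN], point[1 + COORD_LEN:])


# Boolean wrappers so callers (and tests) can check acceptance without
# catching exceptions.
def is_valid_cose_ec2_p256(x: bytes, y: Union[bytes, bool]) -> bool:
    try:
        validate_cose_ec2_p256(x, y)
        return True
    except InvalidPublicKey:
        return False


def is_valid_sec1_uncompressed_p256(point: bytes) -> bool:
    try:
        validate_sec1_uncompressed_p256(point)
        return True
    except InvalidPublicKey:
        return False


if __name__ == "__main__":
    gx = P256_GX.to_bytes(COORD_LEN, "big")
    gy = P256_GY.to_bytes(COORD_LEN, "big")
    print("generator, uncompressed:", is_valid_cose_ec2_p256(gx, gy))
    print("generator, compressed y:", is_valid_cose_ec2_p256(gx, True))
    print("generator, y+1 (off curve):",
          is_valid_cose_ec2_p256(gx, (P256_GY + 1).to_bytes(COORD_LEN, "big")))
```

The off-curve case is constructed by adding one to the generator's y coordinate: (y+1)^2 differs from y^2 unless 2y+1 is zero mod p, which is not the case for G, so the altered point cannot satisfy the curve equation. In a real RP this validation runs once at registration, before the key is stored, and again on any key material that is re-parsed from storage.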