W3C home > Mailing lists > Public > public-webauthn@w3.org > July 2020

Re: [webauthn] Unclear whether compressed curve points need to be supported by RPs (#1447)

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Thu, 02 Jul 2020 16:00:59 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-653092969-1593705658-sysbot+gh@w3.org>
As noted, we decided to prohibit compressed points rather than explicitly support them. Uncompressed points are the norm so we can, at most, add to that baseline. Since there's no utility in saving a small number of bytes in this context, we've chosen to eliminate the option instead. (In practice, even if we technically required support for compressed points, support would be threadbare and they would not be practically usable anyway.)

As for calling out point validation: there are lots of checks needed during signature validation and we don't want to reproduce every signature algorithm specification in WebAuthn. However, having skimmed over the two ECDSA references, I admit that point validation is not highlighted in them, so I'll put that in too. (Although, if an attacker can substitute a public key during registration, there are larger problems. So it's just to catch errors in the authenticator.)

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1447#issuecomment-653092969 using your GitHub account
Received on Thursday, 2 July 2020 16:01:01 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 July 2020 16:01:01 UTC