[w3c/webauthn] 73fb44: Specify more about COSE algorithms.

From: Adam Langley <noreply@github.com>
Date: Wed, 03 Jun 2020 12:14:58 -0700
To: public-webauthn@w3.org
Message-ID: <w3c/webauthn/push/refs/heads/master/7f541a-b463fc@github.com>
  Branch: refs/heads/master
  Home:   https://github.com/w3c/webauthn
  Commit: 73fb44b5e37b0770ceb120a85488043cd653c4f7
      https://github.com/w3c/webauthn/commit/73fb44b5e37b0770ceb120a85488043cd653c4f7

  Author: Adam Langley <agl@imperialviolet.org>
  Date:   2020-05-24 (Sun, 24 May 2020)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Specify more about COSE algorithms.

[COSEAlgorithmIdentifiers](https://w3c.github.io/webauthn/#typedefdef-cosealgorithmidentifier) aren't very specific.

JOSE [defines](https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms) an algorithm called “ES256” as “ECDSA using P-256 and SHA-256” — which is fine. COSE [also defines](https://www.iana.org/assignments/cose/cose.xhtml#algorithms) an algorithm called “ES256”, except that the COSE version isn't specific to any curve! It's just ECDSA with SHA-256 hashing. COSE only [says](https://tools.ietf.org/html/rfc8152#section-8.1) that “in order to promote interoperability, it is suggested that SHA-256 be used only with curve P-256”. Technically, an authenticator could return a public key over some other curve, although I bet it breaks lots of RPs.

Similarly, COSE defines an algorithm for “EdDSA”, which is commonly interpreted to mean EdDSA with Ed25519. But, technically, it could also mean EdDSA with the much rarer X448.

I think people thought that they were getting JOSE-style precise algorithms with a COSE algorithm identifier, but that's not true. Thus this change nails down some standard assumptions that are (I believe) currently true in all cases anyway.

(See also fido-alliance/fido-2-specs#862.)


  Commit: 6513a003c289d8046483c590bd82469d2d397b3f
      https://github.com/w3c/webauthn/commit/6513a003c289d8046483c590bd82469d2d397b3f

  Author: Adam Langley <agl@google.com>
  Date:   2020-06-03 (Wed, 03 Jun 2020)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Spelling fix.

Co-authored-by: =JeffH <jdhodges@google.com>


  Commit: b463fc898a36d28b26b0d469352946e0fea21024
      https://github.com/w3c/webauthn/commit/b463fc898a36d28b26b0d469352946e0fea21024

  Author: Adam Langley <agl@google.com>
  Date:   2020-06-03 (Wed, 03 Jun 2020)

  Changed paths:
    M index.bs

  Log Message:
  -----------
  Merge pull request #1420 from agl/cosealg

Specify more about COSE algorithms.


Compare: https://github.com/w3c/webauthn/compare/7f541a26c796...b463fc898a36
Received on Wednesday, 3 June 2020 19:15:10 UTC
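
An RP-side check of the assumptions the first commit message describes (ES256 means P-256, EdDSA means Ed25519), as an added example that is not part of the original message or of the specification text. It assumes the credential public key has already been CBOR-decoded into a `Map`; `checkCoseKey` is a hypothetical helper name and the sample keys are constructed.

```javascript
// COSE_Key map labels and values below are from the IANA COSE registries.
const KTY = 1, ALG = 3, CRV = -1, X = -2, Y = -3;

// One key type and one curve per algorithm identifier.
const PINNED = new Map([
  [-7, { name: "ES256", kty: 2, crv: 1, coords: [X, Y], len: 32 }], // EC2, P-256
  [-8, { name: "EdDSA", kty: 1, crv: 6, coords: [X], len: 32 }],    // OKP, Ed25519
]);

// key: Map from a CBOR decoder (assumption); requestedAlgs: the alg values
// the RP listed in pubKeyCredParams for this ceremony.
function checkCoseKey(key, requestedAlgs) {
  const alg = key.get(ALG);
  if (!requestedAlgs.includes(alg)) return { ok: false, reason: "alg not requested" };
  const pin = PINNED.get(alg);
  if (!pin) return { ok: false, reason: "alg not pinned by this RP" };
  if (key.get(KTY) !== pin.kty)
    return { ok: false, reason: `${pin.name}: unexpected kty ${key.get(KTY)}` };
  if (key.get(CRV) !== pin.crv)
    return { ok: false, reason: `${pin.name}: unexpected crv ${key.get(CRV)}` };
  for (const label of pin.coords) {
    const v = key.get(label);
    if (!(v instanceof Uint8Array) || v.length !== pin.len)
      return { ok: false, reason: `${pin.name}: bad coordinate ${label}` };
  }
  // Structural check only: the signature library must still validate the point.
  return { ok: true, reason: pin.name };
}

// Constructed sample keys; coordinates are zero-filled placeholders, not real points.
const coord = (n) => new Uint8Array(n);
const p256 = new Map([[KTY, 2], [ALG, -7], [CRV, 1], [X, coord(32)], [Y, coord(32)]]);
const p384AsEs256 = new Map([[KTY, 2], [ALG, -7], [CRV, 2], [X, coord(48)], [Y, coord(48)]]);
const ed25519 = new Map([[KTY, 1], [ALG, -8], [CRV, 6], [X, coord(32)]]);
const crv7AsEdDSA = new Map([[KTY, 1], [ALG, -8], [CRV, 7], [X, coord(57)]]);

for (const [label, k] of [["p256", p256], ["p384AsEs256", p384AsEs256],
                          ["ed25519", ed25519], ["crv7AsEdDSA", crv7AsEdDSA]]) {
  const r = checkCoseKey(k, [-7, -8]);
  console.log(label, r.ok ? "accepted as" : "rejected:", r.reason);
}
```

Both rejected samples carry an `alg` value the RP asked for, which is why checking `alg` alone is not enough.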
