[webauthn] "signature formats" section is underspecified (#1441)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Mon, 15 Jun 2020 16:06:17 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-638970053-1592237176-sysbot+gh@w3.org>
equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== "signature formats" section is underspecified ==
@arianvp noted in closed issue #1124 ([here](https://github.com/w3c/webauthn/issues/1124#issuecomment-644008314) and [here](https://github.com/w3c/webauthn/issues/1124#issuecomment-644011501)) that (edited somewhat):

[6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures](https://w3c.github.io/webauthn/#sctn-signature-attestation-types) does not specify what the _format_ is for `signature` when it is not one of `ES256, RS256, PS256`.

The **NOTE** does mention that it is "recommended" that any new signature formats will directly correspond to the COSE signature field, but the NOTE is not normative.

Hence, the `signature` field seems underspecified to me currently, and it's not clear to me as an implementor of a Relying Party how it should be interpreted from the standard alone.

[I've looked at] how other `webauthn` Relying Parties implement this, and indeed they use the COSE format for signatures for `EdDSA`, but when doing a clean-room implementation of the standard it's currently not possible to come to this conclusion, which might be problematic.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1441 using your GitHub account
Received on Monday, 15 June 2020 16:07:18 UTC
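
The gap described in this issue, as an added Python example that is not part of the original message or of the WebAuthn specification: a Relying Party check that accepts only the encodings section 6.5.5 defines (DER `Ecdsa-Sig-Value` for ES256, unwrapped RSA for RS256/PS256) and refuses to guess for anything else. All function names and the `follow_cose_note` opt-in are hypothetical; the 64-byte EdDSA branch assumes the non-normative NOTE is followed for Ed25519.

```python
ES256, EDDSA, PS256, RS256 = -7, -8, -37, -257  # COSE algorithm identifiers

class UnspecifiedFormat(ValueError):
    """No normative signature encoding is defined for this algorithm."""

def _der_int(buf, pos):
    """Parse one DER INTEGER (short-form length) at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length = buf[pos + 1]
    body = buf[pos + 2 : pos + 2 + length]
    if length == 0 or length > 0x7F or len(body) != length:
        raise ValueError("bad INTEGER length")
    if body[0] & 0x80:
        raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_ecdsa_der(sig):
    """Decode ASN.1 DER Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] > 0x7F or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    r, pos = _der_int(sig, 2)
    s, pos = _der_int(sig, pos)
    if pos != len(sig):
        raise ValueError("trailing bytes after s")
    return r, s

def signature_encoding(alg, sig, rsa_modulus_bytes=None, follow_cose_note=False):
    """Return the name of the encoding `sig` has for `alg`, or raise."""
    if alg == ES256:
        parse_ecdsa_der(sig)  # a raw r || s string is rejected here
        return "der-ecdsa-sig-value"
    if alg in (RS256, PS256):
        if rsa_modulus_bytes is None or len(sig) != rsa_modulus_bytes:
            raise ValueError("RSA signature must be as long as the modulus")
        return "raw-rsa"
    if alg == EDDSA and follow_cose_note:
        # Assumption: apply the non-normative NOTE, i.e. the COSE encoding,
        # which for Ed25519 is the 64-byte R || S string.
        if len(sig) != 64:
            raise ValueError("Ed25519 signature must be 64 bytes")
        return "cose-raw"
    raise UnspecifiedFormat(f"no signature format specified for alg {alg}")
```
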