[webauthn] "signature formats" section is underspecified (#1441)

equalsJeffH has just created a new issue for https://github.com/w3c/webauthn:

== "signature formats" section is underspecified ==
@arianvp noted in closed issue #1124 ([here](https://github.com/w3c/webauthn/issues/1124#issuecomment-644008314) and [here](https://github.com/w3c/webauthn/issues/1124#issuecomment-644011501)) that (edited somewhat):

[6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
](https://w3c.github.io/webauthn/#sctn-signature-attestation-types) does not specify what the _format_ is for `signature`   when it is not one of `ES256, RS256, PS256`.

The **NOTE** does mention that it is "recommended" that any new signature formats will directly correspond to the COSE signature field, but the NOTE is not normative.

Hence; the `signature` field seems underspecified to me currently and it's not clear to me as an implementor of a Relying Party how it should be interpreted from the standard alone.

[I've looked at] how other `webauthn` Relying Parties implement this; and indeed they use the COSE format for signatures for `EdDSA`; but when doing a clean-room implementation of the standard it's currently not possible to come to this conclusion, which might be problematic.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1441 using your GitHub account

Received on Monday, 15 June 2020 16:07:18 UTC