- From: Arian van Putten via GitHub <sysbot+gh@w3.org>
- Date: Sat, 27 Jun 2020 23:20:18 +0000
- To: public-webauthn@w3.org
arianvp has just created a new issue for https://github.com/w3c/webauthn:

== PublicKeyCredentialParameters can't select curve (E.g. ed448) ==

[PublicKeyCredentialParameters](https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialparameters) currently only allows you to choose the signature algorithm to use, but not which curve. The COSE standard suggests that ES256 should imply P-256, ES384 P-384, etc., but this is only a _suggestion_. From https://tools.ietf.org/html/rfc8152:

> In order to promote interoperability, it is suggested that SHA-256 be used only with curve P-256, SHA-384 be used only with curve P-384, and SHA-512 be used with curve P-521. This is aligned with the recommendation in Section 4 of [RFC5480].

The current Webauthn draft removes this ambiguity using the following text:

> Keys with algorithm ES256 (-7) MUST specify P-256 (1) as the crv parameter.
> Keys with algorithm ES384 (-35) MUST specify P-384 (2) as the crv parameter.
> Keys with algorithm ES512 (-36) MUST specify P-521 (3) as the crv parameter.
> Keys with algorithm EdDSA (-8) MUST specify Ed25519 (6) as the crv parameter.

Though this makes sense for the first three (as it is "suggested" by RFC8152), it doesn't make a lot of sense for EdDSA, where both Ed25519 and Ed448 are good choices. Now it is impossible to ask for an Ed448 curve using the Webauthn API.

Suggestion: add a field `crv` to the `PublicKeyCredentialParameters` object corresponding to `crv` in COSE, such that `PublicKeyCredentialParameters` actually uniquely defines a public key type without needing extra restrictive text in the standard.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1446 using your GitHub account
Received on Saturday, 27 June 2020 23:20:20 UTC
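The alg-to-curve binding quoted in the issue, as an added example written for this archive page (not code from the issue author or from the WebAuthn specification): a relying-party-side check of a decoded COSE_Key against the draft's MUST rules, showing that an Ed448 key cannot pass under the current text, next to what a `pubKeyCredParams` entry with the proposed (hypothetical) `crv` member would look like. COSE labels and numeric values are taken from RFC 8152; the sample keys are constructed and carry only the labels the check needs.

```javascript
// Added example: RP-side check of a decoded COSE_Key against the WebAuthn
// draft's alg -> crv MUST rules. COSE labels: 1 = kty, 3 = alg, -1 = crv.
// Values from RFC 8152: alg ES256 -7, ES384 -35, ES512 -36, EdDSA -8;
// crv P-256 1, P-384 2, P-521 3, Ed25519 6, Ed448 7; kty OKP 1, EC2 2.
const COSE_KTY = 1, COSE_ALG = 3, COSE_CRV = -1;
const KTY_OKP = 1, KTY_EC2 = 2;

// The draft text binds each algorithm to exactly one key type and curve.
const REQUIRED_CURVE = {
  [-7]:  { kty: KTY_EC2, crv: 1 }, // ES256 -> P-256
  [-35]: { kty: KTY_EC2, crv: 2 }, // ES384 -> P-384
  [-36]: { kty: KTY_EC2, crv: 3 }, // ES512 -> P-521
  [-8]:  { kty: KTY_OKP, crv: 6 }, // EdDSA -> Ed25519 only; Ed448 (7) is not expressible
};

// Returns null when the key satisfies the draft's rules, otherwise a reason.
// `coseKey` is a Map with integer labels, as a CBOR decoder would produce.
function checkCoseKeyCurve(coseKey) {
  const alg = coseKey.get(COSE_ALG);
  const rule = REQUIRED_CURVE[alg];
  if (!rule) return `alg ${alg} is not one of the bound algorithms`;
  if (coseKey.get(COSE_KTY) !== rule.kty) return `alg ${alg} requires kty ${rule.kty}`;
  const crv = coseKey.get(COSE_CRV);
  if (crv !== rule.crv) return `alg ${alg} MUST use crv ${rule.crv}, got ${crv}`;
  return null;
}

// Constructed sample keys: key material omitted, only the labels under test.
const ed25519Key = new Map([[COSE_KTY, KTY_OKP], [COSE_ALG, -8], [COSE_CRV, 6]]);
const ed448Key   = new Map([[COSE_KTY, KTY_OKP], [COSE_ALG, -8], [COSE_CRV, 7]]);
const p384Key    = new Map([[COSE_KTY, KTY_EC2], [COSE_ALG, -7], [COSE_CRV, 2]]);

// What the issue proposes: a hypothetical `crv` member on pubKeyCredParams,
// so alg -8 plus crv 7 could request Ed448 explicitly (not in the spec today).
const proposedPubKeyCredParams = [
  { type: "public-key", alg: -8, crv: 7 }, // EdDSA on Ed448 (hypothetical field)
  { type: "public-key", alg: -7, crv: 1 }, // ES256 on P-256
];

console.log(checkCoseKeyCurve(ed25519Key)); // null: accepted
console.log(checkCoseKeyCurve(ed448Key));   // rejected under the current MUST text
console.log(checkCoseKeyCurve(p384Key));    // rejected: ES256 with P-384
```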