- From: Firstyear via GitHub <sysbot+gh@w3.org>
- Date: Wed, 05 May 2021 09:34:29 +0000
- To: public-webauthn@w3.org
> @Firstyear Are these enough different though? The hash is just some data to be signed. It's somewhat more constrained given the output format of the hash, but it's still variable data. It might actually be easier to implement general signature creation, for which a special case is signing a hash. There are security concerns about key-usage from webauthn for arbitrary data, so having the hash as an extension while still requiring the nonce/challenge would help make this an interface that "can not be held incorrectly". Additionally, some applications have cryptographic requirements to what signatures they will accept, which is why signatures vs verification should be seperate. -- GitHub Notification of comment by Firstyear Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-832551276 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 5 May 2021 09:34:31 UTC