Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

> @Firstyear we only need to sign using asymmetric algorithms (ECDSA p256) a small piece of data. There is no verification needed. Also `nonces` are always present in the data to be signed, they are required to prevent replay attacks.

WebAuthn allows ECDSA p256R1, ECDSA p384R1, ECDSA p521R1, RSA with a combination of hash and padding schemes, EdDSA, and probably more.

You don't know what algorithms an authenticator may have (but you can select authenticators at WebAuthn registration based on this). I think for your use case, you may find it unviable/unworkable given the focus of WebAuthn for authentication over production of arbitrary key signatures, and you may be better off investigating CTAP or other interactions directly (see OpenSSH and how they use CTAP for key storage).


-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-833141051 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 6 May 2021 00:33:57 UTC
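
Added example, not part of the original message or of any project's code: one way a relying party can restrict registration to chosen algorithms, as the comment above says is possible. It builds the `pubKeyCredParams` list passed to `navigator.credentials.create()` and then checks server-side that the `alg` in the returned COSE_Key was one it offered. The function names and the sample key bytes are constructed for illustration, and the CBOR reader handles only what a COSE_Key needs.

```javascript
// COSE algorithm identifiers (IANA COSE registry) for the algorithms named in the post.
const COSE_ALG = { ES256: -7, EdDSA: -8, ES384: -35, ES512: -36, RS256: -257 };
// Ordered list for publicKey.pubKeyCredParams; the first entry is the RP's preference.
function pubKeyCredParams(names) {
  return names.map((n) => {
    if (!(n in COSE_ALG)) throw new Error(`unknown algorithm: ${n}`);
    return { type: "public-key", alg: COSE_ALG[n] };
  });
}

// Minimal CBOR reader: integers, byte strings and one flat map, enough for a COSE_Key.
function readItem(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  let val = info;
  pos += 1;
  if (info >= 24 && info <= 26) {
    const n = 1 << (info - 24); // 1, 2 or 4 length bytes follow
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    val = 0;
    for (let i = 0; i < n; i++) val = val * 256 + buf[pos + i];
    pos += n;
  } else if (info > 26) throw new Error("unsupported CBOR length encoding");
  if (major === 0 || major === 1) return [major ? -1 - val : val, pos];
  if (major === 2) {
    if (pos + val > buf.length) throw new Error("truncated byte string");
    return [buf.subarray(pos, pos + val), pos + val];
  }
  if (major !== 5) throw new Error(`unsupported CBOR major type ${major}`);
  const map = new Map();
  for (let i = 0; i < val; i++) {
    let k, v;
    [k, pos] = readItem(buf, pos);
    [v, pos] = readItem(buf, pos);
    map.set(k, v);
  }
  return [map, pos];
}

// Server-side check: reject a credential whose key algorithm the RP did not offer.
function credentialAlg(coseKeyBytes, params) {
  const [key] = readItem(coseKeyBytes, 0);
  if (!(key instanceof Map)) throw new Error("COSE_Key must be a CBOR map");
  const alg = key.get(3); // COSE_Key label 3 = alg
  if (!params.some((p) => p.alg === alg)) throw new Error(`algorithm ${alg} was not offered`);
  return alg;
}
// Constructed sample: EC2 COSE_Key with alg ES256 and all-zero coordinates (not a real key).
const SAMPLE_ES256_KEY = Uint8Array.from([0xa5, 0x01, 0x02, 0x03, 0x26, 0x20, 0x01, 0x21, 0x58, 0x20, ...new Array(32).fill(0), 0x22, 0x58, 0x20, ...new Array(32).fill(0)]);
```

In a real deployment the key bytes come from the `credentialPublicKey` field of the attested credential data, after the attestation response has been parsed.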