
Re: [webauthn] PROPOSAL: Add support for general (hardware backed) cryptographic signatures and key exchange (#1608)

From: Daniel via GitHub <sysbot+gh@w3.org>
Date: Fri, 07 May 2021 13:28:38 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-834388461-1620394117-sysbot+gh@w3.org>
> > @Firstyear we only need to sign using asymmetric algorithms (ECDSA p256) a small piece of data. There is no verification needed. Also `nonces` are always present in the data to be signed, they are required to prevent replay attacks.
> 
> Webauthn allows ECDSA p256R1, ECDSA p384R1, ECDSA p521R1, RSA with a combination of hash and padding schemes, EdDSA, and probably more.
> 
> You don't know what algorithms an authenticator may have (but you can select authenticators at webauthn registration based on this). I think for your use case, you may find it unviable/unworkable given the focus of webauthn for authentication over production of arbitrary key signatures, and you may be better to investigate CTAP or other interactions directly (see openssh and how they use ctap for key storage).

@Firstyear ECDSA p256 was an example; p384 and p512 can also be used, and others too.
Webauthn has a `pubKeyCredParams` option with an `alg` param, which allows me to filter on what algorithm I want to use.



-- 
GitHub Notification of comment by cybercent
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1608#issuecomment-834388461 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Friday, 7 May 2021 13:28:40 UTC
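
The `pubKeyCredParams` / `alg` filtering mentioned in the message above, as an added example that is not part of the original thread or of any project's code: it builds the preference list and then, as the WebAuthn registration procedure requires of the relying party, checks that the `alg` in the returned COSE_Key is one that was requested. The function names and the sample key are constructed for illustration; the numeric identifiers are the IANA COSE algorithm values.

```javascript
// COSE algorithm identifiers (IANA COSE Algorithms registry).
const COSE_ALG = { ES256: -7, EdDSA: -8, ES384: -35, ES512: -36, RS256: -257 };
// Build pubKeyCredParams, most preferred first, for navigator.credentials.create().
function buildPubKeyCredParams(names) {
  return names.map((n) => {
    if (typeof COSE_ALG[n] !== "number") throw new Error(`unknown algorithm: ${n}`);
    return { type: "public-key", alg: COSE_ALG[n] };
  });
}

// Read one CBOR head: major type, argument value, offset of what follows.
function readHead(buf, pos) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  if (info < 24) return { major, val: info, next: pos + 1 };
  const len = { 24: 1, 25: 2, 26: 4 }[info];
  if (!len || pos + 1 + len > buf.length) throw new Error("bad CBOR head");
  return { major, val: buf.readUIntBE(pos + 1, len), next: pos + 1 + len };
}

// Decode an integer, or skip a byte/text string; a COSE_Key needs nothing else.
function readItem(buf, pos) {
  const h = readHead(buf, pos);
  if (h.major <= 1) return { val: h.major ? -1 - h.val : h.val, next: h.next };
  if (h.major === 2 || h.major === 3) return { val: null, next: h.next + h.val };
  throw new Error("unexpected CBOR type in COSE_Key");
}

// Return the value of label 3 (alg) from a CBOR-encoded COSE_Key map.
function coseKeyAlg(buf) {
  const head = readHead(buf, 0);
  if (head.major !== 5) throw new Error("COSE_Key must be a CBOR map");
  let pos = head.next, alg;
  for (let i = 0; i < head.val; i++) {
    const k = readItem(buf, pos), v = readItem(buf, k.next);
    if (k.val === 3) alg = v.val;
    pos = v.next;
  }
  if (pos > buf.length || typeof alg !== "number") throw new Error("no usable alg");
  return alg;
}

// Relying-party check: the registered key must use a requested algorithm.
const algWasRequested = (params, key) => params.map((p) => p.alg).includes(coseKeyAlg(key));

// Constructed sample: ES256 COSE_Key (kty=2, alg=-7, crv=1) with dummy x/y coordinates.
const SAMPLE_KEY = Buffer.concat([Buffer.from("a5010203262001215820", "hex"),
  Buffer.alloc(32, 0x11), Buffer.from("225820", "hex"), Buffer.alloc(32, 0x22)]);
console.log(algWasRequested(buildPubKeyCredParams(["ES384", "ES256"]), SAMPLE_KEY)); // true
```

In a browser the array from `buildPubKeyCredParams` goes into `publicKey.pubKeyCredParams`; the key check runs on the server against the credential public key taken from the authenticator data.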
