[webauthn] Confusion on COSEAlgorithmIdentifier standards (#1676)

wagner-robert has just created a new issue for https://github.com/w3c/webauthn:

== Confusion on COSEAlgorithmIdentifier standards ==
I noticed that Section 6.5.5 https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types mentions this RFC - RFC8017, but in reviewing https://www.iana.org/assignments/cose/cose.xhtml#algorithms these are all directed to RFC8812. In RFC8812 these are identified by "Recommended: No".

    For COSEAlgorithmIdentifier -257 (RS256), sig MUST contain the signature generated using the RSASSA-PKCS1-v1_5 signature scheme defined in section 8.2.1 in [**RFC8017**] with SHA-256 as the hash function. The signature is not ASN.1 wrapped.

    For COSEAlgorithmIdentifier -37 (PS256), sig MUST contain the signature generated using the RSASSA-PSS signature scheme defined in section 8.1.1 in [**RFC8017**] with SHA-256 as the hash function. The signature is not ASN.1 wrapped.

I would like to see clarification on which RFC is correct and if these protocols or other protocols are really recommended for use or not.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1676 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 21 October 2021 16:12:21 UTC
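
The RS256 wording quoted in the issue, worked through as an added example (not part of the issue or of the WebAuthn specification): the signature scheme is the one from RFC 8017 section 8.2, and `sig` is the raw big-endian octet string of modulus length with no ASN.1 wrapper. The toy key built from two Mersenne primes and the function names are assumptions made for illustration; the key is not secure.

```python
import hashlib

# Constructed toy key for illustration only: Mersenne primes are public
# knowledge, so this modulus is trivially factorable.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in octets

# DER encoding of the DigestInfo header for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15(message: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo(SHA-256)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_rs256(message: bytes) -> bytes:
    """RSASSA-PKCS1-v1_5 signature; output is exactly K raw octets."""
    m = int.from_bytes(emsa_pkcs1_v15(message, K), "big")
    return pow(m, D, N).to_bytes(K, "big")


def verify_rs256(message: bytes, sig: bytes) -> bool:
    """Verify by re-encoding the message and comparing (RFC 8017, 8.2.2)."""
    if len(sig) != K:               # rejects any wrapped or truncated sig
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:                      # signature representative out of range
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(message, K)


if __name__ == "__main__":
    msg = b"constructed authenticatorData || clientDataHash"
    sig = sign_rs256(msg)
    print(len(sig), verify_rs256(msg, sig))
```

The DigestInfo inside the padded block is still DER; "not ASN.1 wrapped" refers only to the outer `sig` value, which is why a verifier can check its length against the modulus length before doing any arithmetic.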