[webauthn] Which "pubKeyCredParams" to use? (#1757)

dagnelies has just created a new issue for https://github.com/w3c/webauthn:

== Which "pubKeyCredParams" to use? ==
Hi,

I noticed that during `credentials.create(...)`, if the list does not contain what the authenticator can provide, the authenticator will not be included in the list of authenticators to choose from. For example, if you don't include `"alg":-257`, Windows Hello won't work.

Now, as a relying party this all sounds a bit like unknown mysteries. 

- the specification says "pick your algorithms" from a [huge list](https://www.iana.org/assignments/cose/cose.xhtml#algorithms)!
- no idea which algos the authenticators support
- no idea which algos you really have to support as an RP

In practice, using this list restricts your choice to a subset of authenticators available... if you manage to find out which algo is needed. Also, most RPs are not deeply knowledgeable about which crypto algorithms are better suited or not.

So... are all common authenticators covered by RS256 and ES256? Or should you as an RP add some more to cover most authenticators? Which ones?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 June 2022 16:15:06 UTC
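
The behaviour described in the issue, as an added example (not code from the issue or from the WebAuthn project): a model of how the ordered `pubKeyCredParams` list decides which authenticators can register, plus the relying-party check that the returned key uses a requested algorithm. The authenticator profiles and all function names are constructed for illustration; they are not vendor capability data.

```javascript
// COSE algorithm identifiers (IANA COSE registry): ES256 = -7, RS256 = -257.
const COSE_ALG = Object.freeze({ ES256: -7, RS256: -257 });

// Build pubKeyCredParams in the RP's order of preference (most preferred first).
function buildPubKeyCredParams(algs) {
  return algs.map((alg) => ({ type: "public-key", alg }));
}

// Model of the selection step: the first entry the authenticator supports wins.
// null means the authenticator cannot satisfy the request and is not usable.
function negotiateAlg(pubKeyCredParams, authenticatorAlgs) {
  const supported = new Set(authenticatorAlgs);
  const hit = pubKeyCredParams.find(
    (p) => p.type === "public-key" && supported.has(p.alg)
  );
  return hit ? hit.alg : null;
}

// Constructed capability profiles (hypothetical, not vendor data). "rsaOnly"
// mirrors the behaviour the issue reports for Windows Hello.
const SAMPLE_AUTHENTICATORS = Object.freeze({
  rsaOnly: [COSE_ALG.RS256],
  ecdsaOnly: [COSE_ALG.ES256],
  both: [COSE_ALG.RS256, COSE_ALG.ES256],
});

// For each profile, report the algorithm that would be used, or null.
function coverage(pubKeyCredParams, profiles = SAMPLE_AUTHENTICATORS) {
  return Object.fromEntries(
    Object.entries(profiles).map(([name, algs]) => [
      name,
      negotiateAlg(pubKeyCredParams, algs),
    ])
  );
}

// Registration check on the RP side: the algorithm of the returned credential
// public key must be one the RP asked for. In the browser the value is exposed
// by AuthenticatorAttestationResponse.getPublicKeyAlgorithm().
function isRequestedAlg(pubKeyCredParams, reportedAlg) {
  return (
    Number.isInteger(reportedAlg) &&
    pubKeyCredParams.some((p) => p.type === "public-key" && p.alg === reportedAlg)
  );
}
```

The array returned by `buildPubKeyCredParams` is what goes into `publicKey.pubKeyCredParams` in the `credentials.create(...)` call; `coverage` only models the outcome and does not query real authenticators.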