The short answer is that you should set `pubKeyCredParams` to include all algorithms whose verification procedure you support. But that of course leaves the question of what's the minimal set of algorithms you should support.

As @MasterKale points out, ES256 and RS256 are a good start. This is what [`pubKeyCredParams` defaults to](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams) if you don't specify it. CTAP1 (U2F) authenticators are hard-coded to only support ES256, and most CTAP2 devices support it too. So I'd recommend at least ES256 and RS256 as a baseline.

Beyond that it's up to the RP how much effort to spend on supporting additional algorithms. If you use a library for signature verification, you should probably support everything supported by the library.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1169102503 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 June 2022 18:52:50 UTC
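One way an RP could tie `pubKeyCredParams` to the algorithms it can actually verify, as an added example that is not part of the comment above or of any WebAuthn library. The `SUPPORTED` registry and both function names are hypothetical, and the credential public key is assumed to be already CBOR-decoded into a `Map` keyed by COSE labels. The example goes one step beyond the comment by also checking that the key type and curve match the claimed algorithm.

```javascript
// Hypothetical registry: the COSE algorithms this RP's verification code handles,
// in preference order, with the key shape each one requires (COSE kty / crv).
const SUPPORTED = [
  { alg: -7,   name: "ES256", kty: 2, crv: 1 },    // EC2 key on P-256
  { alg: -257, name: "RS256", kty: 3 },            // RSA key, no curve
];

// Build the pubKeyCredParams array sent in PublicKeyCredentialCreationOptions.
function buildPubKeyCredParams(supported = SUPPORTED) {
  return supported.map(({ alg }) => ({ type: "public-key", alg }));
}

// coseKey: the CBOR-decoded credentialPublicKey as a Map keyed by COSE labels
// (1 = kty, 3 = alg, -1 = crv). Returns the registry entry to verify with.
function checkCredentialKey(coseKey, offeredParams, supported = SUPPORTED) {
  const alg = coseKey.get(3);
  if (!offeredParams.some((p) => p.type === "public-key" && p.alg === alg)) {
    throw new Error(`alg ${alg} was not offered in pubKeyCredParams`);
  }
  const entry = supported.find((s) => s.alg === alg);
  if (!entry) throw new Error(`no verifier for alg ${alg}`);
  if (coseKey.get(1) !== entry.kty) {
    throw new Error(`kty ${coseKey.get(1)} does not match ${entry.name}`);
  }
  if (entry.crv !== undefined && coseKey.get(-1) !== entry.crv) {
    throw new Error(`crv ${coseKey.get(-1)} does not match ${entry.name}`);
  }
  return entry;
}

// Constructed sample keys (coordinates omitted; only the labels checked here).
const es256Key = new Map([[1, 2], [3, -7], [-1, 1]]);
const eddsaKey = new Map([[1, 1], [3, -8], [-1, 6]]);   // EdDSA, not in SUPPORTED
const wrongCurve = new Map([[1, 2], [3, -7], [-1, 2]]); // ES256 claimed on P-384

const params = buildPubKeyCredParams();
console.log(params);
console.log(checkCredentialKey(es256Key, params).name);
for (const key of [eddsaKey, wrongCurve]) {
  try { checkCredentialKey(key, params); } catch (e) { console.log("rejected:", e.message); }
}
```

Adding an algorithm then means adding one registry entry together with its verification code, so the offered list and the verifiable set cannot drift apart.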