W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 28 Jun 2022 18:52:48 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1169102503-1656442366-sysbot+gh@w3.org>
The short answer is that you should set `pubKeyCredParams` to include all algorithms whose verification procedure you support. But that of course leaves the question of what's the minimal set of algorithms you should support.

As @MasterKale points out, ES256 and RS256 is a good start. This is what [`pubKeyCredParams` defaults to](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams) if you don't specify it. CTAP1 (U2F) authenticators are hard-coded to only support ES256, and most CTAP2 devices support it too.

So I'd recommend at least ES256 and RS256 as a baseline. Beyond that it's up to the RP how much effort to spend on supporting additional algorithms. If you use a library for signature verification, you should probably support everything supported by the library.

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1169102503 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 28 June 2022 18:52:50 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC