- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 28 Jun 2022 18:52:48 +0000
- To: public-webauthn@w3.org

The short answer is that you should set `pubKeyCredParams` to include all algorithms whose verification procedure you support. But that of course leaves the question of what's the minimal set of algorithms you should support.

As @MasterKale points out, ES256 and RS256 is a good start. This is what [`pubKeyCredParams` defaults to](https://www.w3.org/TR/2021/REC-webauthn-2-20210408/#ref-for-dom-publickeycredentialcreationoptions-pubkeycredparams) if you don't specify it. CTAP1 (U2F) authenticators are hard-coded to only support ES256, and most CTAP2 devices support it too. So I'd recommend at least ES256 and RS256 as a baseline.

Beyond that it's up to the RP how much effort to spend on supporting additional algorithms. If you use a library for signature verification, you should probably support everything supported by the library.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1169102503 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 28 June 2022 18:52:50 UTC
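
An added example, not part of the original message or of any WebAuthn library: one way for an RP to derive `pubKeyCredParams` from the set of algorithms it can actually verify, and to reject a registration whose credential algorithm was never offered. The `VERIFIERS` table and both function names are hypothetical; the COSE identifiers (-7 for ES256, -257 for RS256) and the WebCrypto parameter names are the standard ones.

```javascript
// Hypothetical verifier table: COSE algorithm id -> WebCrypto parameters the
// RP's signature-verification code uses. Add an entry only once verification
// for that algorithm is implemented and tested.
const VERIFIERS = new Map([
  [-7, { name: "ES256",
         importParams: { name: "ECDSA", namedCurve: "P-256" },
         verifyParams: { name: "ECDSA", hash: "SHA-256" } }],
  [-257, { name: "RS256",
           importParams: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
           verifyParams: { name: "RSASSA-PKCS1-v1_5" } }],
]);

// Build pubKeyCredParams in the RP's preference order. Every entry must have
// a verifier, so the RP never advertises an algorithm it cannot check.
function buildPubKeyCredParams(preferredAlgs) {
  const seen = new Set();
  const params = [];
  for (const alg of preferredAlgs) {
    if (!VERIFIERS.has(alg)) {
      throw new RangeError(`no verifier implemented for COSE alg ${alg}`);
    }
    if (seen.has(alg)) continue; // drop duplicates, keep first position
    seen.add(alg);
    params.push({ type: "public-key", alg });
  }
  // Design choice in this example: always send an explicit list.
  if (params.length === 0) {
    throw new RangeError("pubKeyCredParams would be empty");
  }
  return params;
}

// Registration-time check: the algorithm of the returned credential public key
// (for example from getPublicKeyAlgorithm(), or parsed from the attested
// credential data on the server) must be one of the algorithms offered.
function verifierForRegistration(offeredParams, credentialAlg) {
  const offered = offeredParams.some(
    (p) => p.type === "public-key" && p.alg === credentialAlg
  );
  if (!offered) {
    throw new Error(`credential alg ${credentialAlg} was not offered`);
  }
  return VERIFIERS.get(credentialAlg);
}
```
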