W3C home > Mailing lists > Public > public-webauthn@w3.org > June 2022

Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

From: Arnaud Dagnelies via GitHub <sysbot+gh@w3.org>
Date: Wed, 29 Jun 2022 08:14:01 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-1169671816-1656490439-sysbot+gh@w3.org>
Well, I asked since it's not written in the specs which algorithms you should support as an RP. Currently the specs says "the signing algo could be anything, good luck!" Which is IMHO not ideal. 

> And for anyone interested: based on some extensive testing I did a few months back of in-the-wild authenticators, most everything I tested **only** supported `-7` ("ES256"), with the exception of Windows Hello which was only `-257` ("RS256"). Only the YubiKey 5C, 5Ci, and Bio **also** supported Ed25519 (`-8`, "EdDSA").

Since apparently all authenticators use either of those three algorithms, it would at least make sense to hint it in the specs. 

One could question even further if the specs should constrain the usable signature algorithms to those three. In that case, the `pubKeyCredParams` could even be dropped/deprecated since it becomes useless. 
Just specifying that authenticators and RPs agree on a subset of crypto algorithms is enough to ensure compatibility. 

GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1169671816 using your GitHub account

Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 29 June 2022 08:14:03 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:46 UTC