Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

Well, the question is what is better...

1. If the authenticator uses an algorithm other than those in the `pubKeyCredParams` list, it will simply not appear in the list in the browser pop-up. For a user, it is basically like it does not exist, and the RP does not know about it.
2. In the other case, if the RP receives an unknown algo, it can simply reply "Sorry, your device is not yet supported" and both the User and the RP know what's going on.

I personally prefer to be informed and receive explicit errors rather than having the device simply not listed.

Moreover, if the empty list is used with `pubKeyCredParams`, it will be filled with defaults. Therefore, you might receive new unknown algos anyway. ...and this has already changed in the past rather discreetly.

Lastly, I don't think signing algos evolve that quickly and this sounds like YAGNI. For instance, the JWT spec from 2015 still uses the same list of signing algos as today, and there is no change in sight AFAIK.

From a dev POV, it would also make sense if the JWT signing algos could be used, since broad support is already available in all programming languages. It's just nice to have RFCs share the same set of algos (ideally using the same names) instead of different subsets.

-- 
GitHub Notification of comment by dagnelies
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1169736512 using your GitHub account
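The RP-side check described in point 2 above, as an added example that is not part of the thread or of any WebAuthn library: the RP parses the COSE_Key of a newly registered credential, reads its `alg`, and refuses anything it did not advertise in `pubKeyCredParams` with an explicit error instead of storing a key it cannot verify. The CBOR decoder is a minimal subset written for this example, and the key coordinates are placeholder bytes, not real keys.

```python
# Minimal CBOR decoder (RFC 8949 subset: ints, byte/text strings, maps) sufficient for COSE_Key.
def _decode(buf, pos=0):
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    elif info == 26:
        arg, pos = int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:                      # unsigned int
        return arg, pos
    if major == 1:                      # negative int: -1 - arg
        return -1 - arg, pos
    if major in (2, 3):                 # byte string / text string
        item = buf[pos:pos + arg]
        return (item if major == 2 else item.decode()), pos + arg
    if major == 5:                      # map
        result = {}
        for _ in range(arg):
            key, pos = _decode(buf, pos)
            result[key], pos = _decode(buf, pos)
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")

# What this RP advertised in pubKeyCredParams (COSE alg ids; names match the JWS/JWT ones).
PUB_KEY_CRED_PARAMS = [{"type": "public-key", "alg": -7},     # ES256
                       {"type": "public-key", "alg": -257}]   # RS256

def check_credential_alg(cose_key_bytes, params=PUB_KEY_CRED_PARAMS):
    """Return the credential's COSE alg if the RP advertised it; otherwise raise an
    explicit error so both user and RP know the device is not supported."""
    key, _ = _decode(cose_key_bytes)
    alg = key.get(3)                    # COSE_Key label 3 = alg
    if alg not in {p["alg"] for p in params}:
        raise ValueError(f"Sorry, your device is not yet supported (COSE alg {alg})")
    return alg

# Constructed COSE_Key samples: EC2/P-256 with alg ES256, and OKP/Ed25519 with alg EdDSA (-8).
ES256_KEY = (bytes.fromhex("a5" "0102" "0326" "2001" "215820") + b"\x11" * 32
             + bytes.fromhex("225820") + b"\x22" * 32)
EDDSA_KEY = bytes.fromhex("a4" "0101" "0327" "2006" "215820") + b"\x33" * 32
```

Run `check_credential_alg(ES256_KEY)` to get -7, while `check_credential_alg(EDDSA_KEY)` raises the explicit "not yet supported" error because EdDSA was not in the advertised list.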


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 29 June 2022 09:17:53 UTC