Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

> I noticed that during `credentials.create(...)`, if the list does not contain what the authenticator can provide, the authenticator will not be included in the list of authenticators to choose from. For example, if you don't include `"alg":-257`, Windows Hello won't work.

Worth pointing out that in the Windows Hello attestation, SHA1 is used over the signatures, which can potentially be a security risk, so you need to check for the use of RS1 in some internal code paths and reject if found.

> So ...are all common authenticators covered by RS256 and ES256? Or should you as an RP add some more to cover most authenticators? Which ones?

And ED25519 (EDDSA) is the other one. We have been running a compatibility tester as part of webauthn-rs and "in the wild" we have only seen RS256, ES256 and EDDSA (`-8`).

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1757#issuecomment-1170615903 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 30 June 2022 00:19:02 UTC
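The two points raised in the thread, offering ES256, EdDSA and RS256 in `pubKeyCredParams` so common authenticators (including Windows Hello) are usable, and rejecting RS1 when it shows up in the attestation, as an added example. This is not code from the thread, from webauthn-rs or from the WebAuthn spec; it assumes the attestation object has already been CBOR-decoded by some library into plain objects/Maps, and the sample decoded values at the bottom are constructed. The COSE identifiers are the IANA-registered ones (ES256 -7, EdDSA -8, RS256 -257, RS1 -65535).

```javascript
// Added example: RP-side algorithm allow-list for pubKeyCredParams plus a
// post-registration check that neither the credential key nor the attestation
// signature uses RS1 (RSASSA-PKCS1-v1_5 with SHA-1).

// COSE algorithm identifiers (IANA COSE Algorithms registry).
const COSE_ALG = {
  ES256: -7,     // ECDSA with SHA-256
  EdDSA: -8,     // Ed25519 in practice
  RS256: -257,   // RSASSA-PKCS1-v1_5 with SHA-256; needed for Windows Hello
  RS1: -65535,   // RSASSA-PKCS1-v1_5 with SHA-1; never accepted
};

// What the RP offers in credentials.create(). Order expresses preference.
// RS1 is deliberately not offered.
const RP_PUB_KEY_CRED_PARAMS = [
  { type: "public-key", alg: COSE_ALG.ES256 },
  { type: "public-key", alg: COSE_ALG.EdDSA },
  { type: "public-key", alg: COSE_ALG.RS256 },
];

const ALLOWED_ALGS = new Set(RP_PUB_KEY_CRED_PARAMS.map((p) => p.alg));

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` is a Uint8Array the server generated; `user` is the RP's own
// account record (hypothetical shape: { id: Uint8Array, name, displayName }).
function buildCreationOptions(rpId, rpName, user, challenge) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: user.id, name: user.name, displayName: user.displayName },
      challenge,
      pubKeyCredParams: RP_PUB_KEY_CRED_PARAMS,
      timeout: 60000,
      attestation: "direct",
    },
  };
}

// Read label 3 (alg) from a decoded COSE_Key, whether the CBOR library gave a
// Map or a plain object keyed by integer labels.
function coseKeyAlg(credentialPublicKey) {
  if (credentialPublicKey instanceof Map) return credentialPublicKey.get(3);
  return credentialPublicKey ? credentialPublicKey[3] : undefined;
}

// Server-side check run after CBOR decoding of the attestation object.
// `attStmt` is the decoded attestation statement (packed and tpm formats carry
// an `alg`; `none` does not, so a missing alg is tolerated). Returns
// { ok, reason } so the caller can log the reason before rejecting.
function checkAlgorithms(attStmt, credentialPublicKey) {
  const keyAlg = coseKeyAlg(credentialPublicKey);
  if (keyAlg === undefined) {
    return { ok: false, reason: "credential key has no alg (label 3)" };
  }
  if (keyAlg === COSE_ALG.RS1) {
    return { ok: false, reason: "credential key uses RS1 (SHA-1)" };
  }
  if (!ALLOWED_ALGS.has(keyAlg)) {
    return { ok: false, reason: `credential key alg ${keyAlg} was not offered` };
  }
  if (attStmt && typeof attStmt.alg === "number") {
    if (attStmt.alg === COSE_ALG.RS1) {
      return { ok: false, reason: "attestation signature uses RS1 (SHA-1)" };
    }
    // RP policy choice: hold the attestation signature to the same allow-list.
    if (!ALLOWED_ALGS.has(attStmt.alg)) {
      return { ok: false, reason: `attestation alg ${attStmt.alg} not allowed` };
    }
  }
  return { ok: true, reason: "" };
}

// Constructed sample: a decoded tpm-style attestation whose signature alg is
// RS1 over an otherwise fine RS256 credential key. Not real authenticator data.
const SAMPLE_DECODED = {
  attStmt: { alg: COSE_ALG.RS1, sig: new Uint8Array([0xde, 0xad]) },
  credentialPublicKey: new Map([[1, 3], [3, COSE_ALG.RS256]]),
};

function demo() {
  return checkAlgorithms(SAMPLE_DECODED.attStmt, SAMPLE_DECODED.credentialPublicKey);
}
```

`demo()` returns `{ ok: false, reason: "attestation signature uses RS1 (SHA-1)" }` for the constructed sample; in a real RP the same check sits right after CBOR decoding and before signature verification, so a SHA-1 attestation is rejected rather than verified.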