Re: [webauthn] Unclear/underspecified signature formats (#1721)

> This section however doesn't specify what the "Sign" block of the signature does. Instead this can be found later in [6.5.5 Signature Formats for Packed Attestation](https://w3c.github.io/webauthn/#sctn-signature-attestation-types) …

I think that's mixing up assertion signatures and attestation signatures. The format of attestation signatures is specific to the attestation format, but the format of the assertion signature is determined by the signature algorithm used by the credential.

An RP specifies supported signature algorithms in [pubKeyCredParams](https://www.w3.org/TR/webauthn-2/#dom-publickeycredentialcreationoptions-pubkeycredparams) at creation time and learns the chosen algorithm via either [getPublicKeyAlgorithm](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-getpublickeyalgorithm) (if supported by the client) or else from parsing the [attestation object](https://www.w3.org/TR/webauthn-2/#dom-authenticatorattestationresponse-attestationobject).

Given the algorithm for a credential, the signature format is specified by [COSE](https://datatracker.ietf.org/doc/html/rfc8152) as WebAuthn uses [COSE identifiers](https://www.w3.org/TR/webauthn-2/#sctn-alg-identifier) for algorithms.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1721#issuecomment-1118928751 using your GitHub account
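The relationship described above, as an added example that is not code from the issue thread or from the spec: given the credential's COSE alg, an RP derives the message the assertion signature covers and the encoding it must parse that signature in. It assumes the alg was obtained via getPublicKeyAlgorithm() or from the attestation object; the sample signature bytes are constructed.

```python
# Added example (stdlib only). Dispatches on the credential's COSE alg to the
# signature encoding an RP verifier must expect for an assertion signature.
import hashlib

ES256, RS256, EDDSA = -7, -257, -8   # COSE algorithm identifiers (RFC 8152 / IANA)

def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """Data an assertion signature covers: authenticatorData || SHA-256(clientDataJSON)."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()

def der_ecdsa_sig_to_rs(sig: bytes, n_bytes: int = 32) -> bytes:
    """Parse the ASN.1 DER Ecdsa-Sig-Value (SEQUENCE of two INTEGERs) that WebAuthn
    6.5.5 requires for ES256 and return the fixed-width R||S concatenation that
    RFC 8152 8.1 uses for COSE ECDSA signatures. Rejects malformed DER."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    out, i = b"", 2
    for _ in range(2):
        if sig[i] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = sig[i + 1]
        val = int.from_bytes(sig[i + 2:i + 2 + n], "big", signed=True)
        if val <= 0 or val >= 1 << (8 * n_bytes):   # negative => missing 0x00 pad
            raise ValueError("ECDSA component out of range")
        out += val.to_bytes(n_bytes, "big")
        i += 2 + n
    if i != len(sig):
        raise ValueError("trailing bytes after Ecdsa-Sig-Value")
    return out

def signature_format(alg: int, sig: bytes, modulus_bytes: int = 256) -> str:
    """Name the encoding for this COSE alg and sanity-check the returned signature."""
    if alg == ES256:
        der_ecdsa_sig_to_rs(sig)              # raises unless a valid DER Ecdsa-Sig-Value
        return "ASN.1 DER Ecdsa-Sig-Value over P-256"
    if alg == RS256:
        if len(sig) != modulus_bytes:
            raise ValueError("RSASSA-PKCS1-v1_5 signature must equal modulus length")
        return "RSASSA-PKCS1-v1_5 with SHA-256"
    if alg == EDDSA:
        if len(sig) != 64:
            raise ValueError("Ed25519 signature must be 64 raw bytes")
        return "raw Ed25519 R||S"
    raise ValueError("unsupported COSE alg %d" % alg)

# Constructed sample: r = 0x01..0x20; s has its high bit set, so DER prepends 0x00.
SAMPLE_R = bytes(range(1, 33))
SAMPLE_S = b"\x80" + bytes(31)
SAMPLE_DER_SIG = b"\x30\x45\x02\x20" + SAMPLE_R + b"\x02\x21\x00" + SAMPLE_S
```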


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 5 May 2022 18:43:24 UTC