Re: [webauthn] Which "pubKeyCredParams" to use? (#1757)

Those algorithms are required for FIDO certification. If you don’t care
about that then you can do as you like. It is the CTAP specifications in
FIDO that define the mandatory-to-implement algs for servers, not WebAuthn.

There are deployments that do require ED25519 where NIST curves are not
trusted. If you don’t have customers with that requirement then there is
little use in implementing ED25519, as all of the authenticators supporting
that alg will also support P256.

RS256 is a bit different. Win 10 and some versions of Win 11 only support
RS256 due to TPM 1.0 issues. Yes, that is part of the reason Win 11
requires TPM 2.0.

If you don’t support RS256, Windows platform authenticators that users
expect to work won’t, creating a support nightmare.

If customers don’t have any Win 10 in their environment I guess you could
not implement RS256, but it would not be considered interoperable or
certifiable by FIDO.

Authenticators shouldn’t implement RS256 any more; however, servers will
need to support it for some time.

Regards
John B.

On Wed, May 3, 2023 at 10:37 AM Matthew Miller via GitHub <sysbot+gh@w3.org>
wrote:

> > We are makers of such a back-end system for banks, considering adding
> > WebAuthn support and seeing close to zero benefits in implementing RS256
> > and Ed25519 because these will be rarely used. Plus, we have an idea on how
> > to build WebAuthn back-end in a more creative way to simplify enrollment to
> > service providers, and we are reluctant to support RS256 there because of
> > the "old Windows problem."
>
> This is starting to get into "product requirement" territory. If you
> decide you don't want to support RS256 or Ed25519 then that's your decision
> as the product owner. Your customers will ultimately decide whether that's
> viable long-term.
>
> However "supporting as many versions of Windows as possible" is likely to
> be a requirement for the majority of other projects. Therefore I'd suggest
> we keep the current guidance as-is because the spec should aim for maximum
> support of the API.
>
> --
> GitHub Notification of comment by MasterKale
> Please view or discuss this issue at
> https://github.com/w3c/webauthn/issues/1757#issuecomment-1533141299 using
> your GitHub account

Received on Wednesday, 3 May 2023 14:55:01 UTC
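
The trade-off discussed in this thread, as an added example that is not part of the original messages or of any project's code: it models how the first supported entry in `pubKeyCredParams` gets used, and what happens to an RS256-only authenticator when a relying party offers ES256 alone. The COSE identifiers (-7, -8, -257) are the registered values for ES256, EdDSA and RS256; the function names and the authenticator profiles are hypothetical and constructed for illustration.

```javascript
// COSE algorithm identifiers (IANA COSE Algorithms registry).
const COSE_ALG = { ES256: -7, EdDSA: -8, RS256: -257 };

// Build pubKeyCredParams in the relying party's order of preference.
function buildPubKeyCredParams(algNames) {
  return algNames.map((name) => {
    if (!(name in COSE_ALG)) throw new Error(`unknown algorithm: ${name}`);
    return { type: "public-key", alg: COSE_ALG[name] };
  });
}

// Model of authenticator behaviour: the first offered algorithm the
// authenticator supports is used; if there is none, creation fails
// (the browser reports NotSupportedError). Returns null in that case.
function negotiateAlg(pubKeyCredParams, authenticatorAlgs) {
  const hit = pubKeyCredParams.find(
    (p) => p.type === "public-key" && authenticatorAlgs.includes(p.alg));
  return hit ? hit.alg : null;
}

// Server-side check after registration: the alg found in the returned
// credential public key must be one that this ceremony actually offered.
function isOfferedAlg(pubKeyCredParams, credentialAlg) {
  return pubKeyCredParams.some((p) => p.alg === credentialAlg);
}

// Constructed authenticator profiles (assumptions, not measured data).
const PROFILES = {
  "rs256-only platform authenticator": [COSE_ALG.RS256],
  "p256 security key": [COSE_ALG.ES256],
  "ed25519-capable security key": [COSE_ALG.EdDSA, COSE_ALG.ES256],
};

// Map each profile to the algorithm it would register with, or null.
function coverage(pubKeyCredParams) {
  const result = {};
  for (const [name, algs] of Object.entries(PROFILES)) {
    result[name] = negotiateAlg(pubKeyCredParams, algs);
  }
  return result;
}

const full = buildPubKeyCredParams(["EdDSA", "ES256", "RS256"]);
const es256Only = buildPubKeyCredParams(["ES256"]);
console.log("all three offered:", coverage(full));
console.log("ES256 only:      ", coverage(es256Only));
```

A `null` entry in the second report is the registration that fails for the user; the server-side `isOfferedAlg` check is what keeps a credential with an algorithm outside the offered list from being stored.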