- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Thu, 03 Apr 2025 08:34:19 +0000
- To: public-webauthn@w3.org
Indeed. [RFC 9053](https://www.rfc-editor.org/rfc/rfc9053.html#name-double-coordinate-curves) defines that

> For [elliptic curve] public keys, it is REQUIRED that "crv", "x", and "y" be present in the structure. [...]

and the new algorithm identifiers do not change this. Note that it will be semantically valid for an authenticator to return a public key with `alg: -7 (ES256)` even when invoked with `pubKeyCredParams: [{ alg: -9 (ESP256), ... }]`. The key "matches" both the `-9` and `-7` algorithm identifiers, as you noted, because of the required `crv` field.

Hm, so we'll probably need to also update the RP ops to account for this:

> [**§7.1. Registering a New Credential**](https://w3c.github.io/webauthn/#sctn-registering-a-new-credential)
> [...]
> 20. Verify that the "alg" parameter in the [credential public key](https://w3c.github.io/webauthn/#authdata-attestedcredentialdata-credentialpublickey) in authData matches the [alg](https://w3c.github.io/webauthn/#dom-publickeycredentialparameters-alg) attribute of one of the [items](https://infra.spec.whatwg.org/#list-item) in pkOptions.[pubKeyCredParams](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-pubkeycredparams).

This step will need to account for the fact that the new fully-specified alg IDs are effectively synonyms of the polymorphic ones in the context of a COSE_Key. Either that, or we require that authenticators use the same `alg` value in the COSE_Key as was chosen from `pubKeyCredParams`.

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2276#issuecomment-2774892574 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 3 April 2025 08:34:20 UTC
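The RP-side check from step 20, as an added example that is not part of the thread or the WebAuthn spec text: it treats a fully-specified EC alg as satisfied by its polymorphic synonym (and vice versa) when the COSE_Key's required `crv` pins the curve, and keeps the literal exact-match rule available for comparison. It assumes the COSE_Key has already been CBOR-decoded into a dict keyed by integer labels, and the only synonym pair it knows is the ES256/ESP256 one discussed above.

```python
# Added example: WebAuthn registration step 20 with a synonym-aware alg match.
# Assumes the COSE_Key is already CBOR-decoded into {int label: value}.
from typing import Iterable, Mapping

# COSE labels and values from RFC 9053 / the COSE registries.
KTY, ALG, CRV = 1, 3, -1
KTY_EC2 = 2
CRV_P256 = 1
ES256 = -7    # polymorphic ECDSA with SHA-256; the curve comes from crv
ESP256 = -9   # fully-specified ECDSA on P-256 with SHA-256, as cited in the thread

# Fully-specified alg -> (polymorphic synonym, curve it pins). Only the pair from the
# thread is listed; other curves would be added here from the registry.
FULLY_SPECIFIED = {ESP256: (ES256, CRV_P256)}


def equivalent_algs(cose_key: Mapping[int, object]) -> set[int]:
    """Every alg ID the key semantically satisfies, derived from its alg and crv."""
    alg = cose_key.get(ALG)
    if alg is None:
        raise ValueError("COSE_Key is missing alg (label 3)")
    algs = {alg}
    if cose_key.get(KTY) != KTY_EC2:
        return algs                      # synonym logic only applies to EC2 keys
    crv = cose_key.get(CRV)
    if crv is None:
        raise ValueError("EC2 key must carry crv (label -1) per RFC 9053")
    if alg in FULLY_SPECIFIED:           # fully-specified alg must agree with crv
        poly, expected_crv = FULLY_SPECIFIED[alg]
        if crv != expected_crv:
            raise ValueError(f"alg {alg} requires crv {expected_crv}, got {crv}")
        algs.add(poly)
    for full, (poly, expected_crv) in FULLY_SPECIFIED.items():
        if alg == poly and crv == expected_crv:   # polymorphic alg + matching curve
            algs.add(full)
    return algs


def step20_alg_matches(cose_key: Mapping[int, object],
                       pub_key_cred_params: Iterable[Mapping[str, object]],
                       strict: bool = False) -> bool:
    """strict=True is the literal rule (exact alg equality); False is synonym-aware."""
    requested = {p["alg"] for p in pub_key_cred_params}
    accepted = {cose_key[ALG]} if strict else equivalent_algs(cose_key)
    return not requested.isdisjoint(accepted)


# Constructed sample: authenticator returned an ES256 key on P-256 while the RP
# had asked only for ESP256 (coordinates are dummy bytes, not a real key).
KEY_ES256_P256 = {KTY: KTY_EC2, ALG: ES256, CRV: CRV_P256,
                  -2: b"\x01" * 32, -3: b"\x02" * 32}
PARAMS_ESP256 = [{"type": "public-key", "alg": ESP256}]
```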