- From: philomathic_life via GitHub <sysbot+gh@w3.org>
- Date: Thu, 03 Apr 2025 16:54:56 +0000
- To: public-webauthn@w3.org
> this step will need to account for the fact that the new fully-specified alg IDs are effectively synonyms of the polymorphic ones in the context of a COSE_Key. > > Either that, or we require that authenticators use the same `alg` value in the COSE_Key as was chosen from `pubKeyCredParams`. I actually think the `alg` should be the same. RPs are required to pass the separate `COSEAlgorithmIdentifier`s IDs which seemingly suggests they are not "that equivalent"; otherwise it would be fine for an RP to pass just one. It seems weird for an RP to only pass the legacy `COSEAlgorithmIdentifier`—which is allowed per L3 since it's only a recommendation the new `COSEAlgorithmIdentifier` IDs are supported—but then receive an attested credential data payload that will be rejected since the RP does not support the new ID. No matter which `COSEAlgorithmIdentifier` (or both) an RP supports, parsing code will have to support such a value. An RP that supports both will pass both `COSEAlgorithmIdentifier`s at which point it seems borderline "malicious" for an authenticator to have had the option to choose the correct value from `pubKeyCredParams` but intentionally choose the different value. If only one `COSEAlgorithmIdentifier` was passed, then the RP only supports that `COSEAlgorithmIdentifier` so an authenticator can't use a different one since the RP would not know how to handle it. -- GitHub Notification of comment by zacknewman Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2276#issuecomment-2776410519 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 3 April 2025 16:54:57 UTC