[webauthn] Update COSEAlgorithmIdentifier examples and recommendations to prefer fully-specified alg IDs (#2282)

• From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
• Date: Fri, 25 Apr 2025 14:26:55 +0000
• To: public-webauthn@w3.org
• Message-ID: <issues.opened-3020223511-1745591213-sysbot+gh@w3.org>

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Update COSEAlgorithmIdentifier examples and recommendations to prefer fully-specified alg IDs ==
This is broken out from issue #2276:

## Proposed Changes for WebAuthn L3

Update non-normative examples, and update recommendations for RP to prefer the new values. These are not yet implemented by clients and authenticators, but will gracefully fall back to the legacy values until implemented.

- [§1.3.1. Registration](https://w3c.github.io/webauthn/#sctn-sample-registration): change example from using -7 (ES256) to -9 (ESP256) and from -8 (EdDSA) to -50 (Ed25519)

- [`pubKeyCredParams`](https://w3c.github.io/webauthn/#dom-publickeycredentialcreationoptions-pubkeycredparams): update algoritms recommended to RPS:

  >[Relying Parties](https://w3c.github.io/webauthn/#relying-party) that wish to support a wide range of [authenticators](https://w3c.github.io/webauthn/#authenticator) SHOULD include at least the following [COSEAlgorithmIdentifier](https://w3c.github.io/webauthn/#typedefdef-cosealgorithmidentifier) values:
  >
  >- -8 (Ed25519)
  >- -7 (ES256)
  >- -257 (RS256)
  >
  >Additional signature algorithms can be included as needed.

- [§5.8.5. Cryptographic Algorithm Identifier (typedef `COSEAlgorithmIdentifier`)](https://w3c.github.io/webauthn/#sctn-alg-identifier): update examples:
  >A [COSEAlgorithmIdentifier](https://w3c.github.io/webauthn/#typedefdef-cosealgorithmidentifier)’s value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [[IANA-COSE-ALGS-REG]](https://w3c.github.io/webauthn/#biblio-iana-cose-algs-reg), for instance, -7 for "ES256" and -257 for "RS256".

- [§6.5.1.1. Examples of credentialPublicKey Values Encoded in COSE_Key Format](https://w3c.github.io/webauthn/#sctn-encoded-credPubKey-examples): add example(s) using fully-specified ID(s)

- [§6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures](https://w3c.github.io/webauthn/#sctn-signature-attestation-types): add -9 (ESP256) in addition to -7 (ES256)

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2282 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 25 April 2025 14:26:56 UTC