- From: Akshay Kumar via GitHub <sysbot+gh@w3.org>
- Date: Mon, 19 May 2025 16:08:46 +0000
- To: public-webauthn@w3.org
> If I understand correctly, the existing webauthn behavior is that in cases where an algorithm worked with multiple curves, webauthn chose a curve, and does not support all the curves for that algorithm, is that correct?

Yes

> Just for my own clarity are there any hardware devices out there that use -7 with a curve other than P-256?

No. AFAIK from over the years.

> In other words, does webauthn make use of the "feature" that -7 works with P-384 and P-521, or does it just ignore that possibility, and assume that -7 is always with P-256? (and by webauthn, I really mean devices that can't be updated, as opposed to the spec itself)

We always assume that -7 is ECDSA with P-256. Similarly with others (-8, -35, -36). We have put the below descriptions in the spec.

> Keys with algorithm ES256 (-7) MUST specify P-256 (1) as the [crv](https://tools.ietf.org/html/rfc9053#name-double-coordinate-curves) parameter and MUST NOT use the compressed point form.

> Keys with algorithm ES384 (-35) MUST specify P-384 (2) as the [crv](https://tools.ietf.org/html/rfc9053#name-double-coordinate-curves) parameter and MUST NOT use the compressed point form.

> Keys with algorithm ES512 (-36) MUST specify P-521 (3) as the [crv](https://tools.ietf.org/html/rfc9053#name-double-coordinate-curves) parameter and MUST NOT use the compressed point form.

> Keys with algorithm EdDSA (-8) MUST specify Ed25519 (6) as the [crv](https://tools.ietf.org/html/rfc9053#name-double-coordinate-curves) parameter. (These always use a compressed form in COSE.)

--
GitHub Notification of comment by akshayku
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2283#issuecomment-2891567189 using your GitHub account

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 19 May 2025 16:08:47 UTC
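
The alg/crv pairing quoted in the message above, written as a relying-party check (an added example, not part of the original message and not code from the WebAuthn spec or any library). It assumes the credential public key has already been CBOR-decoded into a Python dict keyed by COSE integer labels; the function name `check_cose_key`, the kty check, and the coordinate-length check (fixed-width encoding per RFC 9053) are assumptions added for illustration.

```python
# Added example: enforce the WebAuthn alg -> crv binding on a decoded COSE_Key map.
KTY, ALG, CRV, X, Y = 1, 3, -1, -2, -3   # COSE key parameter labels (RFC 9052/9053)
KTY_OKP, KTY_EC2 = 1, 2                  # COSE key types

# alg -> (name, required kty, required crv, coordinate length in bytes)
REQUIRED = {
    -7:  ("ES256", KTY_EC2, 1, 32),  # P-256
    -35: ("ES384", KTY_EC2, 2, 48),  # P-384
    -36: ("ES512", KTY_EC2, 3, 66),  # P-521
    -8:  ("EdDSA", KTY_OKP, 6, 32),  # Ed25519
}

def check_cose_key(key):
    """Return a list of violations; an empty list means the key is acceptable."""
    alg = key.get(ALG)
    if alg not in REQUIRED:
        return [f"alg {alg!r} is not one of -7, -35, -36, -8"]
    name, kty, crv, size = REQUIRED[alg]
    problems = []
    if key.get(KTY) != kty:
        problems.append(f"{name}: kty must be {kty}, got {key.get(KTY)!r}")
    if key.get(CRV) != crv:
        # COSE alone would allow e.g. -7 with P-384; WebAuthn does not.
        problems.append(f"{name}: crv must be {crv}, got {key.get(CRV)!r}")
    x = key.get(X)
    if not isinstance(x, bytes) or len(x) != size:
        problems.append(f"{name}: x must be a {size}-byte string")
    if kty == KTY_EC2:
        y = key.get(Y)
        if isinstance(y, bool):
            # In COSE, a boolean y is the sign bit of a compressed point.
            problems.append(f"{name}: compressed point form is not allowed")
        elif not isinstance(y, bytes) or len(y) != size:
            problems.append(f"{name}: y must be a {size}-byte string")
    return problems

if __name__ == "__main__":
    # Constructed sample keys (zero bytes stand in for real coordinates).
    samples = {
        "ES256 on P-256": {KTY: 2, ALG: -7, CRV: 1, X: bytes(32), Y: bytes(32)},
        "ES256 on P-384": {KTY: 2, ALG: -7, CRV: 2, X: bytes(48), Y: bytes(48)},
        "ES256 compressed": {KTY: 2, ALG: -7, CRV: 1, X: bytes(32), Y: True},
        "EdDSA on Ed25519": {KTY: 1, ALG: -8, CRV: 6, X: bytes(32)},
    }
    for label, key in samples.items():
        print(label, "->", check_cose_key(key) or "ok")
```

The check only validates the structure of the key; it does not verify that the coordinates are a valid point on the curve, which the signature library should still do.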