Re: [webauthn] Use fully-specified COSEAlgorithmIdentifiers in examples and recommendations (#2283)

@akshayku Ok, but I don't understand what part of this PR would mean more work for any implementations? We are not replacing the old IDs, only adding the new ones to the set of recommended arguments.

- Current implementations - of authenticators, of clients and of RPs - that only support/request the old IDs will continue to work with the old identifiers.
- New implementations that support/request both IDs will work with both.
- New RP implementations that request only the new IDs will not work with current authenticator implementations that only support the old IDs, so they are incentivized to also request the old IDs.
  - Consequently, existing authenticator implementations do not need to update (even in new versions) and can continue supporting only the old IDs if they wish.
- New authenticator implementations that support only the new IDs will not work with current RP implementations that only request the old IDs, so they are incentivized to also support the old IDs.
  - Consequently, existing RP implementations do not need to update (even in new versions) and can continue requesting only the old IDs if they wish.

So I agree, we're not going to realistically _eliminate_ the old IDs short of a complete ecosystem-wide migration to PQC/etc. But eliminating the old IDs was never a goal either, so I don't see how that is a problem?

Note also that the new IDs will be available for RPs to request and for authenticators to implement _regardless_ of whether we make any change to WebAuthn. The `COSEAlgorithmIdentifier`s are registered, and WebAuthn L1 and L2 allow any `COSEAlgorithmIdentifier` to be used. WebAuthn L3 will too unless we explicitly forbid these specific values ([which would in my opinion be worse](https://github.com/w3c/webauthn/pull/2283#discussion_r2079594682)). All this PR does is inform RPs of this new reality: that for maximum compatibility they should request both the old and new IDs (well ok, it does also carry the format restriction on from `ES*` to `ESP*`, but that is not what introduces the new alg IDs).


-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2283#issuecomment-2894298964 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Tuesday, 20 May 2025 12:53:54 UTC
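
The compatibility cases listed in the comment above, worked through as an added example that is not part of the original message or the WebAuthn specification. It assumes a simplified negotiation model (the authenticator uses the first `pubKeyCredParams` entry it supports), constructed RP and authenticator profiles with hypothetical names, and an RP that lists the new IDs ahead of the old ones; the numeric values are those registered in the IANA COSE Algorithms registry.

```javascript
// COSE algorithm identifiers as registered with IANA.
// "old" = polymorphic IDs, "new" = fully-specified IDs.
const ALG = {
  ES256: -7,    // old: ECDSA with SHA-256, curve not fixed by the ID
  EdDSA: -8,    // old: EdDSA, curve not fixed by the ID
  ESP256: -9,   // new: ECDSA using P-256 and SHA-256
  Ed25519: -19, // new: EdDSA using Ed25519
};

// Simplified model (assumption): the authenticator uses the first entry of
// the RP's pubKeyCredParams that it supports; null means creation fails.
function negotiate(pubKeyCredParams, authenticatorAlgs) {
  const supported = new Set(authenticatorAlgs);
  const hit = pubKeyCredParams.find(
    (p) => p.type === "public-key" && supported.has(p.alg));
  return hit ? hit.alg : null;
}

const params = (...algs) => algs.map((alg) => ({ type: "public-key", alg }));

// Constructed profiles (hypothetical): what each kind of RP requests ...
const RPS = {
  oldOnly: params(ALG.ES256, ALG.EdDSA),
  newOnly: params(ALG.ESP256, ALG.Ed25519),
  both: params(ALG.ESP256, ALG.ES256, ALG.Ed25519, ALG.EdDSA),
};
// ... and what each kind of authenticator supports.
const AUTHENTICATORS = {
  oldOnly: [ALG.ES256],
  newOnly: [ALG.ESP256],
  both: [ALG.ESP256, ALG.ES256],
};

// Rows are RP profiles, columns are authenticator profiles; each cell is the
// negotiated alg ID, or null where the two sides share no identifier.
function compatibilityMatrix() {
  const matrix = {};
  for (const [rp, list] of Object.entries(RPS)) {
    matrix[rp] = {};
    for (const [authr, algs] of Object.entries(AUTHENTICATORS)) {
      matrix[rp][authr] = negotiate(list, algs);
    }
  }
  return matrix;
}

console.table(compatibilityMatrix());
```

Only the two mismatched pairs (new-only RP with old-only authenticator, and the reverse) come out as `null`; any side that lists both IDs interoperates with every profile.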