Re: [webauthn] Mention fully-specified COSEAlgorithmIdentifiers in examples and recommendations (#2283)

> I will say that removing the restriction for `ESP*` IDs to allow them to be encoded as octet-key pairs (OKPs) [...]

COSE does not allow encoding `ESP*` keys with the OKP type. ECDSA public keys are required to use the EC2 key type; see [RFC 9053 §7.1. Elliptic Curve Keys](https://www.rfc-editor.org/rfc/rfc9053.html#name-elliptic-curve-keys) and [RFC 9053 §2.1. ECDSA](https://www.rfc-editor.org/rfc/rfc9053.html#section-2.1):

> When using a COSE key for this algorithm, the following checks are made:
> - The "kty" field MUST be present, and it MUST be "EC2".
> [...]

Only Edwards curve keys (currently) are allowed (and indeed required) to use OKP, and yes, [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032.html) defines a single canonical encoding for EdDSA keys.

Rather, it's the EC2 key type that has two variants: compressed or uncompressed y coordinate.

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/2283#issuecomment-2897402939 using your GitHub account
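As an added illustration of the kty/alg pairing discussed in the comment (this is not code from the WebAuthn spec, the PR, or emlun), the following checks a CBOR-decoded COSE_Key against the RFC 9053 rules and expands a compressed EC2 y-coordinate; it assumes the key has already been decoded into a dict keyed by COSE integer labels, and that the boolean `y` follows the SEC1 sign-bit convention (true = odd y).

```python
# Added example (not from the WebAuthn spec, the PR, or emlun's comment):
# validate the kty/alg pairing of a CBOR-decoded COSE_Key and expand a
# compressed EC2 y-coordinate. Assumes the key is already decoded into a
# dict keyed by COSE integer labels. Registry values: kty OKP=1, EC2=2;
# alg ES256=-7, ESP256=-9, EdDSA=-8, Ed25519=-19; crv P-256=1, Ed25519=6.
KTY, ALG, CRV, X, Y = 1, 3, -1, -2, -3
OKP, EC2 = 1, 2
ECDSA_ALGS = {-7: "ES256", -9: "ESP256", -35: "ES384", -51: "ESP384",
              -36: "ES512", -52: "ESP512"}              # all require kty EC2
EDDSA_ALGS = {-8: "EdDSA", -19: "Ed25519", -53: "Ed448"}  # all require kty OKP

# P-256 field prime and curve constant b (FIPS 186 / SEC 2), used only to
# expand a compressed y-coordinate; y^2 = x^3 - 3x + b (mod p).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b


def decompress_p256_y(x: bytes, y_is_odd: bool) -> bytes:
    """Recover y from x and the SEC1 sign bit (assumed: True means odd y)."""
    xi = int.from_bytes(x, "big")
    rhs = (pow(xi, 3, P256_P) - 3 * xi + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)   # p = 3 mod 4, so this is a sqrt
    if (y * y) % P256_P != rhs:
        raise ValueError("x is not the abscissa of a P-256 point")
    if bool(y & 1) != y_is_odd:
        y = P256_P - y
    return y.to_bytes(32, "big")


def check_cose_key(key: dict) -> dict:
    """Reject kty/alg mismatches; return a normalised view of the key."""
    kty, alg = key.get(KTY), key.get(ALG)
    if alg in ECDSA_ALGS:
        if kty != EC2:
            raise ValueError(f"{ECDSA_ALGS[alg]} keys must use kty EC2, got {kty}")
        x, y = key[X], key[Y]
        if isinstance(y, bool):               # compressed form: y is the sign bit
            if key.get(CRV) != 1:
                raise ValueError("decompression only implemented for P-256 here")
            y = decompress_p256_y(x, y)
        return {"alg": ECDSA_ALGS[alg], "kty": "EC2", "x": x, "y": y}
    if alg in EDDSA_ALGS:
        if kty != OKP:
            raise ValueError(f"{EDDSA_ALGS[alg]} keys must use kty OKP, got {kty}")
        return {"alg": EDDSA_ALGS[alg], "kty": "OKP", "x": key[X]}
    raise ValueError(f"unsupported alg {alg}")
```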


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 21 May 2025 10:13:53 UTC