- From: philomathic_life via GitHub <noreply@w3.org>
- Date: Thu, 02 Apr 2026 18:21:59 +0000
- To: public-webauthn@w3.org
I'd be happy to submit a PR to address this. I've recently added support for ML-DSA-87, ML-DSA-65, and ML-DSA-44 to my WebAuthn library; so I've already done the work of adding unit tests. I have a couple related questions: 1. Shouldn't we have examples of attested credentials whose attestation signature is based on the other algorithms? Currently all attested credentials use an ES256 key to generate the attestation signature. 2. Shouldn't the `extraData` that is sometimes generated be used as key in the `clientDataJSON` object and not as part of the value? I believe Chrome, for example, randomly generates a key sometimes to add to `clilentDataJSON` to prevent RPs from only expecting certain keys. I can see RPs potentially hard-coding `extraData` as a key whose value is simply ignored when the correct approach is to ignore all unexpected key-value pairs. -- GitHub Notification of comment by zacknewman Please view or discuss this issue at https://github.com/w3c/webauthn/issues/2393#issuecomment-4179641944 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Thursday, 2 April 2026 18:22:01 UTC