[webauthn] Lack of support for modern ECC (#1124) from Michał Staruch via GitHub on 2018-12-18 (public-webauthn@w3.org from December 2018)

From: Michał Staruch via GitHub <sysbot+gh@w3.org>
Date: Tue, 18 Dec 2018 11:05:21 +0000
To: public-webauthn@w3.org
Message-ID: <issues.opened-392104822-1545131120-sysbot+gh@w3.org>

MichalStaruch has just created a new issue for https://github.com/w3c/webauthn:

== Lack of support for modern ECC ==
I'd like to know what's WG opinion about cryptography concerns related to WebAuthn, which were raised in [Paragon Initiative analysis](https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet), especially those related to WebAuthn vs modern ECC:
- no support for [EdDSA](https://tools.ietf.org/html/rfc8032) - which is considered superior to ECDSA, and already supported in [TLSv1.3](https://tools.ietf.org/html/rfc8446),
- no support for [Curve25519 and Curve448](https://tools.ietf.org/html/rfc7748) - both are considered superior to NIST curves, and are supported in [TLSv1.3](https://tools.ietf.org/html/rfc8446), too. It's also worth mentioning that Curve25519 is already implemented in every modern browser.

When developing new standard like WebAuthn related to security of wider Internet audience - one that might help shaping web browsers - it would reasonable to take into account work already done by IETF WGs.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1124 using your GitHub account

Received on Tuesday, 18 December 2018 11:05:27 UTC