- From: yanosz via GitHub <sysbot+gh@w3.org>
- Date: Tue, 02 Apr 2019 14:45:22 +0000
- To: public-webauthn@w3.org
yanosz has just created a new issue for https://github.com/w3c/webauthn: == Q: Regarding Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet) == Hello folks, researching webauthn and reading https://paragonie.com/blog/2018/08/security-concerns-surrounding-webauthn-don-t-implement-ecdaa-yet I've few questions in my mind, I have not found an answer, yet. I hope, that this is an appropriate way to reach out: * Is there any statement in the Webauthn-Community answering PIE's concerns regarding the cryptographic protocols? I know https://www.noknok.com/blog-post/nok-nok-labs-addresses-potential-webauthn-protocol-security-concerns/, but this doesn't address the cryptographic details * From my impression, selecting certain algorithms can avoid PKCS1 v1.5 padding. The COSE-registry has a lot of different algorithms. I'm not that into the COSE's terminology, but some algorithms appear to be purely symmetric and cannot be used in conjunction with webauthn. * Is that correct? * https://webauthndemo.appspot.com/ supports -7, -35, -36, -37, -38, -39, -257, -258, -259, including variants with PKCS 1 v1.5. Do you know there reasons? 1 - as required by https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html#other is not among, them. * Is there a best-practice for algorithm-selection, when using webauthn in web apps? I'd be cool to find an answer to these questions. I'm still stumbling. Thanks, in advance, yanosz Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1196 using your GitHub account
Received on Tuesday, 2 April 2019 14:45:24 UTC