[webauthn] Unclear whether compressed curve points need to be supported by RPs (#1447)

arianvp has just created a new issue for https://github.com/w3c/webauthn:

== Unclear whether compressed curve points need to be supported by RPs ==
COSE_Key supports storing compressed points (https://tools.ietf.org/html/rfc8152#section-13.1.1):

if `y` is a boolean, consider it the sign of `x`; if `y` is a `bstr`, consider it an uncompressed point.

However, it's not clear to me from the WebAuthn spec whether compressed points need to be supported.
Especially https://w3c.github.io/webauthn/#sctn-public-key-easys says:
> User agents MUST be able to return a non-null value for getPublicKey() when the credential public key has a COSEAlgorithmIdentifier value of:
>   -7 (ES256), where kty is 2 (uncompressed points) and crv is 1 (P-256).

which suggests `kty = 2` always implies uncompressed points, but this formulation is not normative, and the COSE RFC says compressed points are not recommended due to IPR issues (what is IPR?), but that advice is also not normative:

> The latter encoding has not been recommended in the IETF due to potential IPR issues.



Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1447 using your GitHub account

Received on Sunday, 28 June 2020 11:12:41 UTC
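
What accepting both encodings of the EC2 `y` parameter from RFC 8152 section 13.1.1 involves on the RP side, as an added example that is not part of the issue or of either specification. It assumes the COSE_Key is already CBOR-decoded into a Python dict with integer labels; `ec2_point` and `on_curve` are names chosen here, and the sample keys are constructed from the P-256 base point.

```python
# Added example: P-256 (secp256r1) parameters. The COSE_Key is assumed to be
# already CBOR-decoded into a dict keyed by COSE integer labels.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

def on_curve(x, y):
    """True if (x, y) satisfies y^2 = x^3 + ax + b over GF(P)."""
    return (y * y - (x * x * x + A * x + B)) % P == 0

def ec2_point(cose_key):
    """Return (x, y, was_compressed) for an EC2 / P-256 COSE_Key map."""
    # Labels: 1 = kty, -1 = crv, -2 = x, -3 = y (RFC 8152 section 13.1.1).
    if cose_key.get(1) != 2 or cose_key.get(-1) != 1:
        raise ValueError("expected kty=2 (EC2) and crv=1 (P-256)")
    xb, y_field = cose_key.get(-2), cose_key.get(-3)
    if not isinstance(xb, bytes) or len(xb) != 32:
        raise ValueError("x must be a 32-byte bstr")
    x = int.from_bytes(xb, "big")
    if x >= P:
        raise ValueError("x is not a field element")
    if isinstance(y_field, bool):
        # Compressed form: y carries only the SEC1 sign bit (low bit of y).
        # P % 4 == 3, so a square root is a single modular exponentiation.
        rhs = (x * x * x + A * x + B) % P
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P != rhs:
            raise ValueError("x is not the x-coordinate of a curve point")
        if bool(y & 1) != y_field:
            y = P - y
        compressed = True
    elif isinstance(y_field, bytes) and len(y_field) == 32:
        y = int.from_bytes(y_field, "big")
        compressed = False
    else:
        raise ValueError("y must be a bool or a 32-byte bstr")
    if y >= P or not on_curve(x, y):
        raise ValueError("point is not on P-256")
    return x, y, compressed

# Constructed sample: the P-256 base point G in both encodings.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
_XB = GX.to_bytes(32, "big")
UNCOMPRESSED = {1: 2, 3: -7, -1: 1, -2: _XB, -3: GY.to_bytes(32, "big")}
COMPRESSED = {1: 2, 3: -7, -1: 1, -2: _XB, -3: bool(GY & 1)}

if __name__ == "__main__":
    for key in (UNCOMPRESSED, COMPRESSED):
        print(ec2_point(key))
```

An RP that chooses to accept only uncompressed points can reject the `bool` branch outright instead of decompressing.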