Remove ECDAA? #1410

Closed
bdewater opened this issue Apr 28, 2020 · 4 comments · Fixed by #1418

Comments

@bdewater

I was wondering if anything had changed since the PIE blog from August 2018 (Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)), which also mentions nobody had implemented ECDAA yet so there was time to fix things.

Unless something's happening in FIDO-land that mere mortals like me are not privy to, FIDO ECDAA Algorithm from July 2018 predates the concerns raised in the blog post, so nothing seems addressed.

Unless I'm mistaken, "nobody implemented it" is still the case as well:

Given the recent removal of unimplemented extensions, should ECDAA also be removed?

@selfissued
Contributor

I support removing the ECDAA algorithm.

@ve7jtb
Contributor

ve7jtb commented Apr 28, 2020

Nothing has happened in the FIDO2 working group.
I think it has been supported in UAF.
There was some theory that UAF authenticators could work through WebAuthn.
I have never really understood how that could work via a browser.
Perhaps you might manage to get it to work in a native app using a direct connection to a FIDO server.
I don't personally see a value to having it in the WebAuthn spec personally.

@nadalin nadalin added this to the L2-WD-03 milestone Apr 29, 2020
@selfissued
Contributor

I'll also point out that this working group already decided not to register a COSE algorithm identifier for ECDAA, so this is already unusable. (Compare this to the algorithm identifiers that we are registering in https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-05). We should finish removing ECDAA.

@ve7jtb
Contributor

ve7jtb commented Apr 29, 2020

Mike points out that there is no COSE algorithm identifier registered for this so it is not usable anyway.
I have been asked by the WG to create a pull request to remove it.

@nadalin nadalin assigned agl and unassigned ve7jtb May 20, 2020
agl added a commit to agl/webauthn that referenced this issue May 20, 2020
MasterKale added a commit to MasterKale/SimpleWebAuthn that referenced this issue May 23, 2020
equalsJeffH pushed a commit that referenced this issue May 27, 2020
* Remove mentions of ECDAA.

Fixes #1410

* Remove some other references.

(I forgot to search for “ecdaa” in lowercase.)
bdewater added a commit to bdewater/webauthn-ruby that referenced this issue May 28, 2020
It was never implemented by browser vendors or authenticator manufacturers, see w3c/webauthn#1410