"signature formats" section is underspecified #1441

Closed
equalsJeffH opened this issue Jun 15, 2020 · 3 comments · Fixed by #1488


equalsJeffH commented Jun 15, 2020

@arianvp noted in closed issue #1124 (here and here) that (edited somewhat):

6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
does not specify what the format is for signature when it is not one of ES256, RS256, PS256.

The NOTE does mention that it is "recommended" that any new signature formats will directly correspond to the COSE signature field, but the NOTE is not normative.

Hence, the signature field seems underspecified to me currently, and it's not clear to me as an implementor of a Relying Party how it should be interpreted from the standard alone.

[I've looked at] how other webauthn Relying Parties implement this, and indeed they use the COSE format for signatures for EdDSA; but when doing a clean-room implementation of the standard it's currently not possible to come to this conclusion, which might be problematic.

@selfissued

The Signature Formats section https://w3c.github.io/webauthn/#sctn-signature-attestation-types already lists specific encodings for ES256, RS256, and PS256. We should add specific guidance for other supported formats, including EdDSA, ES256K, etc. What algorithms am I missing? We should leave the non-normative guidance for algorithms still TBD, but I don't think we should create normative requirements for signature formats that don't exist yet.

I believe that @ve7jtb has a related PR to add some of this already. Can someone add a link to that in this issue?
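
An added example, not part of the issue thread or the specification text, showing why the encoding has to be pinned down per algorithm on the Relying Party side: an ES256 `sig` is an ASN.1 DER Ecdsa-Sig-Value, while COSE represents the same signature as fixed-length r || s, and the RSA formats are unwrapped byte strings. The function names, the `rsa_modulus_len` parameter and the 64-byte EdDSA branch (the COSE layout that the issue reports other Relying Parties use) are assumptions of this sketch.

```python
ES256, EDDSA, PS256, RS256 = -7, -8, -37, -257  # COSE alg ids; all names below are hypothetical

def _read_len(buf, i):
    """Read a DER length at buf[i]; return (length, next index)."""
    head = buf[i:i + 2]
    if head and head[0] < 0x80:
        return head[0], i + 1
    if len(head) < 2 or head[0] != 0x81 or head[1] < 0x80:
        raise ValueError("bad or non-minimal DER length")
    return head[1], i + 2

def _read_int(buf, i):
    """Read one non-negative, minimally encoded DER INTEGER."""
    if buf[i:i + 1] != b"\x02":
        raise ValueError("expected INTEGER")
    length, i = _read_len(buf, i + 1)
    body = buf[i:i + length]
    if length == 0 or len(body) != length or body[0] & 0x80:
        raise ValueError("truncated or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big"), i + length

def der_ecdsa_to_raw(sig, size=32):
    """ASN.1 DER Ecdsa-Sig-Value -> fixed-length r || s (the COSE layout)."""
    if len(sig) < 2 or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = _read_len(sig, 1)
    if i + length != len(sig):
        raise ValueError("SEQUENCE length does not match input")
    r, i = _read_int(sig, i)
    s, i = _read_int(sig, i)
    if i != len(sig) or max(r, s) >> (8 * size):
        raise ValueError("trailing data or integer too large")
    return r.to_bytes(size, "big") + s.to_bytes(size, "big")

def signature_layout(alg, sig, rsa_modulus_len=256):
    """Classify a WebAuthn `sig` by COSE alg; return (layout, bytes for the verifier)."""
    if alg == ES256:
        return "der-ecdsa", der_ecdsa_to_raw(sig)
    if alg in (RS256, PS256) and len(sig) == rsa_modulus_len:
        return "raw-rsa", sig  # modulus-length, no ASN.1 wrapper
    if alg == EDDSA and len(sig) == 64:
        return "cose-raw", sig  # assumption: COSE layout for Ed25519
    # Fail closed rather than guess an encoding the caller has not defined.
    raise ValueError(f"unknown alg or wrong signature length for COSE alg {alg}")
```

A raw r || s blob submitted under ES256 fails the DER parse instead of being silently accepted, and an algorithm with no defined encoding is rejected outright.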


nadalin commented Jun 24, 2020

@ve7jtb to look at adding wording

@equalsJeffH

I think this issue can be moved to a milestone beyond WD-03.

@equalsJeffH equalsJeffH added the stat:puntable Issue or PR that is candidate to move to a later milestone label Jul 1, 2020
@nadalin nadalin removed the stat:puntable Issue or PR that is candidate to move to a later milestone label Jul 21, 2020