clarify content of algorithm member of ScopedCredentialParameters #113
Comments
The generation of keys based on the requested crypto parameters is currently specified as a "best effort" activity. From Section 4.1.1 makeCredential:
I believe you are misunderstanding the meaning of the prose you quote above. That prose in {#makeCredential} section is regarding the sequence of cryptoParameters passed into the makeCredential() promise. It is regarding (a) how the RP denotes the priority of the cryptoparameters it desires, and (b) how the platform selects which entry of the cryptoParameters sequence it honors. This is orthogonal to the theme of the original issue above.
The words "desired" and "best effort" led me to believe that Returning to your question about how much detail an RP App should provide in specifying a credential, isn't this already addressed by the definition of PS - Hopefully it's obvious, but we may want to specify that the
I do not think that is the case given how the spec is currently written 2b72ddf, specifically in section {#makeCredential}
yes, it seems that one could complete step 5 in {#makeCredential} having a zero-length
yes, that is understood, though it is tough (at least it was for me) to parse out of the WebCrypto spec and we may wish to include some sort of example or guidance in the WebAuthn spec. In any case, I believe the "algorithm member" language cited at the beginning of the issue merits polishing.
Agreed, I had noticed that also. Additionally they need to support key
in https://w3c.github.io/webauthn/#credential-params, the statement..
ought to be something more akin to..
..and further refinement beyond that may be needed:
I.e., a question is just how much of gnarly key generation params ought an RP webapp be supplying, and how much does the underlying client platform supply?
See https://www.w3.org/TR/WebCryptoAPI/#examples-section for an example of the full unabridged key gen params used to generate an RSA key pair. Perhaps the RP webapp could pass in only as much as it cares/needs to specify..
..on the makeCredential() method, and the underlying platform takes care of the other details (i.e., modulusLength, publicExponent, and hash), or it could pass in..
..or the complete algorithmIdentifier as shown in the webcrypto spec example..
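The split described above, where the RP names only what it cares about and the platform supplies the remaining key generation parameters, can be sketched as follows. This is an added example, not part of the original issue or the WebAuthn spec: `normalizeAlgorithm`, `generateCredentialKeyPair`, the default table and the 2048-bit floor are assumptions made for illustration; the parameter names and values follow the WebCrypto RSA key generation dictionary.

```javascript
// Hypothetical platform-side completion of an RP-supplied algorithm value.
// The defaults and the minimum modulus size are assumptions for this example.
const PLATFORM_DEFAULTS = {
  "RSASSA-PKCS1-v1_5": {
    modulusLength: 2048,
    publicExponent: new Uint8Array([0x01, 0x00, 0x01]), // 65537
    hash: { name: "SHA-256" },
  },
  "ECDSA": { namedCurve: "P-256" },
};
const MIN_RSA_MODULUS_BITS = 2048; // assumed platform policy floor

// Accepts a bare name, a partial dictionary, or a complete WebCrypto dictionary.
function normalizeAlgorithm(requested) {
  const partial =
    typeof requested === "string" ? { name: requested } : { ...requested };
  if (typeof partial.name !== "string") {
    throw new TypeError("algorithm must carry a name");
  }
  // WebCrypto algorithm names are matched case-insensitively.
  const canonical = Object.keys(PLATFORM_DEFAULTS).find(
    (n) => n.toLowerCase() === partial.name.toLowerCase());
  if (!canonical) {
    throw new Error(`NotSupportedError: ${partial.name}`);
  }
  // Members the RP specified win; the platform fills in the rest.
  const full = { ...PLATFORM_DEFAULTS[canonical], ...partial, name: canonical };
  if (typeof full.hash === "string") full.hash = { name: full.hash };
  // An RP override must not weaken the key below the platform floor.
  if ("modulusLength" in full && full.modulusLength < MIN_RSA_MODULUS_BITS) {
    throw new RangeError(`modulusLength ${full.modulusLength} is below the platform floor`);
  }
  return full;
}

// Passes the completed dictionary to WebCrypto; the key is non-extractable.
async function generateCredentialKeyPair(requested) {
  return globalThis.crypto.subtle.generateKey(
    normalizeAlgorithm(requested), false, ["sign", "verify"]);
}

// Name only, then a partial dictionary that overrides just the hash.
console.log(normalizeAlgorithm("RSASSA-PKCS1-v1_5"));
console.log(normalizeAlgorithm({ name: "RSASSA-PKCS1-v1_5", hash: "SHA-384" }));
```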