"signature formats" section is underspecified #1441

@equalsJeffH

@arianvp noted in closed issue #1124 (here and here) that (edited somewhat):

6.5.5. Signature Formats for Packed Attestation, FIDO U2F Attestation, and Assertion Signatures
does not specify what the format is for signature when it is not one of ES256, RS256, PS256.

The NOTE does mention that it is "recommended" that any new signature formats will directly correspond to the COSE signature field, but the NOTE is not normative.

Hence, the signature field seems underspecified to me currently, and it's not clear to me as an implementor of a Relying Party how it should be interpreted from the standard alone.

[I've looked at] how other WebAuthn Relying Parties implement this, and indeed they use the COSE format for signatures for EdDSA; but when doing a clean-room implementation of the standard it's currently not possible to come to this conclusion, which might be problematic.
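The gap described in this issue, as an added example (not code from the specification or from any Relying Party library): a signature-format dispatcher that parses ES256 signatures as DER `Ecdsa-Sig-Value`, passes RS256 and PS256 through unwrapped, and fails closed for any algorithm whose format the section does not define. The function names are hypothetical, and the EdDSA branch is an assumption that follows the non-normative NOTE (COSE-style raw signature, 64 bytes for Ed25519).

```python
# COSE algorithm identifiers (IANA COSE Algorithms registry).
ES256, EDDSA, PS256, RS256 = -7, -8, -37, -257

def _der_int(buf, pos):
    """Read one short-form DER INTEGER at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02 or buf[pos + 1] >= 0x80:
        raise ValueError("expected short-form DER INTEGER")
    length, start = buf[pos + 1], pos + 2
    body = buf[start:start + length]
    if len(body) != length or length == 0 or body[0] & 0x80:
        raise ValueError("truncated, empty or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(body, "big"), start + length

def parse_ecdsa_der(sig):
    """Strictly parse Ecdsa-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    if len(sig) < 2 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("not a single short-form DER SEQUENCE")
    r, pos = _der_int(sig, 2)
    s, pos = _der_int(sig, pos)
    if pos != len(sig) or r >> 256 or s >> 256:
        raise ValueError("trailing bytes or value too large for P-256")
    return r, s

def signature_wire_format(alg, sig):
    """Return (format_name, bytes_for_verifier); raise if the format is unknown."""
    if alg == ES256:
        r, s = parse_ecdsa_der(sig)
        # Fixed-width r||s, the form many verification APIs expect for P-256.
        return "der-ecdsa", r.to_bytes(32, "big") + s.to_bytes(32, "big")
    if alg in (RS256, PS256):
        return "raw-rsa", sig  # used as-is, not ASN.1 wrapped
    if alg == EDDSA:
        # Assumption: not normative in the section this issue discusses.
        # Treated as a COSE-style raw signature; 64 bytes assumes Ed25519.
        if len(sig) != 64:
            raise ValueError("expected 64-byte Ed25519 signature")
        return "cose-raw (assumed)", sig
    raise ValueError(f"signature format not specified for COSE alg {alg}")

# Constructed sample: r has its top bit set, so DER prefixes it with 0x00.
SAMPLE_R = b"\x80" + b"\x11" * 31
SAMPLE_S = b"\x22" * 32
SAMPLE_DER = b"\x30\x45\x02\x21\x00" + SAMPLE_R + b"\x02\x20" + SAMPLE_S
```

Feeding the same ES256 signature in raw `r||s` form raises `ValueError`, which is the interoperability failure a Relying Party hits when it has to guess the encoding.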