New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unclear whether compressed curve points need to be supported by RPs #1447
Comments
I would also be interested if anybody could shed some light how a simple formula like:
has IPR issues as I couldn't find any reference to it in the RFC. After some browsing I found https://patents.google.com/patent/US6130946A/en which is expired. Not supporting compressed points and not recommending them will lead to many implementation mistakes where people miss a I see that ECDAA was recently removed from Webauthn #1410 I would suggest two things going forward:
|
IPR is Intellectual property rights I agree with making it clear that people need to validate uncompressed points. |
on 2020-07-01 call: @agl proposes we add a note to L2 webauthn spec to ban compressed points. arguably it is a spec bug in that we are not as precise as we ought to be. |
Lets also add language that you need to explicitly validate any public key to make sure it's on the curve to stop invalid curve attacks |
As noted, we decided to prohibit compressed points rather than explicitly support them. Uncompressed points are the norm so we can, at most, add to that baseline. Since there's no utility in saving a small number of bytes in this context, we've chosen to eliminate the option instead. (In practice, even if we technically required support for compressed points, support would be threadbare and they would not be practically usable anyway.) As for calling out point validation: there are lots of checks needed during signature validation and we don't want to reproduce every signature algorithm specification in WebAuthn. However, having skimmed over the two ECDSA references, I admit that point validation is not highlighted in them, so I'll put that in too. (Although, if an attacker can substitute a public key during registration, there are larger problems. So it's just to catch errors in the authenticator.) |
COSE_Key supports storing compressed points (https://tools.ietf.org/html/rfc8152#section-13.1.1):
if
y
is a boolean, consider it the sign ofx
, ify
is abstr
consider it an uncompressed point.However it's not clear for my from the Webauthn spec if compressed points need to be supported.
Especially https://w3c.github.io/webauthn/#sctn-public-key-easys says:
which suggests
kty = 2
always implies uncompressed points but this formulation is not normative and the COSE RFC says compressed points are not recommended due to IPR issues (what is IPR?) but that advise is also not normativeThe text was updated successfully, but these errors were encountered: