Recommend that RPs store the signature algorithm?

[subyraman]

Hello all! The spec indicates that during registration RPs should store the public key and credential ID. Later it says that during authentication the RP should verify that the authenticator produced a valid signature using the public key.

It seems to me like the RP should also store the signature algorithm (credentialPublicKey.alg) during registration in order to know how to properly verify assertion signatures for a given credential, since the algorithm is not provided in the PublicKeyCredential object received during authentication.

Does that seem correct?

[equalsJeffH]

well, the section you cite, 7.1. Registering a new credential, says (in pertinent part):

18. ... register the new credential with the account that was denoted in the options.user passed to create(), by associating it with the credentialId and credentialPublicKey ...

..and credentialPublicKey is a "COSE_Key-encoded" value and it "... MUST contain the optional "alg" parameter..." as well as the credential public key itself (and other stuff). See the examples in 6.3.1.1. Examples of credentialPublicKey Values encoded in COSE_Key format .

So I'm thinking we're good and we already effectively "store the signature algorithm (credentialPublicKey.alg)", yes?

If so then we can close this?

[emlun]

Thanks @subyraman for asking! I was just about to say the same thing as @equalsJeffH; I agree we can close this.

[subyraman]

Thanks for the fast clarification @emlun and @equalsJeffH! You both are correct, I was not thinking about the 'credentialPublicKey' as an object. Closing.