Webauthn: Remove ECDAA?

Created on 28 Apr 2020  路  4Comments  路  Source: w3c/webauthn

I was wondering if anything had changed since the PIE blog from August 2018 (Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)), which also mentions nobody had implemented ECDAA yet so there was time to fix things.

Unless something's happening in FIDO-land where mere mortals like me are not privy to, FIDO ECDAA Algorithm from July 2018 predates the concerns raised in the blog post, so nothing seems addressed.

Unless I'm mistaken, "nobody implemented it" is still the case as well:

  • I scanned the Chromium and Firefox sources and couldn't find support
  • nothing in the MDS either
  • the only public discussion seemed to have been https://github.com/w3c/webauthn/issues/1196 and nothing on the fido-dev mailing list

Given the recent removal of unimplemented extensions should ECDAA also be removed?

pr-open technical

Most helpful comment

Mike points out that there is no COSE algorithm identifier registered for this so it is not usable anyway.
I have been asked by the WG to create a pull request to remove it.

All 4 comments

I support removing the ECDAA algorithm.

Nothing has happened in the Fido2 working group.
I think it has been supported in UAF.
There was some theory that UAF authenticators could work through WebAuthn.
I have never really understood how that could work via a browser.
Perhaps you might manage to get it to work in a native APP using a direct connection to a Fido server.
I don't personally see a value to having it in the WebAuthn spec personally.

I'll also point out that this working already decided not to register a COSE algorithm identifier for ECDAA, so this is already unusable. (Compare this to the algorithm identifiers that we are registering in https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-05). We should finish removing ECDAA.

Mike points out that there is no COSE algorithm identifier registered for this so it is not usable anyway.
I have been asked by the WG to create a pull request to remove it.

Was this page helpful?
0 / 5 - 0 ratings