I was wondering if anything had changed since the PIE blog from August 2018 (Security Concerns Surrounding WebAuthn: Don't Implement ECDAA (Yet)), which also mentions nobody had implemented ECDAA yet so there was time to fix things.
Unless something's happening in FIDO-land where mere mortals like me are not privy to, FIDO ECDAA Algorithm from July 2018 predates the concerns raised in the blog post, so nothing seems addressed.
Unless I'm mistaken, "nobody implemented it" is still the case as well:
Given the recent removal of unimplemented extensions should ECDAA also be removed?
I support removing the ECDAA algorithm.
Nothing has happened in the Fido2 working group.
I think it has been supported in UAF.
There was some theory that UAF authenticators could work through WebAuthn.
I have never really understood how that could work via a browser.
Perhaps you might manage to get it to work in a native APP using a direct connection to a Fido server.
I don't personally see a value to having it in the WebAuthn spec personally.
I'll also point out that this working already decided not to register a COSE algorithm identifier for ECDAA, so this is already unusable. (Compare this to the algorithm identifiers that we are registering in https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-05). We should finish removing ECDAA.
Mike points out that there is no COSE algorithm identifier registered for this so it is not usable anyway.
I have been asked by the WG to create a pull request to remove it.
Most helpful comment
Mike points out that there is no COSE algorithm identifier registered for this so it is not usable anyway.
I have been asked by the WG to create a pull request to remove it.