webauthn icon indicating copy to clipboard operation
webauthn copied to clipboard

Published 20 hours ago verified publisher icon w3c

Make AuthenticatorAttestationResponseJSON.publicKeyAlgorithm a long

Open zacknewman opened this issue 9 months ago • 2 comments

COSEAlgorithmIdentifier is defined as a long, but AuthenticatorAttestationResponseJSON.publicKeyAlgorithm is a long long. While RPs are likely based on 64-bit platforms, it seems unnecessary to require 64-bit signed integers when a 32-bit signed integer is sufficient. What is the reason for this deviation? Is it based on "common" JSON libraries that model numbers as 64-bit signed integers?

zacknewman avatar May 01 '24 21:05 zacknewman

Thanks for pointing this out!

2024-05-15 WG call: AuthenticatorAttestationResponseJSON was added in the L3 drafts, so we can easily change AuthenticatorAttestationResponseJSON.publicKeyAlgorithm to type long (or COSEAlgorithmIdentifier) since L3 isn't formally released yet. AuthenticatorAttestationResponseJSON.publicKeyAlgorithm is also in output (covariant) position, so changing its type to be more restrictive is even backwards compatible.

emlun avatar May 15 '24 20:05 emlun

I support this change. As discussed in last weeks' call, ff you look at the COSE algorithm registration rules, it's the numbers outside the 16-bit spaces that are clearly outliers. There's no hint of ever going beyond 32-bit identifiers.

selfissued avatar May 20 '24 06:05 selfissued