All, We reviewed draft-ietf-cose-webauthn-algorithms-01 and only have pair of comments about the security considerations.
Regarding section 5.3: While section 5.2 refers to RFC7518's guidance, currently 5.3 does not. Perhaps note in 5.3 something akin to "if you have an existing implementation, the exponent restrictions from RFC7518 also apply." Regarding section 5.4: The first sentence uses the FIPS186-3 form P-256 when everything else in this document would imply we'd refer to it as secp256r1, though rfc8152bis uses the P-256 form. Perhaps all readers of this document would be able to avoid confusion, but since it's a section _about_ confusion, it seems worth pointing out. Perhaps a parenthetical could be added? Kevin Jacobs and J.C. Jones _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
