| | webauthn-minimal | specifications |
|---|---|---|
| Mentions | 1 | 2 |
| Stars | 3 | 148 |
| Growth | - | 0.7% |
| Activity | 0.0 | 5.2 |
| Latest commit | over 1 year ago | 14 days ago |
| Language | Go | |
| License | Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
webauthn-minimal
You shouldn't have your crypto designed by a CEO
FWIW if you don't care about attestation, Webauthn-L2 has client-side helper functions like getPublicKey() that allow you to do the handshake without parsing any CBOR https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy
If you want to check attestation you still need to parse CBOR (and whatever attestation format is inside).
I used this for a minimal webauthn implementation which is under 300 LoC https://github.com/arianvp/webauthn-minimal (WIP)
However, only Chrome seems to implement the L2 spec so far. It feels like WebAuthn is basically abandoned on the Mozilla side of things, as they still haven't finished implementing L1 (it's missing all the CTAP2 stuff) whilst it has been out for more than a year. And there have barely been any WebAuthn-related commits in the past years.
But yeah; in general WebAuthn is a design-by-committee dumpster fire, unfortunately.
specifications
Signing Container with Notary and GitHub Actions on Azure
Notary is a CNCF project that provides a set of tools that help you sign, store, and verify OCI artifacts using OCI-conformant registries. Digitally signing artifacts is one of many steps you can take to secure your software supply chains and improve the security of your software.
You shouldn't have your crypto designed by a CEO
Author of the original medium post here. I had simply never heard of COSE at the time of writing this. There was no conspiracy to bury the spec.
There are a bunch of vague accusations that I'm trying to profit or rent seek off of one of the specs I did write about. I didn't create and I don't maintain any of those. I also wouldn't trust any crypto designed by myself.
The original context for writing this post was discussions around using JOSE in the context of signing container images [1]. I was against it and preferred something simpler.
https://github.com/notaryproject/notaryproject/pull/93
What are some alternatives?
frank_jwt - JSON Web Token implementation in Rust.
rekor - Software Supply Chain Transparency Log
pg-cbor - 🧬🐘 The Concise Binary Object Representation (CBOR) data format (RFC 7049) implemented in pure SQL.
pg-webauthn - 🔐🐘 PostgreSQL WebAuthn Server