webauthn-minimal VS specifications

FWIW if you don't care about attestation, Webauthn-L2 has client-side helper functions like getPublicKey() that allow you to do the handshake without parsing any CBOR https://www.w3.org/TR/webauthn-2/#sctn-public-key-easy

If you want to check attestation you still need to parse CBOR (and whatever attestation format is inside.)

I used this for a minimal webauthn implementation which is under 300 LoC https://github.com/arianvp/webauthn-minimal (WIP)

However only Chrome seems to implement the L2 spec so far. It feels like Webauthn is basically abandoned on Mozilla side of things as they still haven't finished implementing L1 (It's missing all the CTAP2 stuff) whilst it has been out for more than a year. And there have barely been any Webauthn-related commits in the past years.

But yeh; in general webauthn is a design-by-committee dumpster fire; unfortunately.

Notary is a CNCF project that provides a set of tools that help you sign, store, and verify OCI artifacts using OCI-conformant registries. Digitally signing artifacts is one of many steps you can take to secure your software supply chains and improve the security of your software.

Author of the original medium post here. I had simply never heard of COSE at the time of writing this. There was no conspiracy to bury the spec.

There are a bunch of vague accusations that I'm trying to profit or rent seek off of one of the specs I did write about. I didn't create and I don't maintain any of those. I also wouldn't trust any crypto designed by myself.

The original context for writing this post was discussions around using JOSE in the context of signing container images [1]. I was against it and preferred something simpler.

https://github.com/notaryproject/notaryproject/pull/93