Proposal Details
OpenSSH has support for a "webauthn-sk-ecdsa-sha2-nistp256@openssh.com" signature algorithm which was added here: https://github.com/openssh/openssh-portable/commit/bb52e70fa5330070ec9a23069c311d9e277bbd6f
The reasoning is that WebAuthn signatures have a different format to plain FIDO signatures.
I don't believe this is currently supported in x/crypto/ssh.
It would be useful to have this option for FIDO2 webauthn applications.
Comment From: ianlancetaylor
CC @golang/security
Comment From: arianvp
This would require an implementation of WebAuthn in the first place.
Having a WebAuthn implementation in the Go standard library would be useful in general, also for web servers, not just SSH.
Comment From: rolandshoemaker
I don't think we have any concrete plans, but I've been mulling the possibility of adding a webauthn package to the standard library. Having use cases like this is a good motivator.
Comment From: arianvp
I have an implementation internally that only relies on the standard library (and cuts some corners like not doing attestation) that I could try to turn into a start of a proposal. Would a new issue be a better avenue to share that?
Comment From: rolandshoemaker
Yes please, a new issue would be great. Thanks!
Comment From: arianvp
Done https://github.com/golang/go/issues/71095
Comment From: gopherbot
Change https://go.dev/cl/690755 mentions this issue: ssh: WIP add support for WebAuthn ECDSA-SK signature