We wrote the specification COSE and JOSE Registrations for WebAuthn Algorithms to create and register COSE and JOSE algorithm and elliptic curve identifiers for algorithms used by WebAuthn and CTAP2 that didn’t yet exist. I’m happy to report that all these registrations are now complete and the specification has progressed to the RFC Editor. Thanks to the COSE working group for supporting this work.
Search for WebAuthn in the IANA COSE Registry and the IANA JOSE Registry to see the registrations. These are now stable and can be used by applications, both in the WebAuthn/FIDO2 space and for other application areas, including decentralized identity (where the
secp256k1 “bitcoin curve” is in widespread use).
The algorithms registered are:
RS256— RSASSA-PKCS1-v1_5 using SHA-256 — new for COSE
RS384— RSASSA-PKCS1-v1_5 using SHA-384 — new for COSE
RS512— RSASSA-PKCS1-v1_5 using SHA-512 — new for COSE
RS1— RSASSA-PKCS1-v1_5 using SHA-1 — new for COSE
ES256K— ECDSA using secp256k1 curve and SHA-256 — new for COSE and JOSE
The elliptic curves registered are:
secp256k1— SECG secp256k1 curve — new for COSE and JOSE