DPoP using Ed25519 keys?

[dmitrizagidulin]

Hi @panva! As always, thank you so much for your excellent libraries.

Would you object to the addition of Ed25519 key types to the allowed DPoP algorithms list for this library (it can be marked unofficial or beta or something)?
I know it's not currently a part of WebCrypto, but from what I understand there are rumours of Ed25519 keys being added to webcrypto soonish, and in any case, I have a use case that needs that key type. So I was wondering if you'd be open to PRs for it.

[panva]

If it's not part of Web Cryptography API I cannot possibly add it to a Browser-focused implementation where Web Cryptography API is the only available crypto runtime ;)

[dmitrizagidulin]

@panva K, no prob. I'll figure something out with a polyfill.

[panva]

It doesn't make sense IMO. The point of dpop in a browser environment is to use non-extractable keys stored in Indexed DB. If you're gonna use a proprietary EdDSA crypto runtime you won't make use of CryptoKey instances and your private key will be exportable.

Use ECDSA w/ P-256 for shorter proofs, or PS256 for faster AS/RS validation.

[panva]

As soon as EdDSA is added to web crypto i'll quickly add it, not a big deal, but atm there's nothing to add as there's not even a proposal yet.

[dmitrizagidulin]

@panva sure, you're right. The reason for the ask is, one, I do want to use dpop for server-to-server (non-browser) use cases. And two, I genuinely don't think that the non-extractable feature of IndexedDB provides sufficient protection (from regular extractable keys). Because if you have a compromised / XSS'd web page, the attacker can use the non-extractable key anyways. So, it's not that much more secure.

[panva]

And what makes EdDSA using proprietary crypto runtime better in that regard? Using non extractable keys at least removes an offline attack possibility (in combination with server side nonces added in the next DPoP draft).

[dmitrizagidulin]

@panva I know, it's a lot less convenient than the built in WebCrypto key types.
(The use case is for a short elliptic curve key type, but for audiences who have concerns about / are reluctant to use P-256 etc curves.)