[Discussion] What order should COSEAlgorithms be in secure_algs and all_possible_algs?

[zacknewman]

While the example in RFC 9053 shows EdDSA curves as prioritized over ECDSA curves, it is not a formal recommendation let alone requirement. I cannot seem to find any RFC or other specification related to WebAuthn, CBOR, or JOSE that specifies what order of algorithms SHOULD/MUST be used yet.

WebAuthn Level 3 appears will have Ed25519, ES256, and RSA256; but that is not yet official.

I'd like to start a discussion around what should be the order of webauthn-rs-proto::cose::COSEAlgorithms in the returned alloc::vec::Vecs from COSEAlgorithm::secure_algs and COSEAlgorithm::all_possible_algs.

I believe—once my diff is merged—the order should follow this hypothetical spec if for no other reason forward compatibility. Even in the unlikely case the spec will not state what order algorithms should be preferred in, I still think the order should be as stated. Why?

• Most cryptographers would order those algorithms the same way by security; or at the very least, would not put Ed25519 after the other two (i.e., at worst, it's as good).
• Client authenticators will ignore any unsupported algorithms, so any argument that relies on the popularity of an algorithm is irrelevant.
• The order aligns with the order of best performance and inversely with the size of signatures.
• There is no NIST/NSA connection with Ed25519.