Make small-order checks in EdDSA optional? #423
Description
The current spec says:
- If the key data of key represents an invalid point or a small-order element on the Elliptic Curve of Ed25519, return
false.
However, implementations don't consistently perform this check: https://wpt.fyi/results/WebCryptoAPI/sign_verify/eddsa_small_order_points.https.any.html?run_id=6218645916352512&run_id=4841029519015936&run_id=5149644930940928&run_id=5118414478901248
So, we may want to make it optional.
This is a copy of WICG/webcrypto-secure-curves#27, to keep track of that issue after we archive WICG/webcrypto-secure-curves.