Reject invalid and small-order elements on signature verification

index.html

@@ -1867,6 +1867,19 @@ <h4>Operations</h4>
                 |key| is not {{KeyType/"public"}}, then [= exception/throw =] an {{InvalidAccessError}}.
               </p>
             </li>
+            <li>
+              <p>
+                If the key data of |key| represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed25519, [= exception/throw =] an {{OperationError}}.
+              </p>
+            </li>
+            <li>
+              <p>
+                If the point R, encoded in the first half of |signature|,
+                represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed25519, [= exception/throw =] an {{OperationError}}.
+              </p>
+            </li>
             <li>
               <p>
                 Perform the Ed25519 verification steps, as specified in [[RFC8032]],
@@ -2760,6 +2773,19 @@ <h4>Operations</h4>
                 then [= exception/throw =] an {{OperationError}}.
               </p>
             </li>
+            <li>
+              <p>
+                If the key data of |key| represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed448, [= exception/throw =] an {{OperationError}}.
+              </p>
+            </li>
+            <li>
+              <p>
+                If the point R, encoded in the first half of |signature|,
+                represents an invalid point or a small-order element
+                on the Elliptic Curve of Ed448, [= exception/throw =] an {{OperationError}}.
+              </p>
+            </li>
             <li>
               <p>
                 Perform the Ed448 verification steps, as specified in [[RFC8032]],