- From: John Bradley via GitHub <sysbot+gh@w3.org>
- Date: Fri, 08 Sep 2017 16:48:51 +0000
- To: public-webauthn@w3.org

In implementation considerations 2.6 the counter should start at 0. In the limited tests I can do with the uninitialized key I have it send one for the first authentication but I am guessing that just happened to be one vendor's implementation. A key sending 0 would be perfectly valid according to my reading of the spec, and I would probably have interpreted it that way.

I think the better solution is to ignore all negative numbers in verification as those don't support a counter. That lets people use a negative random value to protect against power analysis if they want, and it will be ignored by the verifier. Basically Jakob's proposal.

--
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/125#issuecomment-328156198 using your GitHub account

Received on Friday, 8 September 2017 16:48:47 UTC
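
The verification rule proposed in the message above, sketched as an added example (not part of the original message or of the WebAuthn specification). It assumes the counter arrives as 4 big-endian bytes read as a signed integer and that the verifier keeps the last accepted value per credential; `decode_counter`, `check_counter` and `replay` are hypothetical names.

```python
import struct
from typing import List, Optional, Tuple


def decode_counter(raw: bytes) -> int:
    """Read the 4 counter bytes as a signed big-endian integer (assumed encoding)."""
    if len(raw) != 4:
        raise ValueError("counter field must be exactly 4 bytes")
    return struct.unpack(">i", raw)[0]


def check_counter(stored: Optional[int], received: int) -> Tuple[str, Optional[int]]:
    """Return (verdict, new_stored) for one assertion.

    stored is None until the first non-negative counter has been accepted,
    so a key whose first value is 0 passes instead of failing a '> 0' test.
    """
    if received < 0:
        # Negative value: the key does not support a counter (it may be a
        # random value); skip the check and leave stored state untouched.
        return "ignored", stored
    if stored is None or received > stored:
        return "ok", received
    # Not strictly increasing: possible cloned key, keep the old state.
    return "regressed", stored


def replay(samples: List[bytes]) -> List[str]:
    """Run a sequence of raw counter fields through the check, in order."""
    stored: Optional[int] = None
    verdicts = []
    for raw in samples:
        verdict, stored = check_counter(stored, decode_counter(raw))
        verdicts.append(verdict)
    return verdicts


# Constructed sample counter fields, not captured from a real authenticator.
SAMPLES = [bytes.fromhex(h) for h in
           ("00000000", "00000001", "8a3f19c2", "00000005", "00000005")]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, replay(SAMPLES)):
        print(raw.hex(), decode_counter(raw), verdict)
```
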