Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

@emlun Yes. Credential Ids are generated randomly by authenticators during registration.
Compared to U2F and WebAuthn, in UAF the probability of credential Id duplication is low. And with the tuple of AAID (aaguid) and keyID (credential Id), the server can locate the credential public key and user id. So, if we have the AAGUID for the first factor authenticators, we can avoid credential duplication problems.
For the second factor cases such as U2F, the server already knows the user id by nature before sending the challenge, so the server doesn't have to look up the user record with the credential Id.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331800911 using your GitHub account

Received on Monday, 25 September 2017 07:38:06 UTC