- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Wed, 25 Apr 2018 18:15:03 +0000
- To: public-webauthn@w3.org

Per-credential signature counters are already mentioned in step 10 of [authenticatorMakeCredential][amk], but not in [§6.1.1. Signature Counter Considerations][sig-cons].

The current recommendation ("should...") in [§6.1.1. Signature Counter Considerations][sig-cons] is to use per-RP ID counters. @limpkin is suggesting

1. changing this recommendation to per-credential counters instead, and
2. removing the mentions of per-RP ID counters.

We could opt for doing both (1) and (2), or only (1), or neither.

(1) is not a breaking change; (2) could technically make authenticators non-conforming (if any exist), depending on how strictly you read the spec, but wouldn't break any interoperability.

I support doing (1), I'm indifferent to (2), and I do not object to doing neither.

[amk]: https://w3c.github.io/webauthn/#op-make-cred
[sig-cons]: https://w3c.github.io/webauthn/#sign-counter
--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-384383582 using your GitHub account
Received on Wednesday, 25 April 2018 18:15:09 UTC