- From: Jeffrey Yasskin via GitHub <sysbot+gh@w3.org>
- Date: Wed, 16 Aug 2017 21:09:51 +0000
- To: public-webauthn@w3.org
To link everything up, @agl suggests in #453 that the counter field be repurposed for a place to inject some random data that authenticators can use to frustrate differential power analysis. In https://github.com/w3c/webauthn/issues/507#issuecomment-322845730, @equalsJeffH recorded the statement in this morning's call that the counters are used to detect cloned authenticators, at least in the case that the authenticator maintains a count at all. I also remember a statement (maybe from @rlin1?) that RPs need to detect whether or not an authenticator maintains the counter in order to know whether to try to use it to detect cloned authenticators, but I didn't catch the bits in the protocol that would let the RP detect that. The fix for this issue should describe the algorithm the RP needs to run. If that algorithm can distinguish an unused-but-nonzero counter from a used counter, that might suffice to let some authenticators add randomness using the "counter" field, as desired in #453. -- GitHub Notification of comment by jyasskin Please view or discuss this issue at https://github.com/w3c/webauthn/issues/125#issuecomment-322900204 using your GitHub account
Received on Wednesday, 16 August 2017 21:09:55 UTC