Re: [webauthn] Sign counter alg 507

> If we are concerned about an authenticator nonce, we could simply add it - independent from the signature counter.

I don't, personally, know the tradeoffs for an authenticator nonce but the last time I had an interaction with a representative from NXP they were very clear that such a thing was useful.

But existing FIDO devices don't have such a field and I want to eliminate the signature counter. I don't believe that the signature counter achieves anything and it allows cross-site tracking of tokens.

I understand that the theory of signature counters is that an attacker who obtained a private key would be forced to break the legitimate key by advancing the counter. Thus the user would be "informed" of the attack because their key would stop working.

But, in practice, that'll be surfaced as an opaque, unactionable error to the user, who will probably just be annoyed that the security key stopped working and re-enroll it. (Presumably with a different key. Maybe they'll figure out they can delete the old token?). If it keeps happening, they'll discard the token and just get another.

From the server's point of view this attack signal is very likely to be drowned out in the noise of tokens failing to do a flash write, corrupting their flash, etc., and thus be useless there too.

On the other hand, tokens are very likely to use a single counter for all sites because per-site counters require per-site storage in the token. Indeed, the token that I'm using at the moment has a single counter which is currently 1,838. The progression of that value is likely strongly identifying.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-326072876 using your GitHub account

Received on Wednesday, 30 August 2017 18:07:47 UTC
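
Added example, not part of the comment above and not code from the WebAuthn project: a small simulation of the server-side signal the message discusses, showing that a token which lost a flash write and a cloned token produce the same result at the relying party. The `Token` and `RelyingParty` classes, the strictly-increasing acceptance policy, and the counter values are all constructed assumptions for illustration.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Token:
    """Constructed model: one global counter, kept in RAM and persisted to flash."""
    counter: int = 0
    persisted: int = 0

    def sign(self, flash_write_ok: bool = True) -> int:
        self.counter += 1
        if flash_write_ok:
            self.persisted = self.counter
        return self.counter

    def power_cycle(self) -> None:
        # After a reset the token resumes from whatever reached flash.
        self.counter = self.persisted


class RelyingParty:
    """Assumed server policy: accept only a strictly increasing counter."""
    def __init__(self) -> None:
        self.stored = 0

    def verify(self, sign_count: int) -> str:
        if sign_count > self.stored:
            self.stored = sign_count
            return "ok"
        return "counter-regression"


def lost_flash_write() -> list[str]:
    token, rp = Token(), RelyingParty()
    seen = [rp.verify(token.sign()) for _ in range(3)]
    seen.append(rp.verify(token.sign(flash_write_ok=False)))  # 4 sent, not saved
    token.power_cycle()                                       # token is back at 3
    seen.append(rp.verify(token.sign()))                      # sends 4 again
    return seen


def cloned_token() -> list[str]:
    token, rp = Token(), RelyingParty()
    seen = [rp.verify(token.sign()) for _ in range(3)]
    clone = deepcopy(token)                  # copy of the key and counter state
    seen.append(rp.verify(clone.sign()))     # clone's assertion arrives first
    seen.append(rp.verify(token.sign()))     # legitimate token is now rejected
    return seen
```

Both functions return the same sequence of verdicts, so the counter value alone gives the server nothing to separate a hardware fault from a copied key.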