W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

Re: [webauthn] Consider allowing authenticators to randomise signed hashes.

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Tue, 05 Sep 2017 21:17:25 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-327306174-1504646235-sysbot+gh@w3.org>
In any case, putting this in an extension is highly problematic because extensions are optional, and a side-channel defense that the attacker can choose to deny to the token isn't useful.

Repurposing the signature counter seemed like a solid win because we eliminate the counter (which I believe would be positive) and can use those bytes for optional randomisation. However, it all depends on eliminating the signature counter, and enough people seem to believe that it still has value.

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/453#issuecomment-327306174 using your GitHub account
Received on Tuesday, 5 September 2017 21:17:24 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC