
Re: [webauthn] Sign counter alg 507

From: John Bradley via GitHub <sysbot+gh@w3.org>
Date: Wed, 06 Sep 2017 19:59:09 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-327596228-1504727939-sysbot+gh@w3.org>

I agree that there is value in keeping the counter. The question may be if we should encourage manufacturers that can't send per credential counters to send 0 rather than a global counter to protect privacy.

The Rich OS level software should have no storage issues around per credential counters. 
For secure element devices without stored credentials it is probably better to have no counter than a global one from a privacy perspective.

I think the validation rules you propose are reasonable. If 0 is a valid value (I guess for make cred) then -1 should be used to indicate no counter supported for credential.

I will look for the other document Jeff mentioned to see if there is some value in a nonce contributed by the device.

John B.

-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-327596228 using your GitHub account
Received on Wednesday, 6 September 2017 19:59:05 UTC
