W3C home > Mailing lists > Public > public-webauthn@w3.org > September 2017

Re: [webauthn] Sign counter alg 507

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Mon, 11 Sep 2017 13:18:54 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-328526180-1505135925-sysbot+gh@w3.org>
> If the user logs in first, after the attacker cloned the device but before the attacker uses the cloned device, it is the current login (from the attacker) that is the problem.

Yes, that cloning event will be missed. But, as noted above, there are several scenarios where the signature counter will miss a cloning event. I suppose one could argue that the fewer the better.

(I don't know whether any existing tokens are already depending on zero being ignored. So far I've not observed any that don't have a single, global counter.) 

GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/539#issuecomment-328526180 using your GitHub account
Received on Monday, 11 September 2017 13:18:48 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 07:26:27 UTC