[webauthn] Credential ID uniqueness expectations are inconsistent/vague

emlun has just created a new issue for https://github.com/w3c/webauthn:

== Credential ID uniqueness expectations are inconsistent/vague ==
As pointed out in #558, the requirements on the uniqueness of the credential ID are not completely clear.

[§4.1. PublicKeyCredential Interface][id-attr] reads:

>[[identifier]]
>[...] This identifier is used to look up credentials for use, and is therefore **expected to be globally unique with high probability** across all credentials of the same type, across all authenticators. This API does not constrain the format or length of this identifier, except that it **must be sufficient for the platform to uniquely select a key**. [...]

[§4.2.1 Information about Public Key Credential (interface AuthenticatorAttestationResponse)][att-resp], point `attestationObject` reads:

>[...] [the authenticator data] contains the AAGUID, **a unique credential ID**, and the credential public key. [...]

[§5. WebAuthn Authenticator model][authenticator-model] reads:

>[...] Each public key credential has an identifier which is **unique (or extremely unlikely to be duplicated) among all public key credentials**. [...]

[§5.2.1. The authenticatorMakeCredential operation][auth-make-cred] reads:

>When this operation is invoked, the authenticator must perform the following procedure:
>[...]
>Generate an identifier for this credential, such that this identifier is **globally unique with high probability** across all credentials with the same type across all authenticators.

(All emphasis added)

In summary, the uniqueness of the credential ID is specified as

- "expected to be" probably globally unique for all public key credentials
- informally required to be unique with undefined scope
- informally required to be probably globally unique
- formally required to be probably globally unique
- formally required only to be unique among the public key credentials available at a given time when one is needed

I suggest that

 1. the requirements on credential ID uniqueness be specified only once - for example in §4.1 where it is defined or in §5.2.1 which defines how it should be generated.
 2. a concrete requirement be given instead of "with a high probability" - for example "with a probability greater than 1 - 2^150" (this value would mean a collision chance < 1E-9 at 1E18 credential IDs generated).

[att-resp]: https://www.w3.org/TR/webauthn/#iface-authenticatorattestationresponse
[auth-make-cred]: https://www.w3.org/TR/webauthn/#op-make-cred
[authenticator-model]: https://www.w3.org/TR/webauthn/#authenticator-model
[id-attr]: https://www.w3.org/TR/webauthn/#dom-publickeycredential-identifier-slot

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579 using your GitHub account
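As an added worked example (not part of emlun's issue or of the WebAuthn specification), the birthday-bound arithmetic behind suggestion 2: given n credential IDs each drawn uniformly from 2^k values, the chance that any two coincide is approximately 1 - exp(-n(n-1)/2^(k+1)). The input sizes (1E18 IDs, a 1E-9 target) are the ones quoted in the issue; the function names are this example's own.

```python
import math


def collision_probability(n_ids: int, id_bits: int) -> float:
    """Birthday-bound probability that at least two of n_ids credential IDs,
    each drawn uniformly at random from 2**id_bits values, are identical.

    Uses the standard approximation 1 - exp(-n(n-1) / 2**(bits + 1)), which
    is accurate whenever the ID space is much larger than the number of IDs.
    """
    if n_ids < 2:
        return 0.0
    # Keep the ratio in exact integer arithmetic; convert to float only once.
    pairs_over_space = (n_ids * (n_ids - 1)) / (2 ** (id_bits + 1))
    # -expm1(-x) equals 1 - exp(-x) but keeps precision when x is tiny.
    return -math.expm1(-pairs_over_space)


def min_bits_for(n_ids: int, max_probability: float, limit: int = 1024) -> int:
    """Smallest ID length in bits for which generating n_ids random IDs
    collides with probability at most max_probability."""
    for bits in range(1, limit + 1):
        if collision_probability(n_ids, bits) <= max_probability:
            return bits
    raise ValueError(f"no ID length up to {limit} bits meets the target")


if __name__ == "__main__":
    # Constructed scenario matching the figures quoted in the issue.
    generated = 10**18
    for bits in (64, 96, 128, 149, 150):
        p = collision_probability(generated, bits)
        print(f"{bits:4d}-bit IDs, {generated:.0e} generated: "
              f"p(collision) ~ {p:.3e}")
    print("minimum bits for p <= 1e-9:", min_bits_for(generated, 1e-9))
```

With these inputs the bound is met from 149 bits upward, one bit below the round 2^150 figure in the issue; 64-bit IDs collide with near certainty at that volume.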

Received on Friday, 22 September 2017 09:51:44 UTC