Re: [webauthn] Plumb User ID through

@jovasco They are not _guaranteed_ unique, no, but they are required to be globally unique with a high probability (see #579). Of course this leaves the reader to judge exactly what qualifies as "high" probability. Your example with a single byte key index is technically valid, but only if the authenticator regards 0 as a "high probability". RPs will need to be prepared to handle some duplicate credential IDs, but not reasonably on the order of thousands or even hundreds.

However it should probably be mentioned in implementation considerations to try to keep credential ID lookup complexity low, to prevent DoS attacks by registering a billion accounts with the same credential ID. That vulnerability is neatly solved by also providing the user ID as suggested here.

[make-cred]: https://www.w3.org/TR/webauthn/#op-make-cred

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/pull/558#issuecomment-331404042 using your GitHub account

Received on Friday, 22 September 2017 09:53:06 UTC
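The lookup-complexity point in the comment above (many accounts registered with the same credential ID turning credential lookup into a scan) is easy to see in a small model of an RP's credential store. The following is an added example, not code from the webauthn spec or from the thread's author: it contrasts a store indexed by credential ID alone with one indexed by (user handle, credential ID), which is what "also providing the user ID" buys. Class names, the 8-byte user handles, the one-byte credential ID and the opaque public-key bytes are all constructed for the illustration; no signature verification is modelled.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StoredCredential:
    """One registered credential as an RP would persist it (constructed shape)."""
    user_handle: bytes
    credential_id: bytes
    public_key: bytes   # COSE key bytes in a real RP; opaque constructed bytes here
    sign_count: int = 0


class NaiveStore:
    """Indexed by credential ID only: every registration that shares a credential
    ID lands in the same bucket, so an assertion with that ID yields all of them
    as candidates and the RP has to try each one."""

    def __init__(self) -> None:
        self._by_cred: Dict[bytes, List[StoredCredential]] = defaultdict(list)

    def register(self, cred: StoredCredential) -> None:
        self._by_cred[cred.credential_id].append(cred)

    def candidates(self, credential_id: bytes) -> List[StoredCredential]:
        # Cost is linear in the number of registrations sharing this ID.
        return list(self._by_cred.get(credential_id, []))


class KeyedStore:
    """Indexed by (user handle, credential ID): duplicate credential IDs across
    different users are tolerated, but the assertion's user handle narrows the
    lookup to at most one record regardless of how many collide."""

    def __init__(self) -> None:
        self._by_key: Dict[Tuple[bytes, bytes], StoredCredential] = {}

    def register(self, cred: StoredCredential) -> None:
        key = (cred.user_handle, cred.credential_id)
        if key in self._by_key:
            # Same user re-registering the same credential ID is a genuine conflict.
            raise ValueError("credential ID already registered for this user")
        self._by_key[key] = cred

    def lookup(self, user_handle: bytes, credential_id: bytes) -> Optional[StoredCredential]:
        # Constant-time dictionary access; independent of colliding registrations.
        return self._by_key.get((user_handle, credential_id))


def simulate_collisions(n_accounts: int, shared_cred_id: bytes) -> Tuple[int, int]:
    """Register n_accounts distinct users that all present the same credential ID
    (the one-byte key index scenario from the thread, constructed here) and return
    how many stored records each store must examine to authenticate the last user."""
    naive, keyed = NaiveStore(), KeyedStore()
    for i in range(n_accounts):
        user = i.to_bytes(8, "big")                       # constructed user handle
        cred = StoredCredential(user, shared_cred_id, b"pk-" + user)
        naive.register(cred)
        keyed.register(cred)
    last_user = (n_accounts - 1).to_bytes(8, "big")
    naive_cost = len(naive.candidates(shared_cred_id))
    keyed_cost = 1 if keyed.lookup(last_user, shared_cred_id) is not None else 0
    return naive_cost, keyed_cost


if __name__ == "__main__":
    naive_cost, keyed_cost = simulate_collisions(1000, b"\x00")
    print(f"naive store examines {naive_cost} records, keyed store examines {keyed_cost}")
```

With a thousand colliding registrations the naive store hands back a thousand candidates for a single assertion, while the keyed store answers with one dictionary probe; the adversarial "register a billion accounts with the same credential ID" case scales the first number and leaves the second unchanged.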