Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

From: Johan Verrept via GitHub <sysbot+gh@w3.org>
Date: Fri, 22 Sep 2017 12:10:05 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-331429546-1506082193-sysbot+gh@w3.org>

Actually, that's a lot more requirements than I found with a quick search; I only found the reference in 4.2.1.

@akshayu It's not possible to guarantee this as the authenticator does not have the required context and vendors do not know how other vendors generate Credential IDs. Collisions are always possible.

@emlun There is little point to that probability requirement in that form as it cannot be verified or guaranteed. I am not an expert in encryption theory, so I can be wrong, but since each authenticator uses a unique wrapping key, the uniqueness can be designed for the value being wrapped, but this does not guarantee the resulting key handle has the same uniqueness across different authenticators. If this is correct, a vendor cannot even guarantee it for his own authenticators, let alone globally. I only see one sane way to implement this: generate 150 random bits and add them to the wrapped value. It will work but is a huge waste of space.

How about a 32-byte minimum length of a value generated by a cryptographic operation?

GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331429546 using your GitHub account
Received on Friday, 22 September 2017 12:09:56 UTC