Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

Actually, that's a lot more requirements than I found with a quick search; I only found the reference in 4.2.1.

@akshayu It's not possible to guarantee this as the authenticator does not have the required context and vendors do not know how other vendors generate Credential IDs. Collisions are always possible.

@emlun There is little point to that probability requirement in that form, as it cannot be verified or guaranteed. I am not an expert in encryption theory, so I can be wrong, but since each authenticator uses a unique wrapping key, the uniqueness can be designed for the value being wrapped, but this does not guarantee the resulting key handle has the same uniqueness across different authenticators. If this is correct, a vendor cannot even guarantee it for his own authenticators, let alone globally. I only see one sane way to implement this: generate 150 random bits and add them to the wrapped value. It will work but is a huge waste of space.

How about a 32-byte minimum length of a value generated by a cryptographic operation?


-- 
GitHub Notification of comment by jovasco
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331429546 using your GitHub account

Received on Friday, 22 September 2017 12:09:56 UTC