Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

I agree the RP SHOULD refuse a duplicate credential id. I would make that a MUST, but some may only be indexing credential id by user id for starred credentials, so might not be able to easily tell if it is a duplicate. Collisions in UUID https://en.wikipedia.org/wiki/Universally_unique_identifier are relatively well understood. A 16 byte value is probably sufficient. If the problem is a weak random number generator, more bits probably won't help. Encrypting a random value won't add to the entropy; encrypting a non-random value would add entropy from the encryption key, assuming that the key changes.

How best to generate it probably depends on the RNG and the quality of its sources of entropy. Being overly specific may force people to make suboptimal choices for their platform. Some may have a source of cosmic background radiation and others not so much.

The point is: as random as possible, and RPs reject duplicates if they detect collisions.



-- 
GitHub Notification of comment by ve7jtb
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331472695 using your GitHub account

Received on Friday, 22 September 2017 15:03:41 UTC
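
An added example, not part of the comment above or of the WebAuthn specification: a sketch of an RP credential store that rejects duplicate credential IDs globally, next to the per-user lookup that cannot see a collision across accounts. The table layout, function names, user names and key bytes are hypothetical, and SQLite stands in for whatever store the RP uses.

```python
import secrets
import sqlite3

class DuplicateCredentialId(Exception):
    """Raised when a registration presents a credential ID the RP already holds."""

def open_store():
    # In-memory store for the demo. UNIQUE is global, not per user, so a
    # collision is detected whichever account owns the existing credential.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE credentials (credential_id BLOB NOT NULL UNIQUE,"
        " user_id TEXT NOT NULL, public_key BLOB NOT NULL)"
    )
    return db

def register(db, user_id, credential_id, public_key):
    # Let the database enforce uniqueness atomically; a SELECT followed by
    # an INSERT would leave a race between two concurrent registrations.
    try:
        with db:
            db.execute(
                "INSERT INTO credentials VALUES (?, ?, ?)",
                (credential_id, user_id, public_key),
            )
    except sqlite3.IntegrityError:
        raise DuplicateCredentialId(user_id) from None

def lookup_per_user(db, user_id, credential_id):
    # The per-user lookup the comment mentions: scoped to one account, it
    # cannot tell that another account already owns this credential ID.
    row = db.execute(
        "SELECT 1 FROM credentials WHERE user_id = ? AND credential_id = ?",
        (user_id, credential_id),
    ).fetchone()
    return row is not None

def demo():
    db = open_store()
    cred = secrets.token_bytes(16)  # constructed 16-byte random ID for the demo
    register(db, "alice", cred, b"alice-key")
    visible_in_bob_scope = lookup_per_user(db, "bob", cred)
    try:
        register(db, "bob", cred, b"bob-key")
    except DuplicateCredentialId:
        return visible_in_bob_scope, True
    return visible_in_bob_scope, False
```

`demo()` returns `(False, True)`: the per-user check misses the collision, while the global constraint refuses the second registration.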