- From: John Bradley <jbradley@yubico.com>
- Date: Fri, 22 Sep 2017 14:08:47 -0300
- To: Jakob Ehrensvard <jakob@yubico.com>
- Cc: Johan Verrept via GitHub <sysbot+gh@w3.org>, W3C WebAuthn WG <public-webauthn@w3.org>
I think that is the correct thing to do. I think the concern is that other devices may try and scope the credential id to the user_id or the token during make credential. If they produce credential id that are from 1 to x then anyone who tries to create a global index for credential id is going to be stuffed. It seems to me that any authenticator that is not attempting to create a globally unique credential id should be considered broken. If we are having RP reject duplicate credential_id then we should be sure that a new credential_id/key is generated for each new make credential. Otherwise the user will be stuck in the unlikely event of a collision. John B. > On Sep 21, 2017, at 3:11 PM, Jakob Ehrensvärd <jakob@yubico.com> wrote: > >> Credential IDs are not guaranteed unique in any way. Unless I missed >> something in the specs, it is perfectly valid to store all data locally and >> return a single byte key index. > > Then, I believe I've missed something important here. The credential > ID must be a unique identifier, just like the U2F key handle. We make > the CTAP2 credential ID equal to the U2F key handle, so a U2F > credential can be used with WebAuthN and vice-versa. > > For resident credentials, we generate a credential ID from the public > key, making this a 128-bit identifier. > > Did I ge this wrong ? > >
Received on Friday, 22 September 2017 17:09:35 UTC