
Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

From: Ki-Eun Shin via GitHub <sysbot+gh@w3.org>
Date: Mon, 25 Sep 2017 07:38:15 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-331800911-1506325083-sysbot+gh@w3.org>

@emlun Yes. Credential IDs are generated randomly by authenticators during registration.
Compared to U2F and WebAuthn, in UAF the probability of credential ID duplication is low. And with the tuple of AAID (aaguid) and keyID (credential ID), the server can locate the credential public key and user ID. So, if we have the AAGUID for the first-factor authenticators, we can avoid credential duplication problems.
For the second-factor cases such as U2F, the server already knows the user ID by nature before sending the challenge, so the server doesn't have to look up the user record with the credential ID.

-- 
GitHub Notification of comment by Kieun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331800911 using your GitHub account
Received on Monday, 25 September 2017 07:38:06 UTC
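
The lookup described in the comment above, as an added example that is not part of the original message or of the WebAuthn specification: a relying-party store that resolves a first-factor credential by the (AAGUID, credential ID) tuple and a second-factor credential within an already-known user. The class, its method names and the sample values are assumptions made for illustration.

```python
import secrets

class DuplicateCredential(Exception):
    """Raised when an (AAGUID, credential ID) tuple is already registered."""

class CredentialStore:
    """Hypothetical relying-party store; names are illustrative only."""

    def __init__(self):
        # (aaguid, credential_id) -> (user_id, public_key)
        self._records = {}

    def register(self, user_id, aaguid, credential_id, public_key):
        key = (aaguid, credential_id)
        if key in self._records:
            # Reject instead of overwriting, or one account could end up
            # bound to another account's credential record.
            raise DuplicateCredential(key)
        self._records[key] = (user_id, public_key)

    def lookup_first_factor(self, aaguid, credential_id):
        """No user name was supplied: the tuple alone must identify the
        user and the public key. Returns (user_id, public_key) or None."""
        return self._records.get((aaguid, credential_id))

    def lookup_second_factor(self, user_id, credential_id):
        """The user is already known, so search only that user's records.
        Returns the matching public keys (normally exactly one)."""
        return [pk for (_, cid), (uid, pk) in self._records.items()
                if uid == user_id and cid == credential_id]

    def users_for_credential_id(self, credential_id):
        """Users a bare credential ID would match without the AAGUID."""
        return sorted(uid for (_, cid), (uid, _) in self._records.items()
                      if cid == credential_id)

# Constructed sample values: two authenticator models, one colliding ID.
AAGUID_A = bytes(15) + b"\x01"
AAGUID_B = bytes(15) + b"\x02"
CRED_ID = secrets.token_bytes(16)

def build_demo_store():
    store = CredentialStore()
    store.register("alice", AAGUID_A, CRED_ID, "pk-alice")
    store.register("bob", AAGUID_B, CRED_ID, "pk-bob")
    return store

if __name__ == "__main__":
    s = build_demo_store()
    print(s.users_for_credential_id(CRED_ID))          # ambiguous alone
    print(s.lookup_first_factor(AAGUID_B, CRED_ID))    # resolved by tuple
    print(s.lookup_second_factor("alice", CRED_ID))    # resolved by user
```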
