Re: [webauthn] Credential ID uniqueness expectations are inconsistent/vague

Of course the RP can already choose to accept it or not, but if you really lawyer it up on §6.1 it technically doesn't allow the RP to refuse duplicate credential IDs. :)

I see two main reasons for recommending against accepting duplicates:

- It reduces the importance of credential IDs being very unique
- It reduces the risk of RPs implementing lookups in a way vulnerable to DoS attack similar to the [attack][atk] on many HTTP servers that made a splash a few years ago: A table with credential ID as key and a linked list of usernames/public keys/etc as value. An attacker could take such an implementation down by registering the same credential ID an unlimited _N_ times and then causing the server to look it up _M_ times at _O(N)_ time complexity - so the attacker's _O(N + M)_ operations would be amplified to _O(N<sup>2</sup> + NM)_ operations on the server.

[atk]: http://ocert.org/advisories/ocert-2011-003.html

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/579#issuecomment-331871211 using your GitHub account

Received on Monday, 25 September 2017 12:52:47 UTC
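To make the amplification in the second bullet concrete, here is an added, constructed example that is not code from the webauthn spec, from emlun, or from any RP library. It models the lookup structure the comment warns about (credential ID as hash key, a chain of username/public-key entries as value, with registration walking the chain to "update instead of insert") next to a store that rejects a duplicate credential ID at registration. The class names, the `work` counter (stored entries examined, with a hash probe counted as one) and the `simulate` driver are all assumptions made for this illustration.

```python
"""Toy WebAuthn RP credential stores: duplicate-tolerant vs duplicate-rejecting.

Constructed example for the DoS argument; not code from the webauthn spec
or any real RP implementation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class DuplicateCredentialId(Exception):
    """The hardened store refuses a credential ID that is already registered."""


@dataclass
class StoredCredential:
    username: str
    public_key: bytes


class VulnerableCredentialStore:
    """credential_id -> chain of credentials; duplicate IDs accepted.

    `work` counts stored entries examined (a hash probe counts as one) and
    stands in for server CPU time.
    """

    def __init__(self) -> None:
        self._table: Dict[bytes, List[StoredCredential]] = {}
        self.work = 0

    def register(self, credential_id: bytes, username: str, public_key: bytes) -> None:
        self.work += 1  # hash probe
        chain = self._table.setdefault(credential_id, [])
        # "Update instead of insert" for a user re-registering the same
        # credential: this walks the whole chain, so registration is O(N).
        for entry in chain:
            self.work += 1
            if entry.username == username:
                entry.public_key = public_key
                return
        chain.append(StoredCredential(username, public_key))

    def lookup(self, credential_id: bytes, username: str) -> Optional[StoredCredential]:
        self.work += 1  # hash probe
        for entry in self._table.get(credential_id, []):  # O(N) chain walk
            self.work += 1
            if entry.username == username:
                return entry
        return None


class HardenedCredentialStore:
    """credential_id -> exactly one credential; duplicate IDs rejected on registration."""

    def __init__(self) -> None:
        self._table: Dict[bytes, StoredCredential] = {}
        self.work = 0

    def register(self, credential_id: bytes, username: str, public_key: bytes) -> None:
        self.work += 1  # hash probe
        if credential_id in self._table:
            raise DuplicateCredentialId(credential_id.hex())
        self._table[credential_id] = StoredCredential(username, public_key)

    def lookup(self, credential_id: bytes, username: str) -> Optional[StoredCredential]:
        self.work += 1  # hash probe; O(1), no chain to walk
        entry = self._table.get(credential_id)
        if entry is None or entry.username != username:
            return None
        return entry


def simulate(store, n_registrations: int, m_lookups: int) -> Tuple[int, int]:
    """Attacker registers the victim's credential ID N times, then triggers M lookups.

    Returns (server work, number of registrations rejected).
    """
    cred_id = bytes(range(16))  # constructed credential ID
    store.register(cred_id, "victim", b"victim-public-key")
    rejected = 0
    for i in range(n_registrations):
        try:
            store.register(cred_id, f"attacker-{i}", b"attacker-public-key")
        except DuplicateCredentialId:
            rejected += 1
    for _ in range(m_lookups):
        # A username matching no entry forces the vulnerable store to walk
        # the entire chain on every lookup.
        store.lookup(cred_id, "nobody")
    return store.work, rejected


if __name__ == "__main__":
    for cls in (VulnerableCredentialStore, HardenedCredentialStore):
        work, rejected = simulate(cls(), 1000, 100)
        print(f"{cls.__name__}: work={work} rejected={rejected}")
```

With N registrations and M lookups the vulnerable store does roughly N²/2 + N·M entry comparisons for the attacker's N + M requests, which is the O(N² + NM) amplification in the comment; the hardened store does one hash probe per request and the attacker's extra registrations are simply refused, leaving the victim's single entry intact.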