[webauthn] Delete per RP ID Signature counters

limpkin has just created a new issue for https://github.com/w3c/webauthn:

== Delete per RP ID Signature counters ==
Section 6.1.1 mentions:  
  
> (The authenticator) should implement per RP-ID signature counters. This prevents the signature counter value from being shared between Relying Parties and being possibly employed as a correlation handle for the user. Authenticators may implement a global signature counter, i.e., on a per-authenticator basis, but this is less privacy-friendly for users.
  
A global signature counter may hypothetically allow several websites to identify a given user even if said user uses different IP addresses and other means of covering his tracks.  
The per RP-ID suggestion is therefore a great improvement. It however does (IMHO) only offer a "half way" compromise as it would allow a given RP to identify the different aliases of a given user for a given RP through his per RP-ID counter.  

Section 6.2.2, step 10 then mentions the possibility of a "per credential signature counter" which does offer the best solution regarding privacy-concerned users.  

The question I therefore would like to ask is: why offer the possibility to authenticators to implement per RP-ID credential counters when the privacy friendly and non-privacy friendly alternatives are available?  
I would then suggest adding a counter to the Public Key Credential Source structure, especially given the fact that "an authenticator will never contain more than one credential for a given Relying Party under the same user handle." (from 4. Terminology), which (if I'm not mistaken) also means that a given Public Key Credential Source will only be used for a single credential.

I'm still digging into the spec so I apologize if I may have missed some important info.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871 using your GitHub account
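The three counter scopes discussed in the issue (global, per RP-ID, per credential) and what a Relying Party can infer from each, as an added example written for this page rather than code from the spec or the w3c/webauthn project; the RP names, credential ids, usage sequence and the linkability heuristic are all constructed assumptions:

```python
from collections import defaultdict

POLICIES = ("global", "per_rp_id", "per_credential")

class Authenticator:
    """Holds one counter per key; the key depends on the chosen policy."""
    def __init__(self, policy):
        assert policy in POLICIES
        self.policy, self.counters = policy, defaultdict(int)

    def _key(self, rp_id, cred_id):
        if self.policy == "global":
            return "global"
        return rp_id if self.policy == "per_rp_id" else (rp_id, cred_id)

    def get_assertion(self, rp_id, cred_id):
        """Increment the counter and return the fields the RP would see."""
        k = self._key(rp_id, cred_id)
        self.counters[k] += 1
        return {"cred_id": cred_id, "sign_count": self.counters[k]}

class RelyingParty:
    """Keeps the last counter per credential; 6.2.2 step 10 requires the new
    value to be strictly greater, otherwise a cloned authenticator is suspected."""
    def __init__(self):
        self.last, self.history = {}, defaultdict(list)

    def verify(self, assertion):
        cred, n = assertion["cred_id"], assertion["sign_count"]
        if n <= self.last.get(cred, 0):
            return False
        self.last[cred] = n
        self.history[cred].append(n)
        return True

def looks_shared(xs, ys):
    """Heuristic only (constructed): values drawn from one shared counter never
    repeat, while independent counters both start at 1 and therefore collide."""
    return bool(xs) and bool(ys) and not set(xs) & set(ys)

def run_scenario(policy):
    """Constructed usage: two aliases at a.example, one account at b.example."""
    auth = Authenticator(policy)
    rps = {"a.example": RelyingParty(), "b.example": RelyingParty()}
    uses = [("a.example", "alias1"), ("b.example", "acct"), ("a.example", "alias2")] * 2
    for rp_id, cred in uses:
        assert rps[rp_id].verify(auth.get_assertion(rp_id, cred))
    a, b = rps["a.example"], rps["b.example"]
    return {"aliases_linkable_by_rp": looks_shared(a.history["alias1"], a.history["alias2"]),
            "linkable_across_rps": looks_shared(sum(a.history.values(), []), b.history["acct"])}
```

Only the per-credential policy leaves both inferences false; the per RP-ID policy stops colluding RPs but still lets a single RP tie two aliases to one authenticator, which is the point the issue makes.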

Received on Sunday, 15 April 2018 12:25:09 UTC