Re: [webauthn] Delete per RP ID Signature counters

Thanks, this is a good observation.

> which (if I'm not mistaken) also means that a given Public Key Credential Source will only be used for a single credential.

Yes, this is correct.

Furthermore, [§6.1.1. Signature Counter Considerations][cons] doesn't mention per-credential counters at all, and strongly recommends per-RP ID counters. It also specifies that authenticators MUST implement a signature counter, which is not true. In previous discussion in the WG we decided to allow authenticators to opt out of implementing a signature counter by keeping the signature count at constant zero (see and for context) - and [§7.2. Verifying an authentication assertion][rp] mirrors this by instructing that the signature counter be validated only if it is nonzero.


GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Tuesday, 24 April 2018 12:10:28 UTC
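
The relying-party counter check discussed in the message above, sketched as an added example that is not part of the original message or of the specification text. The names `StoredCredential`, `check_sign_count` and the returned labels are hypothetical, the sample authenticator data is constructed, and what the RP does on a suspected clone is left to its own policy.

```python
import struct
from dataclasses import dataclass


@dataclass
class StoredCredential:
    sign_count: int  # last counter value the RP saved for this credential


def parse_sign_count(auth_data: bytes) -> int:
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian) || ...
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(cred: StoredCredential, auth_data: bytes) -> str:
    received = parse_sign_count(auth_data)
    # Constant zero on both sides: the authenticator opted out of counting,
    # so there is nothing to compare and the assertion is not rejected.
    if received == 0 and cred.sign_count == 0:
        return "not-implemented"
    # Counter in use: it must strictly increase between assertions.
    if received > cred.sign_count:
        cred.sign_count = received
        return "ok"
    # Equal or lower (including a fall back to zero): the private key may
    # exist in more than one place. The stored value is left unchanged.
    return "possible-clone"


def make_auth_data(count: int) -> bytes:
    # Constructed sample: zeroed rpIdHash, flags = 0x01 (user present).
    return bytes(32) + b"\x01" + struct.pack(">I", count)


if __name__ == "__main__":
    cred = StoredCredential(sign_count=0)
    for count in (0, 5, 5, 0):
        print(count, check_sign_count(cred, make_auth_data(count)), cred.sign_count)
```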