- From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
- Date: Tue, 24 Apr 2018 12:10:22 +0000
- To: public-webauthn@w3.org
Thanks, this is a good observation.

> which (if I'm not mistaken) also means that a given Public Key Credential Source will only be used for a single credential.

Yes, this is correct. Furthermore, [§6.1.1. Signature Counter Considerations][cons] doesn't mention per-credential counters at all, and strongly recommends per-RP ID counters. It also specifies that authenticators MUST implement a signature counter, which is not true. In previous discussion in the WG we decided to allow authenticators to opt out of implementing a signature counter by keeping the signature count at constant zero (see https://github.com/w3c/webauthn/pull/539#issuecomment-327575050 and https://github.com/w3c/webauthn/pull/539#issuecomment-326831893 for context) - and [§7.2. Verifying an authentication assertion][rp] mirrors this by instructing to validate the signature counter only if it is nonzero.

[cons]: https://www.w3.org/TR/webauthn/#sign-counter
[rp]: https://www.w3.org/TR/webauthn/#verifying-assertion

--
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-383907279 using your GitHub account
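The Relying Party side of the counter rule discussed in the comment above, as an added example that is neither the commenter's code nor text from the WebAuthn spec: the counter is compared only when it is nonzero (constant zero means the authenticator opted out), and only "strictly greater" is required, since per-RP ID or global counters legitimately skip values. The 37-byte authenticator data prefix (rpIdHash, flags, signCount) follows the spec's layout; the sample inputs are constructed.

```python
"""RP-side signCount handling for a WebAuthn assertion (added example)."""
from dataclasses import dataclass


class CloneWarning(Exception):
    """Counter did not advance: the authenticator may have been cloned."""


@dataclass
class StoredCredential:
    credential_id: bytes
    sign_count: int  # last signCount the RP accepted for this credential


def parse_sign_count(auth_data: bytes) -> int:
    """Read signCount from authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than the 37-byte fixed prefix")
    return int.from_bytes(auth_data[33:37], "big")


def verify_sign_count(cred: StoredCredential, auth_data: bytes) -> int:
    """Apply the signature counter step of assertion verification.

    Returns the counter value now stored for the credential.
    - Received and stored both zero: the authenticator keeps the counter at
      constant zero (no counter implemented), so there is nothing to compare.
    - Otherwise the received value must be strictly greater than the stored
      one. A gap larger than 1 is normal for per-RP ID or global counters, so
      only '>' is enforced, not '== stored + 1'.
    """
    received = parse_sign_count(auth_data)
    if received == 0 and cred.sign_count == 0:
        return 0
    if received <= cred.sign_count:
        raise CloneWarning(
            f"signCount {received} did not advance past stored {cred.sign_count}"
        )
    cred.sign_count = received
    return received


def make_auth_data(sign_count: int, flags: int = 0x01) -> bytes:
    """Constructed test input: dummy rpIdHash, UP flag set, given signCount."""
    return b"\x00" * 32 + bytes([flags]) + sign_count.to_bytes(4, "big")
```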
Received on Tuesday, 24 April 2018 12:10:28 UTC