
Re: [webauthn] Delete per RP ID Signature counters

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Tue, 24 Apr 2018 12:10:22 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-383907279-1524571821-sysbot+gh@w3.org>
Thanks, this is a good observation.

> which (if I'm not mistaken) also means that a given Public Key Credential Source will only be used for a single credential.

Yes, this is correct.

Furthermore, [§6.1.1. Signature Counter Considerations][cons] doesn't mention per-credential counters at all, and strongly recommends per-RP ID counters. It also specifies that authenticators MUST implement a signature counter, which is not true. In previous discussion in the WG we decided to allow authenticators to opt out of implementing a signature counter by keeping the signature count at constant zero (see https://github.com/w3c/webauthn/pull/539#issuecomment-327575050 and https://github.com/w3c/webauthn/pull/539#issuecomment-326831893 for context) - and [§7.2. Verifying an authentication assertion][rp] mirrors this by instructing to validate the signature counter only if it is nonzero.

[cons]: https://www.w3.org/TR/webauthn/#sign-counter
[rp]: https://www.w3.org/TR/webauthn/#verifying-assertion

GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-383907279 using your GitHub account
Received on Tuesday, 24 April 2018 12:10:28 UTC
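The Relying Party-side rule discussed in the comment above (compare the signature counter only when it is nonzero, so an authenticator reporting a constant zero is not treated as a clone), as an added Python example that is not code from this thread or from the WebAuthn spec. The authenticator data bytes and RP ID are constructed for illustration; the function and field names are my own.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple


@dataclass
class AuthenticatorData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_authenticator_data(auth_data: bytes) -> AuthenticatorData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return AuthenticatorData(auth_data[:32], auth_data[32], sign_count)


def check_sign_count(stored_count: int, received_count: int) -> Tuple[bool, int]:
    """RP-side counter check (WebAuthn 7.2). Returns (ok, counter to store).

    If both values are zero the authenticator has opted out of counters and
    there is nothing to compare. Otherwise the new value must strictly exceed
    the stored one; anything else is a possible cloned authenticator.
    """
    if received_count == 0 and stored_count == 0:
        return True, 0
    if received_count > stored_count:
        return True, received_count
    return False, stored_count


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data (no attested credential data or extensions)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion_counter(rp_id: str, stored_count: int, auth_data: bytes) -> Tuple[bool, int]:
    """Check rpIdHash, then apply the signature counter rule. Constructed helper."""
    ad = parse_authenticator_data(auth_data)
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    return check_sign_count(stored_count, ad.sign_count)
```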
