
Re: [webauthn] Delete per RP ID Signature counters

From: Adam Langley via GitHub <sysbot+gh@w3.org>
Date: Wed, 25 Apr 2018 18:14:46 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-384383486-1524680085-sysbot+gh@w3.org>

I think the decision to include signature counters has been settled at this point.

I think the suggestion in the spec that signature counters be per-RP (rather than per-credential) was probably just a mistake? We do not otherwise assume that an RP gets to learn information about other credentials for that RP in the same authenticator, as far as I can recall. (Indeed the term “per-RP” only appears in this context in the spec.)

@emlun points out that we also have an inconsistency in the spec too: [here](https://www.w3.org/TR/webauthn/#sign-counter) we say “Authenticators MUST implement a signature counter feature” but [here](https://www.w3.org/TR/webauthn/#verifying-assertion) (step 17) a zero signature counter is allowed.

(I obviously think that we should align with the latter of the two.)

-- 
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-384383486 using your GitHub account
Received on Wednesday, 25 April 2018 18:14:49 UTC
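
The two points in the message above (counters tracked per credential, and a zero counter being acceptable at assertion verification) can be seen together in a relying-party check. This is an added example, not part of the original message or the spec text; the function names, the in-memory `stored` dict and the sample authenticator data are assumptions constructed for illustration.

```python
import struct
from hashlib import sha256

def sign_count(auth_data: bytes) -> int:
    """signCount is the 4-byte big-endian field after rpIdHash (32) and flags (1)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]

def check_counter(stored: dict, cred_id: bytes, auth_data: bytes) -> str:
    """Counter check keyed by credential ID, never by RP ID.

    "skipped":        both values are zero, so the authenticator has no counter
    "ok":             the counter advanced; the stored value is updated
    "possible-clone": the counter did not advance; the stored value is kept
                      and the RP applies its own risk policy to the signal
    """
    new = sign_count(auth_data)
    old = stored.get(cred_id, 0)
    if new == 0 and old == 0:
        return "skipped"
    if new > old:
        stored[cred_id] = new
        return "ok"
    return "possible-clone"

def make_auth_data(rp_id: str, count: int, flags: int = 0x01) -> bytes:
    """Constructed sample authenticator data: rpIdHash || flags || signCount."""
    return sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)

if __name__ == "__main__":
    rp = "example.test"                      # constructed RP ID
    store = {}                               # hypothetical per-credential store
    for cred, count in [(b"cred-A", 5), (b"cred-B", 2), (b"cred-A", 5),
                        (b"cred-C", 0), (b"cred-B", 0)]:
        print(cred, count, check_counter(store, cred, make_auth_data(rp, count)))
```

Because the store is keyed by credential ID, a low value on one credential is never compared against a higher value recorded for another credential on the same authenticator.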
