- From: Adam Langley via GitHub <sysbot+gh@w3.org>
- Date: Wed, 25 Apr 2018 18:14:46 +0000
- To: public-webauthn@w3.org

I think the decision to include signature counters has been settled at this point. I think the suggestion in the spec that signature counters be per-RP (rather than per-credential) was probably just a mistake? We do not otherwise assume that an RP gets to learn information about other credentials for that RP in the same authenticator, as far as I can recall. (Indeed the term “per-RP” only appears in this context in the spec.)

@emlun points out that we also have an inconsistency in the spec too: [here](https://www.w3.org/TR/webauthn/#sign-counter) we say “Authenticators MUST implement a signature counter feature” but [here](https://www.w3.org/TR/webauthn/#verifying-assertion) (step 17) a zero signature counter is allowed. (I obviously think that we should align with the latter of the two.)

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-384383486 using your GitHub account

Received on Wednesday, 25 April 2018 18:14:49 UTC
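
An added example, not part of the message above or of the spec text: a relying-party check that keeps one signature counter per credential (never per RP) and accepts an authenticator that always reports zero, which is how the step 17 rule referenced above is assumed to read. `CounterStore`, `make_auth_data` and the result labels are hypothetical names, and the authenticator data is constructed sample input.

```python
import struct


def parse_sign_count(auth_data: bytes) -> int:
    """Read signCount from authenticator data.

    Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


class CounterStore:
    """Hypothetical RP-side store keyed by credential ID, so one credential's
    counter reveals nothing about other credentials on the same authenticator."""

    def __init__(self):
        self._counts = {}

    def register(self, credential_id: bytes, initial: int) -> None:
        self._counts[credential_id] = initial

    def check(self, credential_id: bytes, auth_data: bytes) -> str:
        stored = self._counts[credential_id]
        received = parse_sign_count(auth_data)
        # Both zero: the authenticator does not implement a counter, so there
        # is nothing to compare (the case the message says step 17 allows).
        if received == 0 and stored == 0:
            return "unsupported"
        if received > stored:
            self._counts[credential_id] = received
            return "ok"
        # Counter failed to advance: possible cloned authenticator.
        # What to do next is RP policy (assumption: caller decides).
        return "possible-clone"


def make_auth_data(sign_count: int, flags: int = 0x01) -> bytes:
    """Constructed sample: zeroed rpIdHash, User Present flag, given counter."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", sign_count)
```
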