I think the decision to include signature counters has been settled at this point.

I think the suggestion in the spec that signature counters be per-RP (rather than per-credential) was probably just a mistake? We do not otherwise assume that an RP gets to learn information about other credentials for that RP in the same authenticator, as far as I can recall. (Indeed the term “per-RP” only appears in this context in the spec.)

@emlun points out that we also have an inconsistency in the spec too: [here](https://www.w3.org/TR/webauthn/#sign-counter) we say “Authenticators MUST implement a signature counter feature” but [here](https://www.w3.org/TR/webauthn/#verifying-assertion) (step 17) a zero signature counter is allowed. (I obviously think that we should align with the latter of the two.)

--
GitHub Notification of comment by agl
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-384383486 using your GitHub account

Received on Wednesday, 25 April 2018 18:14:49 UTC
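The counter check this message discusses, as an added example that is not part of the original comment or of the spec text: a relying-party check that stores the counter per credential ID and treats a zero counter on both sides as "not implemented", following the comparison in the linked assertion-verification step. The store, function names, reason strings and the reject-on-regression policy are assumptions made for illustration.

```javascript
// Added illustration (hypothetical names): RP-side signature counter check,
// keyed per credential ID rather than per RP.

// credentialId -> last signCount accepted for that credential (constructed store)
const storedCounters = new Map();

function registerCredential(credentialId, initialSignCount) {
  storedCounters.set(credentialId, initialSignCount);
}

// signCount is the 32-bit counter from the assertion's authenticator data.
// Returns { ok, reason }.
function checkSignCount(credentialId, signCount) {
  if (!storedCounters.has(credentialId)) {
    return { ok: false, reason: "unknown-credential" };
  }
  if (!Number.isInteger(signCount) || signCount < 0 || signCount > 0xffffffff) {
    return { ok: false, reason: "malformed-counter" };
  }
  const stored = storedCounters.get(credentialId);

  // Both values zero: the authenticator does not use a counter for this
  // credential, so there is nothing to compare.
  if (signCount === 0 && stored === 0) {
    return { ok: true, reason: "counter-not-supported" };
  }
  // Strictly greater than the stored value: normal case, persist it.
  if (signCount > stored) {
    storedCounters.set(credentialId, signCount);
    return { ok: true, reason: "counter-advanced" };
  }
  // Equal or lower while a counter is in use: signal of a possible cloned
  // authenticator. Rejecting (and not updating) is this sketch's policy
  // choice; an RP could instead feed the signal into risk scoring.
  return { ok: false, reason: "possible-clone" };
}

// Constructed scenario: two credentials for the same RP on one authenticator.
function demo() {
  registerCredential("cred-A", 5);
  registerCredential("cred-B", 2);
  return [
    checkSignCount("cred-B", 3), // fine even though cred-A is already at 5
    checkSignCount("cred-A", 6), // cred-A advances independently
    checkSignCount("cred-A", 6), // replayed or cloned counter value
  ];
}
```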