Re: [webauthn] Delete per RP ID Signature counters

I think the decision to include signature counters has been settled at this point.

I think the suggestion in the spec that signature counters be per-RP (rather than per-credential) was probably just a mistake? We do not otherwise assume that an RP gets to learn information about other credentials for that RP in the same authenticator, as far as I can recall. (Indeed the term “per-RP” only appears in this context in the spec.)

@emlun points out that we also have an inconsistency in the spec too: here we say “Authenticators MUST implement a signature counter feature” but here (step 17) a zero signature counter is allowed.

(I obviously think that we should align with the latter of the two.)

GitHub Notification of comment by agl

Received on Wednesday, 25 April 2018 18:14:49 UTC