
Re: [webauthn] Delete per RP ID Signature counters

From: Emil Lundberg via GitHub <sysbot+gh@w3.org>
Date: Wed, 25 Apr 2018 18:15:03 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-384383582-1524680101-sysbot+gh@w3.org>
Per-credential signature counters are already mentioned in step 10 of [authenticatorMakeCredential][amk], but not in [§6.1.1. Signature Counter Considerations][sig-cons].

The current recommendation ("should...") in [§6.1.1. Signature Counter Considerations][sig-cons] is to use per-RP ID counters. @limpkin is suggesting

1. changing this recommendation to per-credential counters instead, and
2. removing the mentions of per-RP ID counters.

We could opt for doing both (1) and (2), or only (1), or neither.

(1) is not a breaking change; (2) could technically make authenticators non-conforming (if any exist), depending on how strictly you read the spec, but wouldn't break any interoperability.

I support doing (1), I'm indifferent to (2), and I do not object to doing neither.

[amk]: https://w3c.github.io/webauthn/#op-make-cred
[sig-cons]: https://w3c.github.io/webauthn/#sign-counter

-- 
GitHub Notification of comment by emlun
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/871#issuecomment-384383582 using your GitHub account
Received on Wednesday, 25 April 2018 18:15:09 UTC
