Re: [webauthn] Delete per RP ID Signature counters

Per-credential signature counters are already mentioned in step 10 of [authenticatorMakeCredential][amk], but not in [§6.1.1. Signature Counter Considerations][sig-cons].

The current recommendation ("should...") in [§6.1.1. Signature Counter Considerations][sig-cons] is to use per-RP ID counters. @limpkin is suggesting

1. changing this recommendation to per-credential counters instead, and
2. removing the mentions of per-RP ID counters.

We could opt for doing both (1) and (2), or only (1), or neither.

(1) is not a breaking change; (2) could technically make authenticators non-conforming (if any exist), depending on how strictly you read the spec, but wouldn't break any interoperability.

I support doing (1), I'm indifferent to (2), and I do not object to doing neither.


GitHub Notification of comment by emlun
Please view or discuss this issue at using your GitHub account

Received on Wednesday, 25 April 2018 18:15:09 UTC