[webauthn] Why does credentialId need to be unique across all users? (#1403)

epheat has just created a new issue for https://github.com/w3c/webauthn:

== Why does credentialId need to be unique across all users? ==
[Section 7.1.17](https://www.w3.org/TR/webauthn/#registering-a-new-credential) of the WebAuthn specification states that during a registration ceremony, the Relying Party should ensure that the incoming credentialId is not already assigned to any other user.
> 17. Check that the credentialId is not yet registered to any other user. If registration is requested for a credential that is already registered to a different user, the Relying Party SHOULD fail this registration ceremony, or it MAY decide to accept the registration, e.g. while deleting the older registration.

I understand that this is a requirement within the scope of a single user -- if it were allowed, there would be no way to distinguish between the two registered credentials. However, I'm trying to dig deeper into why this is a requirement across all users in the case where the Relying Party decides to key its credentials off the user handle, or even another opaque identifier for which credentialId is just a property.

This issue is discussed in #579, but doesn't go into depth about _why_ the uniqueness restriction is in place. Basically, my question is: when is it appropriate for Relying Parties to break that SHOULD clause in Section 7.1.17? Are there specific threats being mitigated by this uniqueness restriction across all users?

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1403 using your GitHub account

Received on Monday, 6 April 2020 19:43:26 UTC
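Step 17 as quoted in the issue, applied by a minimal Relying Party credential store, as an added example that is not code from the WebAuthn spec or the w3c/webauthn project: it covers the same-user duplicate the post mentions, the SHOULD outcome (fail the ceremony) and the MAY outcome (accept while deleting the older registration). The class and method names, the outcome strings and the `on_conflict` flag are assumptions for illustration.

```python
# Added example, not code from the WebAuthn spec or the w3c/webauthn
# project: a minimal Relying Party credential store applying step 17.
# Names, return strings and the on_conflict policy are assumptions.

class CredentialStore:
    def __init__(self):
        self.by_credential_id = {}  # credentialId -> user handle
        self.by_user = {}           # user handle -> set of credentialIds

    def register(self, user_handle, credential_id, on_conflict="fail"):
        """Step 17 of the registration ceremony; returns the outcome."""
        owner = self.by_credential_id.get(credential_id)
        if owner is None:
            self._add(user_handle, credential_id)
            return "registered"
        if owner == user_handle:
            # Same user, same credentialId: the two registrations could
            # never be told apart, so the RP refuses the second one.
            return "duplicate-same-user"
        if on_conflict == "replace":
            # MAY branch: accept, deleting the older registration first.
            self.by_user[owner].discard(credential_id)
            self._add(user_handle, credential_id)
            return "replaced"
        # SHOULD branch: fail the ceremony, leave existing data untouched.
        return "rejected"

    def _add(self, user_handle, credential_id):
        self.by_credential_id[credential_id] = user_handle
        self.by_user.setdefault(user_handle, set()).add(credential_id)

    def owner_of(self, credential_id):
        """Lookup keyed on credentialId alone, as an RP that does not
        know the user up front would do; one owner per id by step 17."""
        return self.by_credential_id.get(credential_id)


def demo():
    # Constructed sample values; real credentialIds are chosen by the
    # authenticator and are opaque bytes.
    store = CredentialStore()
    alice, bob, cred = b"user-alice", b"user-bob", b"\x01\x02\x03\x04"
    outcomes = [
        store.register(alice, cred),            # registered
        store.register(alice, cred),            # duplicate-same-user
        store.register(bob, cred),              # rejected (SHOULD)
        store.register(bob, cred, "replace"),   # replaced (MAY)
    ]
    return outcomes, store.owner_of(cred), store.by_user[alice]
```

After the `replace` branch runs, `owner_of` resolves the credentialId to a single user again, and the previous owner's entry for it is gone.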