[webauthn] Signature counters exist in makeCredential too (#1370)

agl has just created a new issue for https://github.com/w3c/webauthn:

== Signature counters exist in makeCredential too ==
The section of the spec about [signature counters](https://w3c.github.io/webauthn/#sctn-sign-counter) doesn't mention that they're provided by makeCredential as well as in assertions. The semantics of the makeCredential signature counter are missing.

For U2F authenticators, the signature counter in the makeCredential response will always be zero. At least some CTAP2 authenticators provide a non-zero counter. At least some CTAP2 authenticators increment a global signature counter when performing a makeCredential.

Step 10 of the [makeCredential algorithm](https://w3c.github.io/webauthn/#sctn-op-make-cred) does say things, but it's a little at odds with reality: nearly all U2F authenticators use a global signature counter but browsers have to make an authenticatorData from a U2F registration response (which doesn't have a counter) and thus insert a value of zero, not the global value.

If we believe that other parts of the spec are correct, then the [section on signature counters](https://w3c.github.io/webauthn/#sctn-sign-counter) needs to be updated to talk about makeCredential counters.

Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1370 using your GitHub account

Received on Monday, 3 February 2020 20:30:05 UTC
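The issue above concerns where the signature counter appears in a makeCredential response and what a relying party should do with the zero value that U2F-derived registrations carry. The following is an added illustration, not code from the issue, the WebAuthn spec or the w3c/webauthn project: it parses the fixed fields of authenticatorData (rpIdHash, flags, signCount, and the attested credential data that only makeCredential carries) and applies the relying-party counter check, treating a counter of zero on both sides as "no counter implemented". All function names and the sample responses are constructed here; the COSE public key is left as an opaque placeholder rather than decoded.

```python
import hashlib
import struct

# Constructed example; not code from the WebAuthn spec or the issue.
# authenticatorData layout (WebAuthn, "Authenticator Data"):
#   rpIdHash (32) | flags (1) | signCount (4, big-endian)
#   | attestedCredentialData (if AT flag) | extensions (if ED flag)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included (makeCredential only)
FLAG_ED = 0x80  # extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into its fixed fields.  The 4-byte signature
    counter sits at the same offset in makeCredential and getAssertion responses."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": sign_count,
        "credential_id": None,
        "rest": auth_data[37:],  # attested credential data / extensions, if any
    }
    if flags & FLAG_AT:
        # attestedCredentialData: aaguid (16) | credentialIdLength (2) | credentialId | COSE key
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_id_len]
        if len(cred_id) != cred_id_len:
            raise ValueError("credential id truncated")
        parsed["aaguid"] = auth_data[37:53]
        parsed["credential_id"] = cred_id
        # The COSE public key that follows is CBOR and is left undecoded here.
    return parsed


def check_sign_count(stored: int, received: int) -> tuple:
    """Relying-party counter check.  Returns (ok, new_stored_value).
    Zero on both sides means the authenticator does not implement a counter
    (a U2F makeCredential always reports zero), so there is nothing to check.
    Otherwise the counter must strictly increase; anything else is treated as
    a possible cloned authenticator and the stored value is left unchanged."""
    if stored == 0 and received == 0:
        return True, 0
    if received > stored:
        return True, received
    return False, stored


def build_authenticator_data(rp_id: str, flags: int, sign_count: int,
                             credential_id: bytes = b"", cose_key: bytes = b"") -> bytes:
    """Assemble authenticatorData for the constructed samples below."""
    data = hashlib.sha256(rp_id.encode()).digest()
    data += bytes([flags]) + struct.pack(">I", sign_count)
    if flags & FLAG_AT:
        data += b"\x00" * 16  # aaguid: all zeros, as U2F-derived registrations carry
        data += struct.pack(">H", len(credential_id)) + credential_id + cose_key
    return data


# Constructed samples: a U2F-style registration (counter 0) and two assertions,
# the second of which repeats the first counter value.
REGISTRATION = build_authenticator_data("example.com", FLAG_UP | FLAG_AT, 0,
                                        credential_id=b"\x11" * 16,
                                        cose_key=b"COSE-KEY-PLACEHOLDER")
ASSERTION_1 = build_authenticator_data("example.com", FLAG_UP, 5)
ASSERTION_2 = build_authenticator_data("example.com", FLAG_UP, 5)


def simulate() -> list:
    """Store the makeCredential counter, then check two assertions against it.
    Returns the per-assertion outcome: [True, False] for the samples above."""
    stored = parse_authenticator_data(REGISTRATION)["sign_count"]  # 0 for U2F
    outcomes = []
    for auth in (ASSERTION_1, ASSERTION_2):
        received = parse_authenticator_data(auth)["sign_count"]
        ok, stored = check_sign_count(stored, received)
        outcomes.append(ok)
    return outcomes
```

Storing the makeCredential counter as the baseline is what lets the first assertion from a CTAP2 authenticator with a non-zero global counter be checked at all; with a U2F-derived registration the baseline is zero, and the check only starts to bite once the authenticator reports a non-zero value.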