Re: [webauthn] Make signature counters a MAY ? (#1590)

> @Firstyear Counter must always go UP. Server should reject the assertion if counter has not increased(excluding when counter is always 0)

Yes, when the counter is working correctly. But it steps backwards in a replay attack or with a cloned authenticator, and the webauthn spec uses this statement on the matter:

> Whether the Relying Party updates storedSignCount in this case, or not, or fails the authentication ceremony or not, is Relying Party-specific.

It means people may implement this incorrectly. As a standard, there should be clear, unambiguous language about how an RP should handle this situation, because if there is not, people can and will implement it incorrectly. 

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1590#issuecomment-813770621 using your GitHub account


Received on Tuesday, 6 April 2021 02:09:07 UTC
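A strict Relying Party-side counter check of the kind argued for above, as an added example that is not part of this thread and not taken from any WebAuthn implementation; the function names, the `CounterError` type and the constructed authenticator data are assumptions. It parses signCount out of authenticator data, rejects any assertion whose counter fails to advance (the replay / cloned-authenticator case), and accepts the always-zero case for authenticators that implement no counter.

```python
import struct


class CounterError(Exception):
    """Raised when an assertion's signCount fails the strict counter check."""


def sign_count_from_authenticator_data(auth_data: bytes) -> int:
    """Extract signCount from WebAuthn authenticator data.

    Layout: rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes, big-endian) || ...
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]


def check_sign_count(stored_sign_count: int, assertion_sign_count: int) -> int:
    """Return the counter value to persist, or raise CounterError.

    Strict reading of the signCount step in the assertion verification procedure:
      * both values zero: the authenticator has no counter, accept;
      * otherwise the assertion's counter must be strictly greater than the stored
        one. Equal or lower means a replayed assertion or a cloned authenticator,
        and the ceremony fails instead of being left "Relying Party-specific".
    """
    if stored_sign_count == 0 and assertion_sign_count == 0:
        return 0
    if assertion_sign_count > stored_sign_count:
        return assertion_sign_count
    raise CounterError(
        f"signCount {assertion_sign_count} did not advance past stored "
        f"{stored_sign_count}: possible replay or cloned authenticator"
    )


def process_assertions(stored_sign_count: int, auth_datas: list) -> list:
    """Run a sequence of assertions through the check.

    Returns one (accepted, stored_after) tuple per assertion. A rejected assertion
    leaves the stored counter untouched: the RP must not learn from an invalid one.
    """
    results = []
    for auth_data in auth_datas:
        count = sign_count_from_authenticator_data(auth_data)
        try:
            stored_sign_count = check_sign_count(stored_sign_count, count)
            results.append((True, stored_sign_count))
        except CounterError:
            results.append((False, stored_sign_count))
    return results


def make_auth_data(sign_count: int) -> bytes:
    """Constructed sample authenticator data: zero rpIdHash, UP flag, given counter."""
    return b"\x00" * 32 + b"\x01" + struct.pack(">I", sign_count)
```

Feeding `process_assertions(2, [make_auth_data(c) for c in (3, 4, 4, 5)])` models a genuine authenticator at 3 and 4, a clone that still reports 4 (rejected), then the genuine device at 5.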