Signature counters exist in makeCredential too #1370

Closed
agl opened this issue Feb 3, 2020 · 1 comment · Fixed by #1390

agl commented Feb 3, 2020

The section of the spec about signature counters doesn't mention that they're provided by makeCredential as well as in assertions. The semantics of the makeCredential signature counter are missing.

For U2F authenticators, the signature counter in the makeCredential response will always be zero. At least some CTAP2 authenticators provide a non-zero counter. At least some CTAP2 authenticators increment a global signature counter when performing a makeCredential.

Step 10 of the makeCredential algorithm does say things, but it's a little at odds with reality: nearly all U2F authenticators use a global signature counter but browsers have to make an authenticatorData from a U2F registration response (which doesn't have a counter) and thus insert a value of zero, not the global value.

If we believe that other parts of the spec are correct, then the section on signature counters needs to be updated to talk about makeCredential counters.
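As an added example (not part of the issue or of the spec text), this sketch shows a relying party storing the counter from a makeCredential response as the initial value and checking later assertions against it, covering the U2F case where the browser inserts zero. The function names and sample bytes are constructed for illustration; the authenticatorData layout assumed is the one WebAuthn defines (32-byte rpIdHash, 1 flags byte, 4-byte big-endian signCount), and failing the ceremony when the counter does not advance is a policy assumption.

```javascript
// authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | ...
const SIGN_COUNT_OFFSET = 33;
const MIN_AUTH_DATA_LEN = 37;

// Read signCount from authenticatorData, whether it came from a
// makeCredential (registration) response or from an assertion.
function readSignCount(authData) {
  if (!(authData instanceof Uint8Array) || authData.length < MIN_AUTH_DATA_LEN) {
    throw new RangeError("authenticatorData shorter than 37 bytes");
  }
  const view = new DataView(authData.buffer, authData.byteOffset, authData.byteLength);
  return view.getUint32(SIGN_COUNT_OFFSET, false);
}

// Compare an assertion's counter with the stored one. Zero on both sides
// means the authenticator does not use a counter, so there is nothing to check.
function checkAssertionCounter(storedCount, assertionAuthData) {
  const received = readSignCount(assertionAuthData);
  if (received === 0 && storedCount === 0) {
    return { ok: true, newCount: 0, reason: "counter not in use" };
  }
  if (received > storedCount) {
    return { ok: true, newCount: received, reason: "counter advanced" };
  }
  // Policy assumption: treat a non-advancing counter as a possible clone.
  return { ok: false, newCount: storedCount, reason: "counter did not advance" };
}

// Constructed sample data: zeroed rpIdHash, UP flag set, given counter.
function makeAuthData(signCount, flags = 0x01) {
  const buf = new Uint8Array(MIN_AUTH_DATA_LEN);
  buf[32] = flags;
  new DataView(buf.buffer).setUint32(SIGN_COUNT_OFFSET, signCount, false);
  return buf;
}

function demo() {
  // U2F registration: the browser inserts 0 even though the token's global counter is higher.
  const u2fStored = readSignCount(makeAuthData(0));
  // CTAP2 registration: the authenticator reports a non-zero counter (12 is a constructed value).
  const ctap2Stored = readSignCount(makeAuthData(12));
  return {
    u2fFirstUse: checkAssertionCounter(u2fStored, makeAuthData(58)),
    ctap2Next: checkAssertionCounter(ctap2Stored, makeAuthData(13)),
    ctap2Stale: checkAssertionCounter(ctap2Stored, makeAuthData(12)),
    noCounter: checkAssertionCounter(0, makeAuthData(0)),
  };
}
```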

@nadalin nadalin added this to the L2-WD-03 milestone Feb 19, 2020
nadalin commented Feb 26, 2020

@agl to create PR

agl added a commit to agl/webauthn that referenced this issue Mar 18, 2020
This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.

Fixes w3c#1370
equalsJeffH added a commit that referenced this issue Apr 2, 2020
* Update signature counters section.

This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.

Fixes #1370

* Apply suggestions from code review

Including Jeff and Emil's comments.

Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: Emil Lundberg <emil@emlun.se>