The section of the spec about signature counters doesn't mention that they're provided by makeCredential as well as in assertions. The semantics of the makeCredential signature counter are missing.
For U2F authenticators, the signature counter in the makeCredential response will always be zero. At least some CTAP2 authenticators provide a non-zero counter. At least some CTAP2 authenticators increment a global signature counter when performing a makeCredential.
Step 10 of the makeCredential algorithm does say things, but it's a little at odds with reality: nearly all U2F authenticators use a global signature counter but browsers have to make an authenticatorData from a U2F registration response (which doesn't have a counter) and thus insert a value of zero, not the global value.
If we believe that other parts of the spec are correct, then the section on signature counters needs to be updated to talk about makeCredential counters.
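The relying-party side of what this issue describes, as an added example that is not code from the issue, the spec or the w3c/webauthn repository: the counter in the registration (makeCredential) response is stored as-is (zero for U2F authenticators, possibly a non-zero global value for CTAP2 authenticators), and each later assertion is checked against it using the spec's rule that the check only applies when either value is non-zero. The `authenticatorData` layout (32-byte rpIdHash, 1 flag byte, 4-byte big-endian signCount) is from the spec; the fixture builder, the dictionary used as credential storage and the string return values are assumptions made for this example.

```python
import struct

# authenticatorData layout (WebAuthn section 6.1): rpIdHash (32 bytes),
# flags (1 byte), signCount (4 bytes, big-endian), then optional
# attestedCredentialData and extensions.
SIGN_COUNT_OFFSET = 33
SIGN_COUNT_LEN = 4


def sign_count(authenticator_data: bytes) -> int:
    """Extract the 32-bit big-endian signature counter from authenticatorData."""
    if len(authenticator_data) < SIGN_COUNT_OFFSET + SIGN_COUNT_LEN:
        raise ValueError("authenticatorData is shorter than the fixed 37-byte header")
    end = SIGN_COUNT_OFFSET + SIGN_COUNT_LEN
    (count,) = struct.unpack(">I", authenticator_data[SIGN_COUNT_OFFSET:end])
    return count


def make_authenticator_data(count: int, flags: int = 0x41) -> bytes:
    """Constructed test fixture (assumption): a minimal 37-byte authenticatorData
    with an all-zero rpIdHash, the given flags byte and the given counter."""
    return bytes(32) + bytes([flags]) + struct.pack(">I", count)


def register(authenticator_data: bytes) -> dict:
    """Registration (makeCredential): store whatever counter came back.
    Zero is expected from U2F authenticators, because the browser builds the
    authenticatorData from a U2F registration response that carries no counter;
    a CTAP2 authenticator may return its current global counter instead."""
    return {"sign_count": sign_count(authenticator_data)}


def verify_assertion_counter(credential: dict, authenticator_data: bytes) -> str:
    """Counter check from the assertion verification procedure (WebAuthn section 7.2).

    Returns one of:
      'no_counter' - both values are zero, so the authenticator does not
                     support counters and nothing can be concluded;
      'ok'         - the new counter is strictly greater; stored value updated;
      'suspect'    - the new counter is not greater, which the spec treats as a
                     signal that the authenticator may have been cloned.
    Not updating the stored value in the 'suspect' case is this example's
    policy choice; the spec leaves that to the relying party.
    """
    stored = credential["sign_count"]
    new = sign_count(authenticator_data)
    if new == 0 and stored == 0:
        return "no_counter"
    if new > stored:
        credential["sign_count"] = new
        return "ok"
    return "suspect"


if __name__ == "__main__":
    # U2F-style registration: counter is zero at makeCredential, real value later.
    u2f_cred = register(make_authenticator_data(0))
    print("u2f first assertion:", verify_assertion_counter(u2f_cred, make_authenticator_data(5)))
    print("u2f replayed value:", verify_assertion_counter(u2f_cred, make_authenticator_data(5)))
    # CTAP2-style registration: a non-zero global counter is returned at makeCredential.
    ctap2_cred = register(make_authenticator_data(12))
    print("ctap2 next assertion:", verify_assertion_counter(ctap2_cred, make_authenticator_data(13)))
```

The CTAP2 case is the one the issue is about: because the registration counter may already be non-zero, an assertion that later arrives with a zero counter is not the "no counter support" case but a counter that went backwards, and the function reports it as such.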
This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.
Fixes w3c#1370
* Update signature counters section.
This section did not reflect the specified behaviour for signature
counters and did not mention that they are returned in makeCredential
responses too. See linked bug for details.
Fixes #1370
* Apply suggestions from code review
Including Jeff and Emil's comments.
Co-authored-by: =JeffH <jdhodges@google.com>
Co-authored-by: Emil Lundberg <emil@emlun.se>