PerCredentialSignatureCounters

w3c · Jun 6, 2018 · 0b658b0 · 0b658b0
1 parent 0f5b3a8
commit 0b658b0
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/index.bs b/index.bs
@@ -2335,7 +2335,7 @@ follows.
 
 ### <dfn>Signature Counter</dfn> Considerations ### {#sign-counter}
 
-Authenticators MUST implement a [=signature counter=] feature. The [=signature counter=] is incremented for each successful
+Authenticators SHOULD implement a [=signature counter=] feature. The [=signature counter=] is incremented for each successful
 [=authenticatorGetAssertion=] operation by some positive value, and its value is returned to the [=[RP]=] within the
 [=authenticator data=]. The [=signature counter=]'s purpose is to aid [=[RPS]=] in detecting cloned authenticators. Clone
 detection is more important for authenticators with limited protection measures.
@@ -2347,7 +2347,7 @@ An [=[RP]=] stores the [=signature counter=] of the most recent [=authenticatorG
 Detecting a [=signature counter=]  mismatch does not indicate whether the current operation was performed by a cloned authenticator or the original authenticator.  [=[RPS]=] should address this situation appropriately relative to their individual situations, i.e., their risk tolerance. 
 
 Authenticators:
-- should implement per-[=RP ID=] [=signature counters=].  This prevents the 
+- should implement per credential [=signature counters=].  This prevents the 
     [=signature counter=] value from being shared between [=[RPS]=] and being possibly employed 
     as a correlation handle for the user. Authenticators may implement a global [=signature counter=], 
     i.e., on a per-authenticator basis, but this is less privacy-friendly for users. 
@@ -2497,9 +2497,6 @@ When this operation is invoked, the [=authenticator=] MUST perform the following
     identifier=] → [=authenticator extension input=] in |extensions|.
 1. If the [=authenticator=] supports:
     <dl class="switch">
-        :   a per-[=RP ID=] [=signature counter=]
-        ::  allocate the counter, associate it with the 
-              [=RP ID=], and initialize the counter value as zero. 
         :  a global [=signature counter=]
         ::  Use the global [=signature counter=]'s actual value when generating 
               [=authenticator data=].
@@ -2570,7 +2567,7 @@ When this method is invoked, the [=authenticator=] MUST perform the following pr
 
 1. Let |processedExtensions| be the result of [=authenticator extension processing=] [=map/for each=] supported [=extension
     identifier=] → [=authenticator extension input=] in |extensions|.
-1. Increment the [=RP ID=]-associated
+1. Increment the credential associated
     [=signature counter=] or the global [=signature counter=] value, depending on 
     which approach is implemented by the [=authenticator=], by some positive value.
 1. Let |authenticatorData| be the byte array specified in [[#sec-authenticator-data]] including |processedExtensions|, if any, as