- Server Conformance Make Credential Response - 2 Updates
- Conditional UI (auto-fill) - 2 Updates
- About CTAP2.1_PRE, I have some questions to ask - 3 Updates
- Case of stolen device and same key by multiple user - 2 Updates
- Emails Amex_07_atWork_EBTA.pdf - 1 Update
- Digest for fido...@fidoalliance.org - 3 updates in 3 topics - 1 Update
Jo Stevens <jo.st...@rocksolidknowledge.com>: Nov 23 09:13AM -0800
Hi Guys, I hope this is the right forum for this.
I'm running through the FIDO Server Conformance tools and I've got one
failing test:
Server-ServerAuthenticatorAttestationResponse-Resp-5 Test server processing
"packed" FULL attestation
F-10 Send ServerAuthenticatorAttestationResponse with FULL "packed"
attestation, with attStmt.x5c containing full chain, and check that server
returns an error
The test passes where it should fail.
Could someone help explain why this should fail? A FULL attestation means
it requires a chain, and a full chain means to me it's a valid chain. It's very
difficult to isolate and debug any of these tests, so I'm a little stuck.
Thanks,
Jo
Shane Weeden <shane....@gmail.com>: Nov 24 05:16AM +1000
I am aware of this test and personally think the test case is overly restrictive and wrong. That said, I believe I can at least explain what is happening.
According to section 6.1 of https://datatracker.ietf.org/doc/html/rfc5280:
"A certificate MUST NOT appear more than once in a prospective
certification path."
In that test case, the root CA is included in the x5c of the attestation response. You then try to find a trust root from matching metadata. My understanding is that the test authors believe this constitutes a duplicate certificate in the certification path, because the CA appears twice at the end.
Clearly the authors of the Java certificate validation code I am using don't think so, because if you take a trust chain that includes a CA and match it against a copy of that CA, it works without error.
Similarly if you take a self-signed cert you can do the same thing.
Anyway, that’s what I believe is happening.
Regards,
Shane.
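The two readings Shane describes, as an added example written for this digest (it is not the conformance tool's code, nor Shane's Java validator): it mints a throwaway root, intermediate and attestation certificate with Go's crypto/x509, places the root in attStmt.x5c exactly as test F-10 does, and validates against a trust anchor standing in for the root selected from metadata. With `strict` set, any x5c entry that is byte-identical to an anchor is rejected as a duplicate in the prospective path (the test's reading of RFC 5280 section 6.1); without it, the entry is dropped and the path is built to the anchor as usual. The CNs, the `strict` switch and the function names are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrDuplicateInPath is the strict-policy rejection: an attStmt.x5c entry is
// byte-identical to a trust anchor, so the anchor would appear twice in the
// prospective certification path (RFC 5280 section 6.1).
var ErrDuplicateInPath = errors.New("certificate appears more than once in the certification path")

var serial int64 // sequential test serials only; real CAs use random serials

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeCert issues a throwaway P-256 certificate for cn (example material only).
// With parent == nil it is self-signed (a root); otherwise parent/parentKey sign it.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// isAnchor reports whether c is byte-for-byte one of the trust anchors.
func isAnchor(c *x509.Certificate, anchors []*x509.Certificate) bool {
	for _, a := range anchors {
		if bytes.Equal(c.Raw, a.Raw) {
			return true
		}
	}
	return false
}

// ValidateAttestationChain builds a path from x5c[0] (the attestation certificate)
// through the remaining x5c entries to one of the anchors taken from metadata.
// strict == true: an x5c entry that is itself an anchor is a duplicate in the path
// and the attestation is rejected (the conformance tool's reading).
// strict == false: such entries are dropped and the path is built as usual.
func ValidateAttestationChain(x5c, anchors []*x509.Certificate, strict bool) error {
	if len(x5c) == 0 {
		return errors.New("attStmt.x5c is empty")
	}
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	for _, c := range x5c[1:] {
		if isAnchor(c, anchors) {
			if strict {
				return ErrDuplicateInPath
			}
			continue // the anchor terminates the path; it is not an intermediate
		}
		inters.AddCert(c)
	}
	_, err := x5c[0].Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	root, rootKey := MakeCert("Example Attestation Root", true, nil, nil)
	ca, caKey := MakeCert("Example Attestation CA", true, root, rootKey)
	leaf, _ := MakeCert("Example Authenticator", false, ca, caKey)
	anchors := []*x509.Certificate{root}        // what the metadata lookup would return
	full := []*x509.Certificate{leaf, ca, root} // test F-10: root included in x5c
	fmt.Println("strict: ", ValidateAttestationChain(full, anchors, true))
	fmt.Println("lenient:", ValidateAttestationChain(full, anchors, false))
}
```

Under `strict` the F-10 chain fails with ErrDuplicateInPath while the same chain without the trailing root passes; under the lenient policy both pass. The comparison is on raw DER bytes, so an anchor that is a re-encoded copy of the root (different bytes, same key and subject) would not be caught by this check, which is the case Shane's Java validator accepts.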
Steven li <changa...@gmail.com>: Nov 22 07:12PM -0800
Hi guys,
I have some questions to ask
1. If the USB authenticator supports both CTAP2.1 and CTAP2.0, does it also
need to support CTAP2.1_PRE?
2. In the conformance tool of CTAP2.1_PRE, are there any test items that
can be verified?
Thanks,
Steven
Ackermann Yuriy <ackerma...@gmail.com>: Nov 23 03:34PM +0900
CTAP2.1_PRE is a compatibility flag that specifies that the device supports
experimental bioenroll and/or credmanapi.
A CTAP2.1-conformant device may advertise PRE as well, so long as it supports
bioenroll and credmanapi on the experimental HID commands.
1. No. It does not have to, but it is advised.
2. FIDO does not explicitly test PRE, as this is an informal spec. But if you
do CTAP2.1 certification then you will have bioenroll/credmanapi tested.
--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand <https://github.com/herrjemand>
twitter: @herrjemand <https://twitter.com/herrjemand>
medium: @herrjemand <https://medium.com/@herrjemand>
Steven li <changa...@gmail.com>: Nov 23 01:36AM -0800
Hi Ackermann,
Thank you for your prompt reply.
Steven
On Wednesday, November 23, 2022 at 2:34:40 PM [UTC+8], Ackermann Yuriy wrote:
hetin k <het...@gmail.com>: Nov 23 11:08AM +0530
Thank you all.
As Negras <negra...@gmail.com>: Nov 23 05:40AM
From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of hetin k <het...@gmail.com>
Sent: Wednesday, November 23, 2022 7:38:38 AM
To: My1 <teamhyd...@gmail.com>
Cc: Emil Lundberg <em...@yubico.com>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>; Tim Cappalli <Tim.Ca...@microsoft.com>
Subject: Re: [FIDO-DEV] Case of stolen device and same key by multiple user
Thank you all.
On Wed, 23 Nov 2022 at 02:52, My1 <teamhyd...@gmail.com> wrote:
I would also add the date of creation AND last use, in order to prevent any swaparound ideas (e.g. deleting an existing key and adding a new one under the same name).
Also, a notification if anything is changed on the security key side can be a good option.
While maybe not foolproof, there are ways. For example, FIDO is generally associated with 2FA, be that a password on the site or plain and simple UV for the token.
@tim I don't think you even need credProtect on that front as long as the site makes sure there's SOME SORT of second factor involved.
I mean, no matter what credProtect states, if the site forces a password, or even better just UV, the attacker won't get in without having that.
Regards
My1
> Does the stolen device case come under the threat model of a security key? Does the relying party have any concern over a stolen device?
Yes, the user needs to protect their security key from theft much like they would protect a password or house key. RPs should allow users to add and remove security keys at any time so the user can "revoke" keys they've lost. Ideally, RPs should also allow users to set nicknames for their keys to help keep track of which is which.
> Is it legitimate to use the same key by multiple users? Does the standard have any guidelines regarding this, or is it based on relying party policy?
Yes, it is legitimate - both using the same authenticator for multiple accounts, and multiple persons using the same authenticator with a shared account. If the authenticator is well-behaved, the RP cannot tell whether it is being used with multiple accounts or by multiple persons.
Emil Lundberg
Software Engineer | Yubico <http://www.yubico.com/>
On Tue, Nov 22, 2022 at 2:52 PM hetin k <het...@gmail.com> wrote:
Hi all,
Does the stolen device case come under the threat model of a security key? Does the relying party have any concern over a stolen device?
Is it legitimate to use the same key by multiple users? Does the standard have any guidelines regarding this, or is it based on relying party policy?
Thanks
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/8f4b49cd-91ed-4bac-a631-dbe6cc8a76cbn%40fidoalliance.org.
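A minimal relying-party credential registry that implements the advice in the thread above (let users add and remove keys at any time, give keys nicknames, keep creation and last-use dates, and log every change so the user can be notified). This is example code added for this digest, not anything from the thread, from Yubico or from the FIDO specifications; the type names, the in-memory store, the injected clock and the constructed credential IDs are all assumptions, and verification of the assertion signature itself is out of scope.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

// Credential is one security key registered on a user's account.
type Credential struct {
	ID         string    // credential ID as returned by the authenticator (constructed values below)
	Nickname   string    // user-chosen label
	CreatedAt  time.Time // registration time
	LastUsedAt time.Time // zero until the first successful assertion
	Revoked    bool      // set when the user reports the key lost or stolen
}

// Event is an entry in the account's change log; the RP would notify the user on each one.
type Event struct {
	At     time.Time
	Action string // "registered" or "revoked"
	CredID string
}

var (
	ErrUnknownCredential   = errors.New("credential ID is not registered on this account")
	ErrRevokedCredential   = errors.New("credential was revoked by the user")
	ErrDuplicateCredential = errors.New("credential ID is already registered on this account")
)

// Account is the per-user registry (in memory for the example). now is injected so tests control time.
type Account struct {
	creds  map[string]*Credential
	Events []Event
	now    func() time.Time
}

func NewAccount(now func() time.Time) *Account {
	return &Account{creds: map[string]*Credential{}, now: now}
}

func (a *Account) log(action, id string) {
	a.Events = append(a.Events, Event{At: a.now(), Action: action, CredID: id})
}

// Register adds a key. A credential ID that already exists, revoked or not, is
// refused: a new key always carries a fresh ID, so a repeat is either a client
// bug or an attempt to re-enable a key the user has revoked.
func (a *Account) Register(id, nickname string) error {
	if _, exists := a.creds[id]; exists {
		return ErrDuplicateCredential
	}
	a.creds[id] = &Credential{ID: id, Nickname: nickname, CreatedAt: a.now()}
	a.log("registered", id)
	return nil
}

// Revoke keeps the record but makes it unusable, so its dates stay visible on
// the account page and the same credential ID cannot quietly come back.
func (a *Account) Revoke(id string) error {
	c, ok := a.creds[id]
	if !ok {
		return ErrUnknownCredential
	}
	c.Revoked = true
	a.log("revoked", id)
	return nil
}

// Authenticate is the registry's part of assertion handling, run after the
// assertion signature has been verified (not shown): unknown and revoked IDs
// are refused, and a successful use is timestamped.
func (a *Account) Authenticate(id string) (*Credential, error) {
	c, ok := a.creds[id]
	if !ok {
		return nil, ErrUnknownCredential
	}
	if c.Revoked {
		return nil, ErrRevokedCredential
	}
	c.LastUsedAt = a.now()
	return c, nil
}

// List returns all credentials, revoked ones included, oldest first. Nickname
// plus created / last-used dates tell keys apart even when two share a name.
func (a *Account) List() []Credential {
	out := make([]Credential, 0, len(a.creds))
	for _, c := range a.creds {
		out = append(out, *c)
	}
	sort.Slice(out, func(i, j int) bool {
		if !out[i].CreatedAt.Equal(out[j].CreatedAt) {
			return out[i].CreatedAt.Before(out[j].CreatedAt)
		}
		return out[i].ID < out[j].ID
	})
	return out
}

func main() {
	acct := NewAccount(time.Now)
	_ = acct.Register("cred-A", "YubiKey (desk)") // constructed IDs, not real credential IDs
	_, _ = acct.Authenticate("cred-A")
	_ = acct.Revoke("cred-A")                     // user reports the key stolen
	_ = acct.Register("cred-B", "YubiKey (desk)") // replacement under the same nickname
	for _, c := range acct.List() {
		fmt.Printf("%s %q created=%s lastUsed=%s revoked=%v\n", c.ID, c.Nickname,
			c.CreatedAt.Format(time.RFC3339), c.LastUsedAt.Format(time.RFC3339), c.Revoked)
	}
}
```

Revoked entries are retained rather than deleted, which is what makes the "swaparound" described above visible: the replacement key shares a nickname but has its own credential ID, a later creation date and no use history, and the revocation itself is in the event log. Whether one authenticator is registered on several accounts, or shared by several people on one account, is invisible to this code, as the thread notes.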
"Perla nallely Guadalupe Alejandre Ramón" <nallelyale...@gmail.com>: Nov 22 08:36PM -0600
This is a PDF downloaded from Chrome beta where a loan of 26 million dollars was requested, when the card from my Spin Oxxo app never arrived. The money does not appear; supposedly I made a purchase in the early morning when they authorized the availability of my money. I made a transfer from my wallet in Mercado Pago and it does not appear on my Banjercito card either. I entered the link and it says that I deleted my account and disconnected my Chrome beta. The money in the banks is not in my name, and they have spent money from the accounts; they stole my identity. I have all of those screenshots. Honestly, I am looking for immediate solutions; I believe it goes beyond the limits. The rest are missing, but I will send them to you. I know my rights; I learned the military articles, since my husband brings the books home, and thanks to that I learned. They did 17 audits on me and took money from me. In my investigations I compiled their frauds, their illicit dealings and the abuses and threats they have made against other people, and they still want 50% of my earnings. I cannot give them a bad recommendation or speak badly of them, but they can speak badly of me, because when I entered my Data España they came close to hitting me. For 17 years they have taken excellent advantage, only to call me a thief and say that I had taken what is not mine. I am very sorry, but I believe these are things I cannot keep quiet about, and people should know. Thank God I am an ignorant person without a degree, but I do not have a criminal record either; I do not rob anyone, and with great pride I say my money is clean and harms no one. Fraud is a major crime, and the scam is much more serious since it is international: technological extortion, theft of data, signature and identity. I do not intend to stay quiet. Besides, they do not verify my account because I would have to hold a press conference and that does not suit them. Separately, they posed as the federal authorities, the IRS, etc., and they are still blocking my account. Maybe I am a thief, but my mom says a thief who robs a thief has a thousand years of forgiveness, and even more so when it is to do good things. Now, just as they demand, I need immediate solutions.
"Perla nallely Guadalupe Alejandre Ramón" <nallelyale...@gmail.com>: Nov 22 04:59PM -0600
Excuse me if you perhaps think I am rude. My head even hurts from changing the password, and when I think I will finally have access, it takes me longer to get out than it takes them to change it again. We are adults, and you have more education than I do; I believe you also have more understanding. I know I have been rude, but they were rude to me too. I apologize; you must understand that your behavior only complicates this situation further.
On Mon., Nov 21, 2022 at 4:58 p.m., <fido...@fidoalliance.org> wrote:
You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
To unsubscribe from this group and stop receiving emails from it send an email to fido-dev+u...@fidoalliance.org.