Self-testing Tool and Certificates


Ching Lin

Jan 6, 2021, 3:04:53 AM1/6/21
to FIDO Dev (fido-dev)
Hi,

We are currently developing a FIDO2 WebAuthn external USB key.
We were wondering if we should apply for a certificate signed by the FIDO Alliance in advance and use it for self-validation.

Also, when we are implementing our USB key, when is it required for us to write the certificate signed by the FIDO Alliance to our key so that FIDO servers can recognize our authenticator?


Best wishes,
Vince

Arshad Noor

Jan 6, 2021, 4:04:55 AM1/6/21
to Ching Lin, FIDO Dev (fido-dev)
Vince,

NOTE: I am not speaking for the FIDO Alliance, but am only relating what
I understand of their current process based on my participation within
the FIDO Alliance, and of my experience with X.509 digital certificates
and PKI over 20 years.

FIDO Alliance does not issue X.509 digital certificates for attestation
of Authenticators. The certificate they issue is a "badge for having
passed interoperability tests" - it attests to the fact that your
product has undergone interoperability tests by the FIDO Alliance or its
agents - it looks like the following AFTER you have passed the tests:

https://github.com/StrongKey/fido2

As a manufacturer of an external USB Authenticator (Security Key), if
you choose to provide attestations with your Security Keys to FIDO
servers, you are required to generate your own Attestation key-pair(s),
create your own X.509 digital certificates and inject them in your
Security Keys as part of a secure manufacturing process. How you
implement that process is entirely up to you.

While the FIDO Alliance does not specify details about how Authenticator
manufacturers should create and manage their Attestation Keys and/or
process for their lifecycle, the PKI industry has more than a quarter
century of technical "best practices" on what makes a trustworthy
digital certificate. While there is no specific book on how to implement
these practices, you can learn from RFCs like RFC-5280 or from the
Certificate Policy (CP) and Certification Practice Statements (CPS) like
those described at https://letsencrypt.org/repository/ and at some
third-party CA websites.

Note that it is NOT required that you use a third-party CA-issued
digital certificate for FIDO attestations (although it is conceivable
that you could use a third-party CA certificate chain for your
Authenticator, to the best of my knowledge I'm not sure any
Authenticator currently does, although I could be wrong on that).

Hope that helps.

Arshad Noor
StrongKey

Rolf Lindemann

Jan 6, 2021, 4:35:22 AM1/6/21
to Ching Lin, FIDO Dev (fido-dev)
Hi Vince,

You should (1) get your Authenticator FIDO certified (https://fidoalliance.org/certification/) and (2) make sure the Metadata Statement of your authenticator gets published on the FIDO Alliance Metadata Service (https://fidoalliance.org/metadata/).

Relying parties will then be able to find all details of your authenticator (incl. your attestation root certificate).

Kind regards,
   Rolf


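The two replies above describe both halves of the attestation trust model: the vendor generates its own attestation root and per-batch attestation certificates at manufacturing time, and relying parties check an authenticator's attestation certificate against the root published in the vendor's metadata statement. The following Go program is an added example, not code from the thread or from the FIDO Alliance; the subject names are constructed, and `attestationRootCertificates` is assumed to carry base64-encoded DER as the metadata statement format does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// NewCert generates a P-256 key and its certificate. With parent == nil it is the vendor's
// self-signed attestation root; otherwise an attestation certificate issued under parent.
func NewCert(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn}, // constructed example name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // root: CA constraints, certSign usage, signed with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAttestation is the relying-party check: accept the authenticator's attestation
// certificate (DER) only if it chains to one of the published roots (base64 DER).
func VerifyAttestation(attDER []byte, attestationRootCertificates []string) error {
	pool := x509.NewCertPool()
	for _, b64 := range attestationRootCertificates {
		der, err := base64.StdEncoding.DecodeString(b64)
		if err != nil { return err }
		root, err := x509.ParseCertificate(der)
		if err != nil { return err }
		pool.AddCert(root)
	}
	att, err := x509.ParseCertificate(attDER)
	if err != nil { return err }
	_, err = att.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

The private keys returned by `NewCert` stay on the vendor's manufacturing side; only the root certificate is published and only the attestation certificate is loaded into the key.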

Ching Lin

Jan 7, 2021, 1:24:39 AM1/7/21
to FIDO Dev (fido-dev), Rolf Lindemann, FIDO Dev (fido-dev), Ching Lin
Thank you so much for the reply. 
I really appreciate it. 
I will see how it goes!
