Trusted certifications of key vendors


Ziutek Wadowski

Aug 11, 2023, 8:48:00 AM
to FIDO Dev (fido-dev)
Hi,

We have implemented a client authentication system based on FIDO2 keys. Unfortunately, sometimes our customers try to register a key that our system rejects. The reason is the lack of a certificate in the list of certified key producers. We downloaded the certificate trust store from https://fidoalliance.org/metadata/ (https://mds3.fidoalliance.org/), but some root CAs do not exist in the list. These are some examples:

Subject: C=DE, O=Swissbit AG, CN=iShield Key FIDO2, OU=Authenticator Attestation
Issuer:  C=DE, O=Swissbit AG, CN=Swissbit FIDO Root CA

Subject: C=US, ST=North Carolina, O=CryptoTrust, OU=Authenticator Attestation, CN=crp.to/emailAddress=in...@crp.to
Issuer:  C=US, ST=North Carolina, O=CryptoTrust, OU=Root CA, CN=crp.to/emailAddress=in...@crp.to

Subject: C=US, ST=CA, L=San Jose, O=Synaptics, Inc., OU=Authenticator Attestation, CN=Synaptics
Issuer:  C=US, ST=CA, L=San Jose, O=Synaptics, Inc., OU=PCD, CN=Synaptics CA/emailAddress=cert-au...@synaptics.com
Did these key vendors receive FIDO2 certification?

Regards,
Jozef Wadowski

My1

Aug 11, 2023, 9:17:25 AM
to FIDO Dev (fido-dev), Ziutek Wadowski
I would say if this is a system targeting end users, certificates shouldn't be enforced, aside from newer keys that might even be certified but not in the Metadata Service (Solo 2 was for months, or maybe even still is, affected), and also, if users can be expected to use phone-based passkeys, attestation is dying off too.

Enforcing is usually good if it's internal and you really want to restrict the types of FIDO2 devices.

Regards
My1
