I am developing a FIDO applet (Java Card). Once the attestation certificate and its keys are burnt into the card/device, what happens if the certificate reaches its expiration date? For now, for testing, the expiration of my 'child' certificate is set to 15 years.
If the user keeps the FIDO card that long, how should I deal with an expired attestation certificate / keys on the card? Same question if the certificate gets revoked.
- Should I implement a mechanism (as secure as possible) to allow updating the attestation certificate and keys on the card? That could be a security issue, couldn't it? Any recommendation? Might I have missed something in the documentation?
- Should I generate a certificate with no expiration date? Anyway, it would not solve a potential revocation of the certificate.