Attestation certificate expiration/renewal after burnt


Manu Pedia

Sep 10, 2021, 10:19:16 AM
to FIDO Dev (fido-dev)
Hi,

I am developing a FIDO applet (Java Card). Once the attestation certificate and its keys are burnt into the card/device, what happens if the certificate comes to its expiration date? For now, for testing, the expiration of my 'child' certificate is set to a 15-year expiration date.
If the user keeps the FIDO card that long, how should I deal with an expired attestation certificate / keys on the card? Same question if the certificate gets revoked.

  • Should I implement a mechanism (as secure as possible) to allow updating the attestation certificate and keys on the card? That could be a security issue, couldn't it? Any recommendation? Might I have missed something in the documentation?
  • Should I generate a certificate with no expiration date? Anyway, it would not solve a potential revocation of the certificate.

Thanks for your help,
Best regards

John Bradley

Sep 10, 2021, 5:00:09 PM
to Manu Pedia, FIDO Dev (fido-dev)
The revocation list for batch attestations is in the FIDO MDS. You don't need to do anything to the authenticator.

As an example, the batch certificates in YubiKeys expire in 2050. So there is precedent for setting a long expiry date.

At that point an RP may not allow registering new credentials, but they will still work for authentication.

While a key may still be functional in that amount of time I am guessing that post quantum and other things may make continuing to use an authenticator that old unwise long before the certificate expires.

John B. 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/17643171-6723-41b5-8b1b-631dc22f3d47n%40fidoalliance.org.
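The split John describes (revocation and expiry are handled on the relying-party side at registration time, and credentials that were already accepted keep authenticating) can be made concrete in RP code. The following Python is an added example written for this thread, not code from the FIDO Alliance, the MDS, or any authenticator vendor. The MDS entries, AAGUIDs and dates in it are constructed to look like MDS3 BLOB entries (aaguid, statusReports with status/effectiveDate, timeOfLastStatusChange); a real deployment must first verify the BLOB's JWS signature against the MDS root and check its nextUpdate. The RelyingParty, AttestationInfo and StoredCredential names are hypothetical, and chain validation of the attestation certificate is assumed to have been done by the caller.

```python
"""RP-side policy for attestation expiry / MDS revocation (added example).

Registration consults the MDS status and the attestation certificate's
notAfter; authentication uses only the public key stored at registration,
so an expired or later-revoked batch certificate does not lock users out.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# MDS3 AuthenticatorStatus values that should stop an RP from accepting *new*
# registrations from the affected model or batch. How to treat the remaining
# statuses (FIDO_CERTIFIED*, UPDATE_AVAILABLE, NOT_FIDO_CERTIFIED, ...) is an
# RP policy choice, so they are left out of this set.
BLOCKING_STATUSES = {
    "REVOKED",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_VERIFICATION_BYPASS",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

# Constructed MDS-style entries (invented AAGUIDs and dates, not real MDS data).
MDS_ENTRIES: List[dict] = [
    {   # a batch whose attestation key is reported compromised in 2030
        "aaguid": "00000000-0000-0000-0000-00000000abcd",
        "timeOfLastStatusChange": "2030-01-15",
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2021-06-01"},
            {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2030-01-15",
             "certificate": "<base64 DER of the compromised batch certificate>"},
        ],
    },
    {   # a model that stays in good standing
        "aaguid": "00000000-0000-0000-0000-00000000ef01",
        "timeOfLastStatusChange": "2021-06-01",
        "statusReports": [
            {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2021-06-01"},
        ],
    },
]


@dataclass(frozen=True)
class AttestationInfo:
    """What the RP learned from a registration's attestation statement.
    Assumed already done by the caller: parsing the attestation object and
    validating the chain up to the root listed in the MDS entry."""
    aaguid: str
    cert_not_after: date  # notAfter of the leaf (batch) attestation certificate


@dataclass(frozen=True)
class StoredCredential:
    """A credential the RP accepted earlier. The attestation certificate is
    not retained; the COSE public key (omitted here) is all that is needed."""
    credential_id: str
    aaguid: str
    registered_on: date


def current_status(entry: dict, at: date) -> Optional[str]:
    """Status in force on `at`: the newest report whose effectiveDate has
    passed. Reports are not assumed to be sorted in the BLOB."""
    in_force = [r for r in entry["statusReports"]
                if date.fromisoformat(r["effectiveDate"]) <= at]
    if not in_force:
        return None
    return max(in_force, key=lambda r: r["effectiveDate"])["status"]


class RelyingParty:
    def __init__(self, mds_entries: List[dict]) -> None:
        self.mds = {e["aaguid"].lower(): e for e in mds_entries}
        self.credentials: Dict[str, StoredCredential] = {}

    def register(self, credential_id: str, att: AttestationInfo,
                 today: date) -> Tuple[bool, str]:
        """Gate for *new* credentials: this is where expiry and revocation bite."""
        entry = self.mds.get(att.aaguid.lower())
        if entry is None:
            return False, "AAGUID not in MDS"
        status = current_status(entry, today)
        if status is None:
            return False, "no MDS status report in force yet"
        if status in BLOCKING_STATUSES:
            return False, f"MDS status {status}"
        if att.cert_not_after < today:
            return False, "attestation certificate expired"
        self.credentials[credential_id] = StoredCredential(credential_id, att.aaguid, today)
        return True, f"MDS status {status}"

    def authenticate(self, credential_id: str) -> Tuple[bool, str]:
        """Existing credentials keep working: the assertion signature (over
        authenticatorData || SHA-256(clientDataJSON), check omitted here) is
        verified with the stored key; attestation is not re-evaluated."""
        cred = self.credentials.get(credential_id)
        if cred is None:
            return False, "unknown credential"
        return True, f"credential {cred.credential_id} accepted with the key stored on {cred.registered_on}"


if __name__ == "__main__":
    rp = RelyingParty(MDS_ENTRIES)
    batch = AttestationInfo("00000000-0000-0000-0000-00000000abcd", date(2036, 9, 10))
    print("register 2022:", rp.register("cred-1", batch, date(2022, 1, 1)))
    print("register 2031:", rp.register("cred-2", batch, date(2031, 1, 1)))
    print("authenticate cred-1 in 2037:", rp.authenticate("cred-1"))
```

The same card that can no longer enrol new credentials in 2031 (its batch key is reported compromised) still authenticates the credential it registered in 2022, which is the behaviour John's reply describes; an RP that wants to be stricter about existing credentials would re-query the stored AAGUID against the USER_KEY_* statuses, a choice this example deliberately does not make.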