interoperability testing requirements


Luis Eguizabal

Oct 30, 2024, 4:10:06 PM
to FIDO Dev (fido-dev)
Hey guys,

In my effort to understand the requirement to meet the interoperability testing, I'm a bit confused...

I understand that no documents are necessary for interoperability testing but instead all functions are to be demonstrated during the interoperability event.

However, looking at the security requirements, number 1.4 it states that...
https://fidoalliance.org/specs/fido-security-requirements/fido-authenticator-security-requirements-v1.5-fd-20211102.html#privacy

"The vendor SHALL document an Authenticator as a first-factor Authenticator or a second-factor Authenticator"

"Provide the Security Secretariat with a rationale of how the requirement above is met."

"At L1, in addition to the rationale provided by the vendor, this requirement MUST be demonstrated to the Test Proctor during Interoperability Testing. Documentation is not required."


As you can see, within the same requirement it states that we DO and that we DO NOT need documentation.

And in this particular requirement there is no test to be run so how do we "provide the security secretariat with a rationale of how the requirement above is met"? Do we just explain to them verbally during the event?

Sorry, I totally understand how this is probably a very basic question, but it is my first go at something like this and, as you can see, I am a bit lost.

Thank you, I appreciate the help.
Luis

pa...@fidoalliance.org

Oct 30, 2024, 5:36:42 PM
to Luis Eguizabal, FIDO Dev (fido-dev)

Hi Luis,

The current FIDO Certification program for authenticators includes the following (high-level) steps to certification.

  1. Conformance Self‐Validation, where test tools are used to validate that the implementation conforms to the FIDO specifications.
  2. Interoperability Testing, where testing is performed at a proctored event or On Demand to ensure that implementations are functional and compatible with other implementations.
  3. Authenticator Security Evaluation: All authenticators must meet additional security requirements and select at least Level (L1) Authenticator Certification.
  4. Certification Submission, where all the required documentation is submitted as a request for certification.
  5. Trademark Usage (optional). After executing the Trademark License Agreement, implementers may use the FIDO® Certified mark and logo on their product, packaging, and marketing literature.
  6. FIDO Metadata Service Registration (recommended): The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators.

In most cases, these steps are completed in sequential order. Note that some detailed action items affiliated with these high-level steps can be completed in tandem. When referencing FIDO Authenticator Security Requirements, you are referencing a step in the certification process following conformance and interoperability testing (also known as functional certification) during security evaluation of the authnr implementation/product component. There are multiple options (levels) to choose from for security evaluation. At Level 1, a vendor completes a self-attested vendor questionnaire that is then evaluated by the FIDO Security Secretariat and processed. The questions referenced in your post refer to this step in the certification process. FIDO Accredited Security Laboratories are involved in the security evaluation step at higher levels.

I hope this helps clarify FIDO Certification. Please contact certif...@fidoalliance.org if you have further questions.

Thank you,

Paul

Paul Heim | Certification Director | FIDO Alliance

T: +1 623-200-3994

pa...@fidoalliance.org | www.fidoalliance.org


Luis Eguizabal

Oct 30, 2024, 8:24:06 PM
to FIDO Dev (fido-dev), pa...@fidoalliance.org, Luis Eguizabal

Hey Paul,

Thank you for the detailed reply. It helped a lot. I thought the FIDO Authenticator Security Requirements had to do with the conformance self-validation and interoperability testing. Things make more sense now that you explained it.

Thank you
Luis