AAGIUD value

82 views
Skip to first unread message

Baljeet Sandhu

unread,
Dec 8, 2021, 3:03:20 PM12/8/21
to FIDO Dev (fido-dev)
Hello group

Looking for some clarification, cant find in the spec

During attestation:
When "attestation": "direct" is set and
Attestation type is one of (packed, TPM, Android SafetyNet)

Is the authenticator mandated to supply a non zero AAGUID? 

Thank you
Baljeet

Philipp Junghannß

unread,
Dec 8, 2021, 3:17:08 PM12/8/21
to Baljeet Sandhu, FIDO Dev (fido-dev)
honestly not sure, is the AAGUID supposed to be supplied by the FIDO alliance or do makers just spin up the RNG and hope for the best?
because in the former case the Authenticator couldnt have a AAGUID if the maker didnt go through the alliance.

in the latter case however I could reasonably think that you must bring an AAGUID

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended to be for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is prohibited.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/e55a02bb-b06d-45bc-9afa-f511b66bdc7an%40fidoalliance.org.

Adam Langley

unread,
Dec 8, 2021, 7:14:42 PM12/8/21
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), baljeet...@hypr.com
On Wednesday, December 8, 2021 at 12:17:08 PM UTC-8 My1 wrote:
honestly not sure, is the AAGUID supposed to be supplied by the FIDO alliance or do makers just spin up the RNG and hope for the best?
because in the former case the Authenticator couldnt have a AAGUID if the maker didnt go through the alliance.

in the latter case however I could reasonably think that you must bring an AAGUID

AAGUIDs are randomly generated. A device must have one; it's required in the protocol. At the WebAuthn level the field might be replaced with zeros, but that's not a CTAP2 concept. At the CTAP2 level, if you don't want to return an attestation that is rooted in an external authority then a `self` attestation should be returned.


Cheers

AGL

Baljeet Sandhu

unread,
Dec 8, 2021, 8:52:03 PM12/8/21
to FIDO Dev (fido-dev), alan...@gmail.com, My1, FIDO Dev (fido-dev), Baljeet Sandhu
Thank you.

Is this mentioned somewhere in the spec? 
It says NONE attestation can have 0'ed AAIDs but I cant find a statement for Packed attestation.

Adam Langley

unread,
Dec 9, 2021, 12:49:24 PM12/9/21
to FIDO Dev (fido-dev), baljeet...@hypr.com, Adam Langley, My1, FIDO Dev (fido-dev)
On Wednesday, December 8, 2021 at 5:52:03 PM UTC-8 baljeet...@hypr.com wrote:
Thank you.

Is this mentioned somewhere in the spec? 
It says NONE attestation can have 0'ed AAIDs but I cant find a statement for Packed attestation.

CTAP doesn't seem to have an opinion on this, which it probably should, but WebAuthn says:

"Additionally, each authenticator has an AAGUID, which is a 128-bit identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID MUST be chosen by the manufacturer to be identical across all substantially identical authenticators made by that manufacturer, and different (with high probability) from the AAGUIDs of all other types of authenticators. The AAGUID for a given type of authenticator SHOULD be randomly generated to ensure this."


Cheers

AGL

Gastón Axel Lacuesta

unread,
Dec 11, 2021, 7:04:06 AM12/11/21
to FIDO Dev (fido-dev), alan...@gmail.com, baljeet...@hypr.com, My1, FIDO Dev (fido-dev)

Hello. Making my first little contribution in this group, hope this helps.

During FIDO Server 2.0 certification testing there's a test in attestation/result that asks for AAGUID to be 0x000 and if it's not 0x00 then asks the FIDO 2.0 Server to return a failure in this case.
Reply all
Reply to author
Forward
0 new messages