Re: [FIDO-DEV] Digest for fido-dev@fidoalliance.org - 11 updates in 6 topics

17 views
Skip to first unread message

Perla nallely Guadalupe Alejandre Ramón

unread,
Nov 24, 2022, 12:57:43 AM11/24/22
to FIDO Dev (fido-dev)
Buenas noches como ustedes quieren que trabaje si no ven lo que me están haciendo con mi documentación y eso es algo que no les pertenece como piden algo que ustedes no ofrecen como quieren que yo arregle lo que ustedes hacen yo porque tengo que  confiar en ustedes y ustedes no confían en mí esa documentación no les pertenece y no pienso trabajar para que ustedes gasten me dan lo que es mío y hacemos un acuerdo legal porque miren todo lo que hacen y quieren que trabaje si ustedes no tienen gastos no comen yo sí por eso trabajo pero no para que ustedes gasten y mientras no puedo disponer de mi dinero que ya lo gane porque ustedes lo tienen retenido 

El mié., 23 de noviembre de 2022 4:58 p. m., <fido...@fidoalliance.org> escribió:
Jo Stevens <jo.st...@rocksolidknowledge.com>: Nov 23 09:13AM -0800

Hi Guys, I hope this is the right forum for this.
 
I'm running through the Fido Server Conformance tools and I've got one
failing test
 
Server-ServerAuthenticatorAttestationResponse-Resp-5 Test server processing
"packed" FULL attestation
 
F-10 Send ServerAuthenticatorAttestationResponse with FULL "packed"
attestation, with attStmt.x5c containing full chain, and check that server
returns an error
 
The test passes where it should fail.
 
Could someone help explain why this should fail? A Full attestation means
it requires a chain and a full chain means to me it's a valid chain. Very
difficult to isolate and debug any of these tests so I'm a little stuck.
 
Thanks,
Jo
Shane Weeden <shane....@gmail.com>: Nov 24 05:16AM +1000

I am aware of this test and personally think the test case is overly restrictive and wrong. That said, I believe I can at least explain what is happening.
 
According to section 6.1 of https://datatracker.ietf.org/doc/html/rfc5280:
"A certificate MUST NOT appear more than once in a prospective
certification path."
 
In that test case, the rootCA is included in the x5c of the attestation response. You then try find a trust root from matching metadata.My understanding is that the test authors believe this constitutes a duplicate certificate in the certification path because the CA appears twice at the end.
 
Clearly the authors of the Java certificate validation code I am using don’t think so, because if you take a trust chain that includes a CA, and match it against a copy of that CA, then it works without error.
Similarly if you take a self-signed cert you can do the same thing.
 
Anyway, that’s what I believe is happening.
 
Regards,
Shane.
 
 
 
 
Kevin Goldman <goldma...@gmail.com>: Nov 23 09:36AM -0800

Hi All,
 
I see Apple listed in this grid as supporting conditional UI / autofill
here: https://passkeys.dev/device-support/
 
Yet, iOS doesn't seem to have enabled it in the public release of the
browsers. Is this chart accurate? https://passkeys.dev/device-support/
 
- Kevin Goldman
Tim Cappalli <Tim.Ca...@microsoft.com>: Nov 23 05:39PM

Yep, the matrix is accurate.
 
[cid:467fc577-b37f-48b3-83b6-132e240db920]
 
tim
________________________________
From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of Kevin Goldman <goldma...@gmail.com>
Sent: Wednesday, November 23, 2022 12:36
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] Conditional UI (auto-fill)
 
Hi All,
 
I see Apple listed in this grid as supporting conditional UI / autofill here: https://passkeys.dev/device-support/
 
Yet, iOS doesn't seem to have enabled it in the public release of the browsers. Is this chart accurate? https://passkeys.dev/device-support/
 
- Kevin Goldman
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org<mailto:fido-dev+u...@fidoalliance.org>.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/6a95cda0-a0ad-42d7-b456-9c70b93de54fn%40fidoalliance.org<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Ffidoalliance.org%2Fd%2Fmsgid%2Ffido-dev%2F6a95cda0-a0ad-42d7-b456-9c70b93de54fn%2540fidoalliance.org%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Ctim.cappalli%40microsoft.com%7C5e619eb0ffde4a56f4a108dacd794aa9%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638048218098533773%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzI iLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=DDWG%2F%2FyDGsGzqrIjrJ%2F55PYzQ3TuLBh%2BureuNGdedy0%3D&reserved=0>.
Steven li <changa...@gmail.com>: Nov 22 07:12PM -0800

Hi guys,
 
I have some questions to ask
1. If the USB authenticator supports both CTAP2.1 and CTAP2.0, does it also
need to support CTAP2.1_PRE?
 
2. In the conformance tool of CTAP2.1_PRE, are there any test items that
can be verified?
 
 
Thanks,
Steven
Ackermann Yuriy <ackerma...@gmail.com>: Nov 23 03:34PM +0900

CTAP2.1 PRE is a compatibility flag that specifies that device supports
experimental bioenroll and/or credmanapi
 
The CTAP2.1 conformant device may advertise PRE as well so long it supports
bioenroll and credmanapi on the experimental HID cmds.
 
1. No. It does not have to, but it is adviced.
 
2. FIDO does not explicitly tests PRE as this is informal spec. But if you
do CTAP2.1 certification then you will have bioenroll/credmanapi tested
 
 
--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand <https://github.com/herrjemand>
twitter: @herrjemand <https://twitter.com/herrjemand>
medium: @herrjemand <https://medium.com/@herrjemand>
Steven li <changa...@gmail.com>: Nov 23 01:36AM -0800

Hi Ackermann,
 
Thank you for your prompt reply.
 
Steven
 
Ackermann Yuriy 在 2022年11月23日 星期三下午2:34:40 [UTC+8] 的信中寫道:
 
hetin k <het...@gmail.com>: Nov 23 11:08AM +0530

Thank you all.
 
As Negras <negra...@gmail.com>: Nov 23 05:40AM

Gaukite „Outlook“, skirta „Android“<https://aka.ms/AAb9ysg>
________________________________
From: fido...@fidoalliance.org <fido...@fidoalliance.org> on behalf of hetin k <het...@gmail.com>
Sent: Wednesday, November 23, 2022 7:38:38 AM
To: My1 <teamhyd...@gmail.com>
Cc: Emil Lundberg <em...@yubico.com>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>; Tim Cappalli <Tim.Ca...@microsoft.com>
Subject: Re: [FIDO-DEV] Case of stolen device and same key by muliple user
 
Thank you all.
 
On Wed, 23 Nov 2022 at 02:52, My1 <teamhyd...@gmail.com<mailto:teamhyd...@gmail.com>> wrote:
I would also add the date of creation AND last use, in order to prevent any swaparound ideas (e.g. deleting an existing Key and adding a new one under the same name.
 
Also a notification if anything is changed on the security key side can also be a good option.
 
While maybe not fool proof there are ways. for example FIDO is generally associated with 2FA, be that a password on the Site, or plain and simple UV for the token.
 
@tim I dont think you even need credprotect on that front as long as the site makes sure there's SOME SORT of second factor involved.
 
I mean no matter what credprotect states, if the site forces a password, or even better just UV, the attacker wont get in, without having that.
 
Regards
My1
 
> does stolen device case come under threat model of security key? Does relying party has any concern over stolen device?
 
Yes, the user needs to protect their security key from theft much like they would protect a password or house key. RPs should allow users to add and remove security keys at any time so the user can "revoke" keys they've lost. Ideally, RPs should also allow users to set nicknames for their keys to help keep track of which is which.
 
>is it legitimate to use same key by multiple user? does standard has any guidelines regarding this or it is based on relying party policy?
 
Yes, it is legitimate - both using the same authenticator for multiple accounts, and multiple persons using the same authenticator with a shared account. If the authenticator is well-behaved, the RP cannot tell whether it is being used with multiple accounts or by multiple persons.
 
 
Emil Lundberg
 
Software Engineer | Yubico<http://www.yubico.com/>
 
 
 
On Tue, Nov 22, 2022 at 2:52 PM hetin k <het...@gmail.com<mailto:het...@gmail.com>> wrote:
Hi all,
 
does stolen device case come under threat model of security key? Does relying party has any concern over stolen device?
 
is it legitimate to use same key by multiple user? does standard has any guidelines regarding this or it is based on relying party policy?
 
Thanks
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org<mailto:fido-dev+u...@fidoalliance.org>.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/8f4b49cd-91ed-4bac-a631-dbe6cc8a76cbn%40fidoalliance.org<https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/8f4b49cd-91ed-4bac-a631-dbe6cc8a76cbn%40fidoalliance.org?utm_medium=email&utm_source=footer>.
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org<mailto:fido-dev+u...@fidoalliance.org>.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CANMnvkwQdcDQFmkpndozfmgUhcwY0Te%3DT%3D9_72B6oGM9_2RYFw%40mail.gmail.com<https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CANMnvkwQdcDQFmkpndozfmgUhcwY0Te%3DT%3D9_72B6oGM9_2RYFw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
 
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org<mailto:fido-dev+u...@fidoalliance.org>.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAL-7hFQfev-MybWSfA%3DhYP2G5Hb89TGTPXVobNRorQD1XXdiUw%40mail.gmail.com<https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAL-7hFQfev-MybWSfA%3DhYP2G5Hb89TGTPXVobNRorQD1XXdiUw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
"Perla nallely Guadalupe Alejandre Ramón" <nallelyale...@gmail.com>: Nov 22 08:36PM -0600

Este es un PDF bajado de Chrome beta donde se pidió un préstamo de 26
millones de dólares cuando nunca llegó la tarjeta de mi aplicación de sping
Oxxo el dinero no aparece según ise una compra en la madrugada cuando me
autorizaron la disponibilidad de mi dinero ise una transferencia de mi
wallet en mercado pago tampoco aparece en mi tarjeta de banjercito metí el
enlace y dice que borre mi cuenta y desconecto mi Chrome beta el dinero en
los bancos no está a nombre mio y si an gastado dinero de las cuentas
robaron mi identidad todas esas foto capturas las tengo sinceramente busco
soluciones inmediatas yo creo que arrebaso los límites faltan los demás
pero se los mando conozco mis derechos me aprendí los artículos militares
ya que mi esposo trai los libros y gracias a eso aprendí 17 auditorías me
isieron y me quitaron dinero entre mis investigaciones recopile sus fraudes
sus asuntos ilícitos y los abusos amenazas que le an hecho a otras personas
y todavía quiere el 50% de mis ganancias que no los puedo mal recomendar ni
hablar mal de ellos pero ellos si pueden hablar mal de mi pues cuando
ingresé a mi data españa poco les faltó y me golpean son 17 años que le han
sacado un excelente provecho para que me diga ratera y que avía agarrado lo
que no es mío yo lo siento mucho pero creo estás son cosas que no puedo
callar y las personas deben saber gracias a Dios que soy una ignorante sin
título pero no tengo ni antecedentes penales no robo a nadie y con mucho
orgullo digo mi dinero es limpio sin perjudicar a nadie el fraude es un
delito mayor y la estafa es mucho más grabe ya que es internacional la
estorción tecnológica el robo de datos firma he identidad y no pienso
quedarme callada además no verifican mi cuenta porque tendría que hacer una
rueda de prensa y no les conviene independientemente s 👍🏻e iso pasar por
las autoridades federales IRS etc y todavía sigue bloqueando mi cuenta y
tal vez si soy ratera pero mi mamá dice que ladrón que roba ladrón tiene
mil años de perdón y más cuando es para hacer cosas buenas ahora así como
exigen nesesito soluciones inmediatas
"Perla nallely Guadalupe Alejandre Ramón" <nallelyale...@gmail.com>: Nov 22 04:59PM -0600

Disculpe si tal vez crea que soy grosera hasta me duele mi cabeza cambiando
la contraseña y cuando pienso que ya tendré acceso más demoro en salir que
ellos en volver a cambiarla somos personas adultas y tienen más educación
que yo creo también tienen más entendimiento se que he sido grosera pero
también lo fueron ellos conmigo les pido disculpas deben entender que su
comportamiento solo complica más está situación
 
El lun., 21 de noviembre de 2022 4:58 p. m., <fido...@fidoalliance.org>
escribió:
 
You received this digest because you're subscribed to updates for this group. You can change your settings on the group membership page.
To unsubscribe from this group and stop receiving emails from it send an email to fido-dev+u...@fidoalliance.org.
Reply all
Reply to author
Forward
0 new messages