How should I handle UPDATE_AVAILABLE on MDS?


jun inaba

Sep 12, 2022, 7:07:49 AM
to FIDO Dev (fido-dev)
Hello,

When an authenticator is reported as having one of the 'Security Notification Statuses' and the vendor fixes it, I think MDS will deliver something like the following example.

```json
"statusReports": [
    {
        "status": "USER_VERIFICATION_BYPASS",
        "effectiveDate": "2014-01-07"
    },
    {
        "status": "USER_KEY_REMOTE_COMPROMISE",
        "effectiveDate": "2014-01-07"
    },
    {
        "status": "UPDATE_AVAILABLE",
        "effectiveDate": "2014-02-19",
        "url": "https://example.com/update1234",
        "authenticatorVersion": 123
    }
],
```

https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#info-statuses

In this case, does the statusReports field indicate that an authenticator updated to version 123 fixes all of the reported vulnerabilities (both USER_VERIFICATION_BYPASS and USER_KEY_REMOTE_COMPROMISE)?

And can the RP know whether the authenticator the user is using is at version 123 or later?
My understanding is that the RP can get the firmware version only from TPM attestation.
https://www.w3.org/TR/webauthn-3/#sctn-tpm-attestation

Can the RP use that value to check whether the authenticator the user is using has already been updated?
Except for TPM, the RP can't get the firmware version of the authenticator the user is using, so the RP can't control it?

Thank you,
Jun Inaba
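
As an added example (my own code, not from the thread and not part of the FIDO MDS project), here is an RP-side evaluation of a statusReports array like the one above against the authenticator version the RP has observed from attestation. The reading that an UPDATE_AVAILABLE entry carrying an authenticatorVersion resolves the security notifications dated before it is an assumption, since the thread does not settle it; the `Assessment` type, the `assess` function and the "unknown" outcome for attestation formats that expose no version are mine.

```python
"""RP-side evaluation of MDS v3 statusReports against an observed
authenticator version. Added example, not code from the thread.
Assumption: an UPDATE_AVAILABLE report carrying authenticatorVersion
is taken to fix the security notifications dated before it."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# AuthenticatorStatus values that MDS v3 lists as security notifications
SECURITY_NOTIFICATIONS = {
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
}

# Constructed sample, copied from the statusReports shown in the post above
SAMPLE_STATUS_REPORTS = [
    {"status": "USER_VERIFICATION_BYPASS", "effectiveDate": "2014-01-07"},
    {"status": "USER_KEY_REMOTE_COMPROMISE", "effectiveDate": "2014-01-07"},
    {"status": "UPDATE_AVAILABLE", "effectiveDate": "2014-02-19",
     "url": "https://example.com/update1234", "authenticatorVersion": 123},
]


@dataclass
class Assessment:
    decision: str                         # "accept", "reject" or "unknown"
    open_issues: List[str] = field(default_factory=list)
    fix_version: Optional[int] = None     # authenticatorVersion that closes open_issues


def assess(status_reports, observed_version: Optional[int]) -> Assessment:
    """Walk the reports in date order and decide whether an authenticator
    at observed_version (None when the attestation format exposes no
    version) is acceptable under the assumption stated above."""
    reports = sorted(status_reports,
                     key=lambda r: date.fromisoformat(r["effectiveDate"]))
    open_issues: List[str] = []
    fix_version: Optional[int] = None
    for report in reports:
        status = report["status"]
        if status == "REVOKED":
            # Revocation is final, whatever else was reported
            return Assessment("reject", ["REVOKED"])
        if status in SECURITY_NOTIFICATIONS:
            open_issues.append(status)
            # A notification dated after an update is not covered by that update
            fix_version = None
        elif status == "UPDATE_AVAILABLE" and "authenticatorVersion" in report:
            fix_version = int(report["authenticatorVersion"])
    if not open_issues:
        return Assessment("accept", [], fix_version)
    if fix_version is None:
        # Vulnerabilities reported and no fixing version published yet
        return Assessment("reject", open_issues)
    if observed_version is None:
        # The RP has no version to compare: this is a policy decision, not a technical one
        return Assessment("unknown", open_issues, fix_version)
    if observed_version >= fix_version:
        return Assessment("accept", [], fix_version)
    return Assessment("reject", open_issues, fix_version)


if __name__ == "__main__":
    for version in (123, 122, None):
        print(version, assess(SAMPLE_STATUS_REPORTS, version))
```

With the sample above, version 123 or later is accepted, 122 is rejected with both notifications still open, and a registration whose attestation format carries no version comes back as "unknown", which is exactly the case the question raises for non-TPM attestations.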

Ackermann Yuriy

Sep 12, 2022, 7:19:05 AM
to jun inaba, FIDO Dev (fido-dev)
Firmware version is equivalent to authenticatorVersion in metadata

--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand

jun inaba

Sep 12, 2022, 9:45:42 AM
to FIDO Dev (fido-dev), Ackermann Yuriy, FIDO Dev (fido-dev), jun inaba
Thank you for your response.

Can I ask additional questions?

1. Does the `UPDATE_AVAILABLE` status mean that all vulnerabilities reported before it (like USER_VERIFICATION_BYPASS) are fixed? For example, does the metadata in my first post mean that `USER_VERIFICATION_BYPASS` and `USER_KEY_REMOTE_COMPROMISE` are fixed at authenticatorVersion 123?

2. Can the RP know the firmware version only from TPM attestation under the current WebAuthn specification? (Can't the RP know the firmware version from packed or other attestation formats?)

Thank you,
Jun Inaba

On Monday, September 12, 2022 at 20:19:05 UTC+9, Ackermann Yuriy wrote:

John Bradley

Sep 12, 2022, 10:35:11 AM
to jun inaba, FIDO Dev (fido-dev), Ackermann Yuriy
This part of metadata made more sense for UAF where the version is exposed to the RP and the RP or the RP’s app could trigger an update.  

Other than for some TPM attestations the FW version is not directly exposed.  

At least for Yubikey the batch certificates are rotated every 100,000 keys or when the FW version changes. 

If there were a user verification bypass, the dictionary entry would contain the hashes of the batch certificates impacted. 

At least that is the MDS theory. 

I don’t know if other authenticator vendors are doing the same thing for attestations. 

CTAP 2.1 also reports the FW version to the Fido client in the OS/browser.  If something critical were to happen, the browser would likely warn the user as well.  

John B. 

Sent from my iPhone

On Sep 12, 2022, at 6:45 AM, jun inaba <inabajun...@gmail.com> wrote:

Thank you for your response.
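
As an added example (my own code, not from the thread or from any vendor's implementation) of the two points John makes: the firmware version the RP can read from a TPM attestation, and the per-certificate matching MDS relies on for other formats. The first function parses the TPMS_ATTEST structure that WebAuthn's tpm attestation carries in certInfo and returns its firmwareVersion field; the certInfo bytes are constructed here by `build_cert_info`, not taken from a real TPM. The second function assumes the status report carries the affected attestation certificate as base64 DER in a `certificate` member (the MDS v3 StatusReport field) and compares it with the registration's attestation certificate by SHA-256 of the DER; the thread speaks of hashes, so a deployment that stores digests instead would compare those directly.

```python
"""Reading firmwareVersion from a TPM attestation certInfo (TPMS_ATTEST) and
matching a statusReport to an attestation certificate. Added example, not
code from the thread. TPMS_ATTEST layout per TPM 2.0 Part 2 as used by
WebAuthn tpm attestation; all sample bytes below are constructed."""
import base64
import hashlib
import struct
from typing import Dict

TPM_GENERATED_VALUE = 0xFF544347   # TPMS_ATTEST.magic
TPM_ST_ATTEST_CERTIFY = 0x8017     # TPMS_ATTEST.type for TPM2_Certify


def _tpm2b(buf: bytes, off: int):
    """Read a TPM2B_* (2-byte big-endian size + bytes); return (bytes, new offset)."""
    (size,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + size > len(buf):
        raise ValueError("TPM2B size exceeds buffer")
    return buf[off:off + size], off + size


def parse_tpms_attest(cert_info: bytes) -> Dict[str, object]:
    """Parse a TPMS_ATTEST of type TPM_ST_ATTEST_CERTIFY and return its fields."""
    magic, attest_type = struct.unpack_from(">IH", cert_info, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("certInfo.magic is not TPM_GENERATED_VALUE")
    if attest_type != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("certInfo.type is not TPM_ST_ATTEST_CERTIFY")
    off = 6
    qualified_signer, off = _tpm2b(cert_info, off)   # TPM2B_NAME
    extra_data, off = _tpm2b(cert_info, off)         # TPM2B_DATA (WebAuthn: hash of attToBeSigned)
    # TPMS_CLOCK_INFO: clock u64, resetCount u32, restartCount u32, safe u8
    clock, reset_count, restart_count, safe = struct.unpack_from(">QIIB", cert_info, off)
    off += 17
    (firmware_version,) = struct.unpack_from(">Q", cert_info, off)
    off += 8
    # TPMS_CERTIFY_INFO: name TPM2B_NAME, qualifiedName TPM2B_NAME
    name, off = _tpm2b(cert_info, off)
    qualified_name, off = _tpm2b(cert_info, off)
    if off != len(cert_info):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {
        "qualifiedSigner": qualified_signer, "extraData": extra_data,
        "clock": clock, "resetCount": reset_count, "restartCount": restart_count,
        "safe": safe, "firmwareVersion": firmware_version,
        "name": name, "qualifiedName": qualified_name,
    }


def build_cert_info(firmware_version: int, extra_data: bytes = b"\x00" * 32) -> bytes:
    """Construct a well-formed certInfo for testing (sample data, not from a real TPM)."""
    def tpm2b(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    name = b"\x00\x0b" + b"\x11" * 32          # TPM_ALG_SHA256 name with a constructed digest
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + tpm2b(b"\x00\x0b" + b"\x22" * 32)  # qualifiedSigner, constructed
            + tpm2b(extra_data)
            + struct.pack(">QIIB", 1000, 1, 0, 1)
            + struct.pack(">Q", firmware_version)
            + tpm2b(name) + tpm2b(name))


def status_report_for_certificate(status: str, effective_date: str, cert_der: bytes) -> dict:
    """Build a constructed StatusReport that names one affected certificate (base64 DER)."""
    return {"status": status, "effectiveDate": effective_date,
            "certificate": base64.b64encode(cert_der).decode("ascii")}


def report_affects_certificate(report: dict, attestation_cert_der: bytes) -> bool:
    """True when the report's `certificate` member denotes the attestation
    certificate in hand; compared by SHA-256 of the DER bytes."""
    listed = report.get("certificate")
    if listed is None:
        return False
    listed_der = base64.b64decode(listed)
    return hashlib.sha256(listed_der).digest() == hashlib.sha256(attestation_cert_der).digest()


if __name__ == "__main__":
    info = parse_tpms_attest(build_cert_info(123))
    print("firmwareVersion from certInfo:", info["firmwareVersion"])
```

In a real verification the certInfo is taken from the attestation statement after its signature and extraData have been checked; the parser above only extracts the fields, and the firmwareVersion it returns is what a TPM-attested registration can feed into a version comparison against the MDS entry, which, as noted above, other attestation formats cannot provide.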