Hello,
When the authenticator is reported having 'Security Notification Statuses' and vender fix it, MDS will deliver like following example I think.
```
"statusReports": [
{
"status": "USER_VERIFICATION_BYPASS",
"effectiveDate": "2014-01-07"
},
{
"status": "USER_KEY_REMOTE_COMPROMISE",
"effectiveDate": "2014-01-07"
},
{
"status": "UPDATE_AVAILABLE",
"effectiveDate": "2014-02-19",
"url": "
https://example.com/update1234",
"authenticatorVersion": 123
}
],
```
https://fidoalliance.org/specs/mds/fido-metadata-service-v3.0-ps-20210518.html#info-statusesIn this case, does the statusReports field indicate that the authenticator updated to 123 fixes all of reported vulnerability(both USER_VERIFICATION_BYPASS and USER_KEY_REMOTE_COMPROMISE)?
And can RP know the authenticator that user use over version 123 or not?
My understanding is that RP can get firmwareversion from only tpm attestation.
https://www.w3.org/TR/webauthn-3/#sctn-tpm-attestationCan RP use the value to check the authenticator that user use is updated already?
Except for tpm, RP can't get authenticator firmwareversion that user use so RP can't control it?
Thank you,
Jun Inaba