Enterprise Attestation in practice


Raphael Moreira

Mar 31, 2022, 9:20:23 AM3/31/22
to FIDO Dev (fido-dev)
Hello,

I'm searching for guidance about enterprise attestation and the way to implement it from a manufacturer point of view.
As far as I understand it, if the relying party requests an enterprise attestation and the authenticator supports it for that relying party, the authenticator may return an enterprise attestation that contains an identifier unique to the authenticator.
It is unclear to me where the relying party finds this identifier.
Is it the AAGUID? I thought it could be based on FIDO White Paper Choosing FIDO Authenticators for Enterprise Use Cases (fidoalliance.org), but then we lose the model identifier.
Is it expected that there is an enterprise attestation certificate per authenticator, with a unique identifier in the certificate?

Another question about the RPID list built into the authenticator. In the case of "vendor-facilitated enterprise attestation", the manufacturer burns the list into each authenticator. Would we stay compliant if the list is written by an authenticator management system? The use case would be the following:
  - the manufacturer provides the authenticators and the management system
  - the customer configures the management system so that it personalizes the authenticators with a certain RPID list
  - the customer personalizes the authenticator with the management system: the RPID list and the unique identifier are written to the authenticator

Thank you for your consideration

kile

Apr 13, 2022, 9:48:34 AM4/13/22
to Raphael Moreira, FIDO Dev (fido-dev)

Hello,

I also have the questions below.

Is it supposed to use a per-authenticator AAGUID for enterprise attestation and a per-model AAGUID for non-enterprise attestation?

Raphael, did you get the answer? Or can anybody help?

Thank you.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/da1bacaa-8475-4a80-8f37-b1e81769ae0an%40fidoalliance.org.

Raphaël Moreira

Apr 13, 2022, 9:56:43 AM4/13/22
to FIDO Dev (fido-dev), kil...@gmail.com, rmor...@hidglobal.com
Hello,

You are the first person to react on my post, so no, I have no answer for now, but I still hope!

Regards

Arshad Noor

Apr 15, 2022, 12:41:15 PM4/15/22
to Raphael Moreira, FIDO Dev (fido-dev)

Hi Raphael,

The whole point of enterprise attestation is to leave it sufficiently vague - yet flexible - to allow enterprises to choose whatever security policy/process they want when registering FIDO Authenticators for enterprise use-cases. This implies:

  1. That the enterprise can choose that a specific certificate chain be used for enterprise attestation, including that the enterprise dynamically generate the certificate chain at the registration time;
  2. That the enterprise may use its own PKI or specify very controlled requirements for the vendor's PKI that engenders trust in the registration and attestation;
  3. That the enterprise can supply a unique AAGUID as part of the identification & verification (I&V) process, which must be used by the Authenticator;
  4. Etc.

The FIDO attestation is primarily intended to provide an in-band mechanism for the RP to determine how much trust it can establish for a specific Authenticator based on extraneous data the attestation provides. The enterprise attestation is merely a vehicle to allow enterprises to choose their own extraneous data. The specific mechanics need to be worked out between the RP and the vendor prior to the FIDO deployment, and will almost certainly be unique for each enterprise.

This is not unlike a PKI. Anyone that has solid PKI and FIDO experience can provide all the necessary information and controls to make this work.

Hope this helps.

Arshad Noor
StrongKey

Arshad Noor

Apr 15, 2022, 12:46:15 PM4/15/22
to kile, FIDO Dev (fido-dev)

Very likely. The whole point of enterprise attestation is that there is NO privacy - the enterprise needs to know precisely:

  • WHO is registering?
  • WHAT I&V process was used to validate the identity of the user?
  • WHAT Authenticator is being used to register?
  • HOW can that Authenticator be uniquely identified now and in the future?
  • WHAT guarantee does the Authenticator provide to assure the enterprise that they can trust all of the above?

The standard WebAuthn/FIDO protocols are for the masses; enterprise use of FIDO is no different from a PKI - just uses the FIDO protocols instead of TLS ClientAuth. Once you figure that out, everything else becomes simple.

Arshad Noor
StrongKey


Kile

Apr 16, 2022, 7:40:44 AM4/16/22
to FIDO Dev (fido-dev), Arshad Noor
Thank you for your reply.
Kile