About Relying Party and FIDO Server Communication protocol


Toufiq Mahmud

Oct 20, 2015, 3:07:56 AM
to FIDO Dev (fido-dev)
Dear FIDO Dev,

I need help. My team and I are planning to start FIDO server and client development. In the FIDO spec I didn't find a detailed guideline about the FIDO Server, i.e. how the FIDO Server and the RP will communicate with each other.

After reading comments in this forum, I have come to know that the FIDO Server (FS) and the RP can be deployed on separate machines or on the same machine. Actually, the FS will expose some API which the RP can call.

But the problem is: how will the FS identify whether the RP is real or fake? Or is it necessary to identify the RP's information at all? Because the FS only exposes an API, anyone can call those exposed APIs. I am concerned about FIDO certification, that's why I asked. Please guide me if someone can.

How will the FS and the RP communicate? By using HTTPS or another way (like REST, SOAP)? I need to know the security concerns about these two entities.

Another question: I have added a sequence diagram about the FIDO registration process. There I found a term "RP Web Server", which returns a facetID list (some URLs).
I'm not clear on the task of the RP Web Server. Is this a container like Tomcat/JBoss/Glassfish? If yes, then how can it get the facetID information?

I'm eagerly waiting for help.

Thanks in advance.

Regards,
Toufiq
fido-uaf-protocol-reg-sequence-diagram.png

Fabro, Loic

Oct 20, 2015, 9:31:53 AM
to Toufiq Mahmud, FIDO Dev (fido-dev)
Hi Toufiq,

The FIDO specification leaves out how the RP and FIDO server communication happens. The current trend in the tech world is to use REST APIs, but anything you want to use is fine (SOAP, proprietary protocol, etc.). Of course, it is highly recommended to use a secure protocol (e.g. SSL) for the transport layer.
While this is also not explicitly mandated, it is probably a good idea to make sure that the RP identifies itself with the FIDO Server/Service so that you don’t end up with spoofed registration (or authentication requests).

In regards to the FacetID question: think of the FacetID as a way to identify how the user is accessing the RP app. For example, Facebook (I have no relation with them) has a web and a mobile app (i.e. "two" relying party applications/interfaces likely sharing some of the backend components). Today, as an end user, when I authenticate with Facebook, I use the same credentials going through the mobile or the web application. Under the covers, the web and mobile apps are (likely) using similar but different APIs/endpoints. The FacetID in the FIDO world is an attempt to create a behavior/capability so that I can register once with Facebook and have my local FIDO Client handle both mobile and web Facebook application authentication requests (i.e. one workflow going through my browser, another one going through my mobile app).

Thanks,
Loic.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at http://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/272b6ef2-d96d-4d8f-9301-bb0b1f838917%40fidoalliance.org.
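Two points in Loic's reply are worth seeing in code: the FS should authenticate the RP that calls it so spoofed registration or authentication requests are rejected, and the FS should only accept a registration whose reported facet appears in the trusted-facets list the RP web server publishes. The following is an added example written for this thread, not code from the FIDO specification or from any FIDO server product. The trusted-facets document shape (a version object plus a list of facet ids) follows the FIDO UAF AppID and Facet Specification; the facet ids themselves, the RP identifiers, the shared secret, the `X-RP-*` header names and the HMAC request-signing scheme are all assumptions chosen for illustration (the spec does not mandate how the RP identifies itself; mutual TLS would be an equally valid choice).

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample of the trusted-facets document the RP web server would
# serve at the AppID URL. Shape follows the UAF AppID and Facet spec; the
# ids are made up for this example.
TRUSTED_FACETS_DOC = {
    "trustedFacets": [
        {
            "version": {"major": 1, "minor": 0},
            "ids": [
                "https://www.example-rp.com",
                "android:apk-key-hash:CONSTRUCTED_KEY_HASH_PLACEHOLDER",
            ],
        }
    ]
}

# Constructed pre-shared keys, one per RP front end allowed to call the FS.
# The spec does not mandate how the RP identifies itself; an HMAC over the
# request with a pre-shared key is the design assumed here.
RP_KEYS = {"rp-web-001": b"constructed-shared-secret-for-rp-web-001"}


def normalize_facet_id(facet_id):
    """Web facets are origins: reduce an https URL to https://host[:port].
    Non-web facets (android:..., ios:...) are compared verbatim."""
    if not facet_id.startswith("https://"):
        return facet_id
    parsed = urlparse(facet_id)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    return "https://" + parsed.netloc.lower()


def trusted_facet_ids(doc, major=1, minor=0):
    """Collect the normalized facet ids listed for the given UAF version."""
    ids = set()
    for entry in doc.get("trustedFacets", []):
        version = entry.get("version", {})
        if version.get("major") == major and version.get("minor") == minor:
            for fid in entry.get("ids", []):
                norm = normalize_facet_id(fid)
                if norm:
                    ids.add(norm)
    return ids


def facet_is_trusted(facet_id, doc=TRUSTED_FACETS_DOC):
    """True only when the presented facet id matches an entry of the list."""
    if not isinstance(facet_id, str):
        return False
    norm = normalize_facet_id(facet_id)
    return norm is not None and norm in trusted_facet_ids(doc)


def sign_rp_request(rp_id, method, path, timestamp, body):
    """RP side: HMAC-SHA256 over method, path, timestamp and the raw body."""
    message = f"{method}\n{path}\n{timestamp}\n".encode() + body
    return hmac.new(RP_KEYS[rp_id], message, hashlib.sha256).hexdigest()


def make_rp_headers(rp_id, body, timestamp):
    """RP side: the assumed headers that carry identity, freshness and signature."""
    sig = sign_rp_request(rp_id, "POST", "/uaf/register", timestamp, body)
    return {"X-RP-Id": rp_id, "X-RP-Timestamp": str(timestamp), "X-RP-Signature": sig}


def verify_rp_request(headers, method, path, body, now, max_skew=300):
    """FS side: known RP, fresh timestamp, signature over exactly what arrived.
    Returns (ok, reason-or-rp_id)."""
    rp_id = headers.get("X-RP-Id", "")
    if rp_id not in RP_KEYS:
        return False, "unknown RP"
    try:
        timestamp = int(headers.get("X-RP-Timestamp", ""))
    except ValueError:
        return False, "missing or malformed timestamp"
    if abs(now - timestamp) > max_skew:
        return False, "stale request"
    expected = sign_rp_request(rp_id, method, path, timestamp, body)
    if not hmac.compare_digest(expected, headers.get("X-RP-Signature", "")):
        return False, "bad signature"
    return True, rp_id


def handle_registration(headers, body, now):
    """FS gate for a registration response forwarded by the RP: authenticate
    the RP first, then check the facet the client reported."""
    ok, info = verify_rp_request(headers, "POST", "/uaf/register", body, now)
    if not ok:
        return {"accepted": False, "reason": info}
    try:
        payload = json.loads(body)
    except ValueError:
        return {"accepted": False, "reason": "malformed body"}
    facet = payload.get("facetID")
    if not facet_is_trusted(facet):
        return {"accepted": False, "reason": "untrusted facet"}
    return {"accepted": True, "rp": info, "facet": normalize_facet_id(facet)}
```

The RP check runs before the body is even parsed, so an unauthenticated caller never reaches the facet logic, and the signature covers the raw body, so a forwarded registration cannot be altered in transit between RP and FS even if the TLS hop is terminated by a proxy. Web facet ids are reduced to their origin before comparison, which is what the facet list actually names; non-web facets are compared verbatim.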

Toufiq Mahmud

Oct 21, 2015, 12:22:51 AM
to FIDO Dev (fido-dev)
Hi Loic,

Thanks for your reply. Now my query is almost clear. I'm planning for REST APIs and SSL for the transport layer. Now I will design the server architecture.

Thanks again.

Regards,

Toufiq Mahmud
Kona Software Lab Ltd.