FIDO2 token metadata (Yubikey, Octatco)


Au Yong Jin Yoo

Oct 10, 2019, 5:50:05 AM
to FIDO Dev (fido-dev)
Hi All,

I am currently developing a FIDO2 server for an internal system; at the current stage I have developed a WebAuthn demo to test the backend API. For testing purposes, we have purchased a few FIDO2 tokens from different brands:
 - yubikey 5 nfc
 - ezfinger 2
 - solokeys
 - FT bio pass

I understand that to use a token, we need to import the token metadata from FIDO MDS2. I have fetched the TOC file and extracted the JWT token, then, based on the URLs, fetched all the metadata registered under MDS2. But I am still having issues in my testing with the purchased tokens.
So far I have only managed to use the FT bio pass; when I try the yubikey 6 and ezfinger 2, I get an error on certificate verification. So the root cause is that my FIDO2 server does not have the metadata info for the yubikey and ezfinger.

May I know how I am supposed to get the metadata? Or have I understood it the wrong way?

I really need help on this. Thanks in advance.

Alex Seigler

Oct 10, 2019, 6:22:34 AM
to Au Yong Jin Yoo, FIDO Dev (fido-dev)
It is not required and so not all vendors choose to list their products in the MDS2 database. In that case you must get the data from the vendor directly. For example Yubico publishes their root here: https://developers.yubico.com/U2F/yubico-u2f-ca-certs.txt and SoloKeys publishes a metadata statement here: https://raw.githubusercontent.com/solokeys/solo/master/metadata/Solo-FIDO2-CTAP2-Authenticator.json.

-aseigler


Au Yong Jin Yoo

Oct 10, 2019, 6:32:30 AM
to FIDO Dev (fido-dev), auyong...@gmail.com
Hi Alex,

I understand it is not mandatory to list in the MDS2 db. I was able to get the solokeys one as well.

For the yubikey, it was not a metadata statement like what I get from MDS2. Do you mind sharing how it can be converted to a standard metadata statement, with the aaguid, etc.?

Sorry to ask a dumb question, I'm new to FIDO2 and trying to understand as much as I can. Thanks.
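
Added example (not part of either post, and not Yubico's or the FIDO Alliance's code): one way a relying party can hold MDS2 metadata statements and vendor-published PEM roots, as described in the reply above, in a single store keyed by AAGUID. The class and function names, the AAGUIDs and the certificate bytes are constructed placeholders; the AAGUID attached to a PEM-only vendor root is assumed to be one the server operator has confirmed for that model.

```python
import base64, re, uuid

def normalize_aaguid(value):
    # AAGUID is 16 raw bytes in authenticator data, a string in metadata statements.
    if isinstance(value, (bytes, bytearray)):
        return str(uuid.UUID(bytes=bytes(value)))
    return str(uuid.UUID(value))

def pem_to_root_list(pem_text):
    # attestationRootCertificates holds base64 DER, without PEM armor or line breaks.
    bodies = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    if not bodies:
        raise ValueError("no certificate found in PEM text")
    ders = [base64.b64decode("".join(b.split()), validate=True) for b in bodies]
    return [base64.b64encode(d).decode("ascii") for d in ders]

class TrustStore:
    def __init__(self):
        self._roots = {}  # normalized aaguid -> list of base64 DER roots

    def add_statement(self, statement):
        roots = statement.get("attestationRootCertificates") or []
        if not roots:
            raise ValueError("statement carries no attestation roots")
        known = self._roots.setdefault(normalize_aaguid(statement["aaguid"]), [])
        for root in roots:
            if root not in known:
                known.append(root)

    def add_vendor_pem(self, aaguid, pem_text):
        # Local record built by the relying party: only load PEM text that was
        # fetched from the vendor over an authenticated channel.
        self.add_statement({"aaguid": normalize_aaguid(aaguid),
                            "attestationRootCertificates": pem_to_root_list(pem_text)})

    def roots_for(self, aaguid):
        # None means "no metadata": reject or treat as unattested, never trust-all.
        roots = self._roots.get(normalize_aaguid(aaguid))
        return None if roots is None else [base64.b64decode(r) for r in roots]

# Constructed sample data: placeholder bytes, not real certificates or AAGUIDs.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
            + "\n-----END CERTIFICATE-----\n")
MDS_STYLE = {"aaguid": "11111111-2222-3333-4444-555555555555",
             "attestationRootCertificates": [base64.b64encode(b"\x30\x00").decode()]}
VENDOR_AAGUID = bytes(range(16))

def build_demo_store():
    store = TrustStore()
    store.add_statement(MDS_STYLE)
    store.add_vendor_pem(VENDOR_AAGUID, FAKE_PEM)
    return store
```

The DER bytes returned by `roots_for` are what the server's certificate-chain validation would use as trust anchors for that authenticator model.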

Alex Seigler

Oct 10, 2019, 7:01:04 AM
to Au Yong Jin Yoo, FIDO Dev (fido-dev), auyong...@gmail.com