FIDO2 Conformance Test for exclude list


YoHidden

Jul 12, 2024, 9:27:04 AM
to FIDO Dev (fido-dev)
Hi,

I'm implementing a FIDO2 authenticator in a smartcard. It works OK against various authentication websites, and now I am running the Conformance Test tools supplied by the FIDO Alliance.

To make more efficient use of the internal resources, the device is set up to use non-discoverable credentials and not to maintain any state. Also, a random element has been added to the making of the credential ID, so even with the same input parameters the generated credential ID will be different.

However, when running the Conformance Test tool, it generates the following attempt:

F-7 [TODO] Send CTAP2 authenticatorMakeCredential(0x01) message, with "excludeList" that contains "PublicKeyCredentialDescriptor" with "id" set to the ID of the previously registered authenticator, wait for the response, and check that Authenticator returns an error

If the device is not using discoverable credentials, does this test make any sense? Since the device is not keeping any state about the non-discoverable credentials it generated, there's no way for it to detect a previously generated credential for a certain site. What am I missing here?

And, if I'm correct in this... how can I bypass this test in order to run conformance successfully?

Thanks in advance for any light you may bring to me for this.

Paul Heim

Jul 12, 2024, 10:02:24 AM
to YoHidden, FIDO Dev (fido-dev), [Certification] Conformance Tools ISSUES Group
Hi,

FIDO Certification will follow up on this inquiry soon.

Thank you,

Paul

Paul Heim | Certification Director | FIDO Alliance

T: +1 623-200-3994

pa...@fidoalliance.org | www.fidoalliance.org


Just Niko

Jul 12, 2024, 12:12:04 PM
to Paul Heim, YoHidden, FIDO Dev (fido-dev), [Certification] Conformance Tools ISSUES Group

Illia Irachek

Jul 12, 2024, 2:52:47 PM
to FIDO Dev (fido-dev), Just Niko, YoHidden, FIDO Dev (fido-dev), [Certification] Conformance Tools ISSUES Group, Paul Heim
Hi,

The F-7 test doesn't relate to discoverable credentials, since it doesn't utilize the rk option. Rather, it depends on the use of the excludeList (0x05) parameter for non-discoverable credentials, which is one of the essential features of the MakeCred command.

The excludeList parameter allows relying parties to avoid creating duplicate credentials for the service if one was already created on that authenticator. This is achieved by sending an array of PublicKeyCredentialDescriptor, which is essentially the same data that is used in the allowList (0x03) for GetAssertion when working with non-discoverable credentials.

Given that, if your implementation can perform attestation for non-discoverable credentials with the allowList, I believe it should be possible to do the same for MakeCred's excludeList.

Regards,
Illia

YoHidden

5:51 AM
to FIDO Dev (fido-dev), Illia Irachek, Just Niko, YoHidden, FIDO Dev (fido-dev), [Certification] Conformance Tools ISSUES Group, Paul Heim
OK, I get this now. Although the device is not storing any information about previously generated credentials, it can attest whether a credential received in the excludeList was generated by this particular device for this particular relying party, so it can avoid duplicates.

Now I've been successful in this section of the Conformance Test tool.

Thanks Illia.
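The mechanism Illia describes and YoHidden confirms (a stateless authenticator recognising its own non-discoverable credentials from the excludeList, exactly as it does from the allowList) is shown below as an added example. This is editor-written code, not from any poster in the thread and not any vendor's firmware. It assumes a hypothetical credential ID layout, `nonce || HMAC-SHA256(device_secret, rpIdHash || nonce)`, a hypothetical `StatelessAuthenticator` class, and a `f7_scenario` helper that replays the F-7 flow; the CTAP2 status codes and the rpIdHash definition are the spec's own.

```python
import hashlib
import hmac
import secrets

# CTAP2 status codes (values as defined in the CTAP2 specification)
CTAP2_OK = 0x00
CTAP2_ERR_CREDENTIAL_EXCLUDED = 0x19
CTAP2_ERR_NO_CREDENTIALS = 0x2E

NONCE_LEN = 32  # random part of the credential ID (hypothetical layout for this example)
TAG_LEN = 32    # HMAC-SHA256 tag over (rpIdHash || nonce)


def rp_id_hash(rp_id: str) -> bytes:
    """rpIdHash as CTAP2 defines it: SHA-256 of the UTF-8 encoded RP ID."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest()


class StatelessAuthenticator:
    """Non-discoverable-credential authenticator that stores nothing per credential.

    Credential ID layout (an assumption for this example, not mandated by the spec):
        credentialId = nonce || HMAC-SHA256(device_secret, rpIdHash || nonce)
    Because the tag binds the nonce to the RP and to this device's secret, the
    device can later recognise its own credential IDs, for this RP only, without
    keeping any record of having issued them.
    """

    def __init__(self, device_secret: bytes) -> None:
        self._secret = device_secret  # never leaves the device

    def _tag(self, rp_hash: bytes, nonce: bytes) -> bytes:
        return hmac.new(self._secret, b"credid" + rp_hash + nonce, hashlib.sha256).digest()

    def _private_seed(self, rp_hash: bytes, nonce: bytes) -> bytes:
        # Stand-in for the per-credential signing key: a real device would feed this
        # into its ECC key derivation. Shown only to make clear why no state is needed.
        return hmac.new(self._secret, b"privkey" + rp_hash + nonce, hashlib.sha256).digest()

    def _is_our_credential(self, rp_id: str, cred_id: bytes) -> bool:
        """True only if cred_id was minted by this device for this RP."""
        if len(cred_id) != NONCE_LEN + TAG_LEN:
            return False
        nonce, tag = cred_id[:NONCE_LEN], cred_id[NONCE_LEN:]
        expected = self._tag(rp_id_hash(rp_id), nonce)
        return hmac.compare_digest(tag, expected)  # constant-time comparison

    def make_credential(self, rp_id: str, exclude_list=()):
        """authenticatorMakeCredential(0x01) with the excludeList (0x05) check.

        Returns (status, credentialId). The user-presence test CTAP2 requires before
        reporting an excluded credential is omitted to keep the example focused.
        """
        for desc in exclude_list:
            if desc.get("type") == "public-key" and self._is_our_credential(rp_id, desc["id"]):
                return CTAP2_ERR_CREDENTIAL_EXCLUDED, None
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce: same inputs, different ID
        return CTAP2_OK, nonce + self._tag(rp_id_hash(rp_id), nonce)

    def get_assertion(self, rp_id: str, allow_list):
        """authenticatorGetAssertion(0x02): the same recognition logic, driven by allowList (0x03)."""
        for desc in allow_list:
            if desc.get("type") == "public-key" and self._is_our_credential(rp_id, desc["id"]):
                nonce = desc["id"][:NONCE_LEN]
                seed = self._private_seed(rp_id_hash(rp_id), nonce)
                return CTAP2_OK, seed  # a real device would sign clientDataHash with the derived key
        return CTAP2_ERR_NO_CREDENTIALS, None


def f7_scenario(authenticator: StatelessAuthenticator, rp_id: str = "example.com") -> int:
    """Replays the F-7 flow: register once, then MakeCredential with that ID in the excludeList."""
    status, cred_id = authenticator.make_credential(rp_id)
    if status != CTAP2_OK:
        return status
    second_status, _ = authenticator.make_credential(
        rp_id, exclude_list=[{"type": "public-key", "id": cred_id}])
    return second_status


if __name__ == "__main__":
    dev = StatelessAuthenticator(secrets.token_bytes(32))  # constructed device secret
    print(hex(f7_scenario(dev)))  # 0x19: CTAP2_ERR_CREDENTIAL_EXCLUDED
```

The check deliberately uses `hmac.compare_digest`: an attacker who can submit arbitrary IDs in an excludeList or allowList is probing the device's recogniser, and a timing leak on the tag comparison would let them forge "our" credential IDs byte by byte. Note also that an ID minted for one RP is not excluded on another, and that a second device with a different secret does not recognise the first device's IDs, which is exactly the behaviour F-7 relies on.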