I heard the Metadata Service is now available for U2F in a beta launch, but I'm confused by the Metadata Statement spec. I have some questions, as below.

1. Is each Metadata Statement only for a single authenticator model? What about a different housing with a different appearance (a different icon) but using the same circuit design?

2. If the same authenticator model has an individual attestation certificate for each piece of hardware, there would be infinitely many attestationCertificateKeyIdentifiers in the Metadata Statement. How do we compose this type of Metadata Statement?

3. If we change the attestation certificate later for this type of authenticator, can I update the Metadata Statement at https://mymds.fidoalliance.org/ ?

4. If we change the root certificate, can I use multiple attestationRootCertificates and add multiple attestationCertificateKeyIdentifiers from different issuers for this single authenticator?

Best Regards,
Skybird Le
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/189ad800-8121-4e7d-981f-159af4b282ec%40fidoalliance.org.
Rolf Lindemann
Nok Nok Labs Inc., 2100 Geng Road, Suite 105, Palo Alto, CA 94303, T +1 650 433 1300, in...@noknok.com
Hi Geoffrey,
I am not sure I understand what differences the PCBs could have if *all* electronic elements (all CPUs, FPGAs, other ICs, etc.) are the same.
Let me give two examples:
a) Authenticator A using a traditional microcontroller and Authenticator B using a smart CPU with substantial physical protection measures and Common Criteria evaluation, both supporting the same instruction set and running the same software (i.e. firmware).
b) Authenticator A using a microcontroller manufactured by company "a" and Authenticator B using a microcontroller manufactured by company "b", both supporting the same instruction set and running the same software (i.e. firmware).
In case b), I would think Authenticator A and B would be treated as being of the same model.
In case a), you might want to treat them as two different authenticator models, since the security characteristics differ substantially and you might want to advertise one model with the enhanced security. So you might want to use different Metadata Statements.
Note: in addition there is also the notion of derivative certification. This allows simplified certification of a new authenticator model being similar (but not identical) to another already certified authenticator model.
Please see https://fidoalliance.org/certification/conformance-self%e2%80%90validation-testing/ for more details.
Kind regards,
Rolf
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/48c4bc30-7d94-4971-9f68-dfea8698afd1%40fidoalliance.org.