JanssenProject / jans

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer-friendly components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO
https://docs.jans.io
Apache License 2.0

Use MDS 3.0 version to download metadata TOC blob for fido2 server implementation #242

Open maduvena opened 3 years ago

maduvena commented 3 years ago

Details here - https://fidoalliance.org/metadata/

No need for authorization. There is no need to download individual metadata anymore. The new MDS3 BLOB contains ALL metadata statements in one JSON.

We just need to download it at first run (or at install time), and re-download it when it expires (date specified in the JWT).
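Added example (not Janssen's code) of the policy layer this comment describes, in Python: decoding the MDS3 BLOB payload from its compact JWT form, deciding from `nextUpdate` when to re-download, resolving each entry's current status from its `statusReports`, and deciding whether an authenticator with a given AAGUID is acceptable. The sample payload, the AAGUIDs, the `REJECT_STATUSES` policy set and the `mds_required` flag are constructed here for illustration. JWS signature verification against the FIDO MDS root (via the header's `x5c` chain) is assumed to have been done by the caller and is not shown; only the header shape is checked.

```python
import base64
import json
from datetime import date
from typing import Optional

# Statuses from the MDS3 StatusReport enumeration that this example treats as
# disqualifying; which of these an RP rejects is a policy choice (assumption).
REJECT_STATUSES = {
    "USER_VERIFICATION_BYPASS",
    "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE",
    "USER_KEY_PHYSICAL_COMPROMISE",
    "REVOKED",
}


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def blob_payload(jwt: str) -> dict:
    """Decode the MDS3 BLOB payload from its compact JWS form.

    Precondition: the caller has verified the JWS signature using the header's
    x5c chain anchored at the FIDO MDS root. Only the header shape is checked
    here, so an unsigned ("alg": "none") token is refused up front.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256" or not header.get("x5c"):
        raise ValueError("unexpected JWS header for an MDS3 BLOB")
    return json.loads(_b64url_decode(parts[1]))


def refresh_due(payload: dict, today: date) -> bool:
    """True once the cached BLOB reaches its nextUpdate date (YYYY-MM-DD)."""
    return date.fromisoformat(payload["nextUpdate"]) <= today


def current_status(entry: dict) -> Optional[str]:
    """The status in force is the report with the latest effectiveDate."""
    reports = entry.get("statusReports") or []
    if not reports:
        return None
    return max(reports, key=lambda r: r.get("effectiveDate", ""))["status"]


def find_entry(payload: dict, aaguid: str) -> Optional[dict]:
    for entry in payload.get("entries", []):
        if entry.get("aaguid", "").lower() == aaguid.lower():
            return entry
    return None


def authenticator_allowed(payload: dict, aaguid: str, mds_required: bool = True) -> bool:
    """Decide whether an authenticator with this AAGUID may be accepted.

    mds_required=False models the 'make MDS optional' sub-task: an AAGUID with
    no metadata entry is allowed through instead of being rejected.
    """
    entry = find_entry(payload, aaguid)
    if entry is None:
        return not mds_required
    return current_status(entry) not in REJECT_STATUSES


# Constructed sample payload (not a real FIDO publication; AAGUIDs are made up).
GOOD, COMPROMISED, UNKNOWN = (
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
    "33333333-3333-3333-3333-333333333333",
)
SAMPLE_PAYLOAD = {
    "no": 1,
    "nextUpdate": "2024-03-01",
    "entries": [
        {"aaguid": GOOD,
         "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2021-05-01"}]},
        {"aaguid": COMPROMISED,
         "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-01-15"},
                           {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2023-09-30"}]},
    ],
}


def sample_jwt() -> str:
    """Compact JWS carrying SAMPLE_PAYLOAD; the x5c and signature segments are
    placeholders because signature verification is outside this example."""
    seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "x5c": ["placeholder-leaf-cert"]}
    return ".".join([seg(header), seg(SAMPLE_PAYLOAD), "placeholder-signature"])


def demo() -> dict:
    """Run the checks an RP would make on first load and at registration time."""
    payload = blob_payload(sample_jwt())
    return {
        "refresh_due_before": refresh_due(payload, date(2024, 2, 28)),
        "refresh_due_on": refresh_due(payload, date(2024, 3, 1)),
        "good": authenticator_allowed(payload, GOOD),
        "compromised": authenticator_allowed(payload, COMPROMISED),
        "unknown_required": authenticator_allowed(payload, UNKNOWN),
        "unknown_optional": authenticator_allowed(payload, UNKNOWN, mds_required=False),
    }
```

Calling `demo()` shows the three outcomes that matter operationally: the cached BLOB is still valid the day before `nextUpdate` and due for re-download on that date; an authenticator whose latest status report is `ATTESTATION_KEY_COMPROMISE` is rejected even though an older report says it was certified; and an AAGUID absent from the BLOB is rejected or accepted depending only on whether MDS is configured as required.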

maduvena commented 2 years ago

Sub-task

Milton-Ch commented 1 year ago

Sub-tasks

  • [x] feat(jans-fido2) : All authenticators listed in rogueList and rogueListHash in metadata blob - MUST be ignored by FIDO server
  • [x] feat(jans-fido2) : FIDO server MUST ignore all authenticators with invalid status - StatusReport in metadata blob has status field
  • [ ] Support for ED256 - currently the JOSE library doesn't support it; see https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html, section 3.9 of that document
  • [x] feat(jans-fido2) : CRL check for all authenticators
  • [ ] feat(jans-fido2) : Make MDS and attestation optional

We have done an analysis of sub-task 1; for now it is not necessary to implement it, for the following reasons:

yurem commented 1 year ago

I agree with @Milton-Ch about this. Also, I think this part might be kept for compatibility reasons in MDS 3. I found some notes about rogueList in very old UAF documentation: https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/FIDO-UAF-COMPLETE-v1.1-id-20170202.pdf which was just copied to the MDS 3.0 spec without adding any additional description.

yackermann commented 4 weeks ago

rogueList can be ignored, as it is for legacy ECDAA attestation, and was never implemented.