Open yackermann opened 1 month ago
[TODO]
These 2 folders Fido2 uses for device root certs:
Deprecate mdsCertsFolder
Deprecate authenticatorCertsFolder
Should we deprecate the functionality related to these folders, or is there a replacement for this?
There should not be a separate folder for device roots. All checks must be done against metadata. @yurem
This is the right approach. But how do we handle the edge cases where a device is not in the MDS3 list yet? For example, we also need to add SG roots.
@yurem standard metadata will have the device root.
Configuration refactoring

- `mdsCertsFolder`
- `mdsTocsFolder`
- `authenticatorCertsFolder`
- `metadataUrlsProvider` with `metadataServers`: `[{"url": "https://mds.fidoalliance.org/", "certificate": "...base64 of certificate..."}]`
- `metadataRefreshInterval`, to allow adjustment of when metadata is refreshed
- `userAutoEnrollment` to `debugUserAutoEnrollment`
- `requestedCredentialTypes` to `enabledFidoAlgorithms`
- `skipDownloadMdsEnabled` to `disableMetadataService`
- `"disabled"` means attestation `"none"`; `"monitor"` means attestation `"direct"` but still accept if none is returned; `"enforced"` means that credential creation will fail if attestation is not returned
- `assertionOptionsGenerateEndpointEnabled`
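The following is an added example, not code from the issue or from the Fido2 server it discusses. It models the two settings from the refactoring list that carry behaviour: the three attestation modes (`disabled`, `monitor`, `enforced`) as they affect the `attestationConveyancePreference` sent at options time and the accept/reject decision at registration time, and a validator for the proposed `metadataServers` entry format (`url` plus base64 `certificate`). The function and class names (`conveyance_for_mode`, `accept_attestation`, `parse_metadata_servers`, `MetadataServer`) are assumptions for illustration, as is the rule that in `monitor` mode an attestation that was returned but fails verification is rejected; the sample config and its "certificate" are constructed placeholders, not a real MDS root.

```python
"""Attestation-mode policy and metadataServers validation (added example).

Nothing here is the project's own code; names are illustrative assumptions.
"""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass

# Modes as described in the issue: disabled -> request "none";
# monitor -> request "direct" but accept if none comes back;
# enforced -> registration fails if no attestation is returned.
MODES = ("disabled", "monitor", "enforced")


def conveyance_for_mode(mode: str) -> str:
    """attestationConveyancePreference to put in the registration options."""
    if mode not in MODES:
        raise ValueError(f"unknown attestation mode: {mode!r}")
    return "none" if mode == "disabled" else "direct"


def accept_attestation(mode: str, fmt: str, verified: bool) -> bool:
    """Registration-time decision.

    fmt      -- the 'fmt' field of the attestationObject ("none" when the
                client stripped or the authenticator gave no attestation)
    verified -- whether the attestation statement chained to a metadata root
                (ignored when fmt == "none")
    """
    if mode not in MODES:
        raise ValueError(f"unknown attestation mode: {mode!r}")
    if mode == "disabled":
        return True  # attestation is not evaluated at all
    if fmt == "none":
        # The edge case from the issue: monitor tolerates a missing
        # attestation, enforced does not.
        return mode == "monitor"
    # Assumption: an attestation that was returned must verify in both
    # monitor and enforced mode; a forged statement is never "acceptable".
    return verified


@dataclass(frozen=True)
class MetadataServer:
    url: str
    certificate: bytes  # DER-encoded root used to verify the MDS blob


def parse_metadata_servers(raw: str) -> list[MetadataServer]:
    """Validate the proposed metadataServers JSON list."""
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("metadataServers must be a JSON list")
    servers = []
    for entry in entries:
        url = entry["url"]
        if not url.startswith("https://"):
            raise ValueError(f"metadata server URL must use https: {url!r}")
        # validate=True rejects stray characters instead of silently dropping them
        der = base64.b64decode(entry["certificate"], validate=True)
        # A DER certificate is an ASN.1 SEQUENCE, so the first byte is 0x30.
        if not der or der[0] != 0x30:
            raise ValueError("certificate is not DER-encoded (expected SEQUENCE)")
        servers.append(MetadataServer(url=url, certificate=der))
    return servers


# Constructed sample config; "MAMCAQE=" is a minimal ASN.1 SEQUENCE placeholder,
# not a real certificate.
SAMPLE_CONFIG = json.dumps(
    [{"url": "https://mds.fidoalliance.org/", "certificate": "MAMCAQE="}]
)

if __name__ == "__main__":
    for mode in MODES:
        print(mode, "->", conveyance_for_mode(mode),
              "| none returned accepted:", accept_attestation(mode, "none", False))
    for s in parse_metadata_servers(SAMPLE_CONFIG):
        print(s.url, len(s.certificate), "DER bytes")
```

The validator fails closed on a plain-`http` URL and on a certificate that is not base64 DER, which is what you want for a setting that decides which roots are trusted for the whole metadata feed.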