UAF1.1 Server-Reg-Resp-4/F-8 FinalChallengeParams.channelBinding empty Dictionary: valid or not?

[purrema1]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

• [X] I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• [ ] FIDO2 Server
• [ ] CTAP2.0
• [ ] CTAP2.1
• [X] UAF 1.1
• [ ] U2F 1.1
• [ ] U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• [ ] Security Key / FIDO2 / U2F authenticators
• [X] Server
• [ ] UAF Client-ASM-Authenticator combo
• [ ] UAF Client
• [ ] UAF ASM-Authenticator

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

v1.6.37

What is the OS and the version are you running?

For desktop tools

• [ ] OSX
• [X] Windows
• [ ] Linux

For UAF mobile tools

• [ ] iOS
• [ ] Android

Issue description

UAF 1.1 Server test scenario: 'Server-Reg-Resp-4/F-8 FinalChallengeParams.channelBinding is empty Dictionary' expects that a channelBinding = {} is refused by the server, but from the standard its a valid setting in case no channel bindings are defined. Actually the conformance tool itself uses channelbinding = {} for some 'positive' registration test scenarios.

This is somehow not consistent; perhaps you can remove this test scenario: 'Server-Reg-Resp-4/F-8 FinalChallengeParams.channelBinding is empty Dictionary' from the tool.

Regards, Manfred

[yackermann]

Yes. All fields in the channelBindings are optional. So if authenticator does not support channelBinding it will return empty dictionary