fido-alliance / conformance-test-tools-resources

Certification Test Tools Resources. For security and privacy related issues email tools@certification.fidoalliance.org
https://fidoalliance.org/certification/functional-certification/conformance/

nextUpdate field of mds3 blobs from https://mds3.fido.tools/ are not ISO8601 compliant #742

Closed dayasakti-2020 closed 6 months ago

dayasakti-2020 commented 7 months ago

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email conformance-tools@fidoalliance.org

FIRST PRE CHECK

What protocol are you implementing?

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org

What is the version of the tool are you using?

1.7.17

What is the OS and the version are you running?

For desktop tools

For UAF mobile tools

Issue description

  1. With a web browser, navigate to https://mds3.fido.tools/
  2. Input https://fido2-server.xyz as the value for the Server endpoint
  3. press SUBMIT
  4. It shall display 5 generated MDS3 Endpoints such as the below. Download all MDS3 blobs from the below url
  5. Observe the PAYLOAD section for the nextUpdate value of the decoded MDS3 blob. All of the MDS3 blobs from all the URLs have a nextUpdate value of 2025-00-17. However, according to the MDS3 blob spec, the nextUpdate is a DOMString whose value is an ISO-8601 formatted date when the next update will be provided at latest, and according to ISO-8601, the month numbers should be from 01 to 12. So having 00 as the month value is non-compliant. E.g. from https://mds3.fido.tools/execute/c2f37148764c98bec9d1c1ded96dd988100d7ec6cffdce36309dfa77ee76cb55, the decoded payload looks like this:
    {
      "legalHeader": "By using this test metadata service, you are solemly swear not to do evil!",
      "no": 42,
      "nextUpdate": "2025-00-17",
      "entries": [
        {
          "metadataStatement": {
            "aaguid": "cee19cfd-1a44-4392-8f22-cdd3fbc05766",
            "alternativeDescriptions": {
              "ru-RU": "Виртуальный Secp256R1 CTAP2 аутентификатор для тестирование серверов на соответсвие спецификации FIDO2 cee19cfd-1a44-4392-8f22-cdd3fbc05766"
            },
            "attachmentHint": [
              "external",
              "wired",
              "wireless",
              "nfc"
            ],
            "attestationRootCertificates": [
            ...
            ...

Certain MDS3 blob parsers will validate the value of nextUpdate and check whether it contains an ISO-8601 date format. Please help to resolve the non-conforming nextUpdate value.
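
An added example, not part of the original issue or of the FIDO conformance tools: a strict nextUpdate check of the kind the issue says some MDS3 blob parsers perform, narrowed to the YYYY-MM-DD calendar form shown in the payload above. The function names, the "ok"/"stale"/"invalid" classification and the unsigned sample blob are constructed for illustration, and signature verification is assumed to happen before this step.

```python
import base64
import json
import re
from datetime import date

# Calendar-date form YYYY-MM-DD only (assumption: the form used on this page).
_DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")


def parse_next_update(value):
    """Return a datetime.date, or raise ValueError for a malformed date."""
    if not isinstance(value, str) or not _DATE_RE.fullmatch(value):
        raise ValueError(f"nextUpdate is not YYYY-MM-DD: {value!r}")
    year, month, day = (int(part) for part in value.split("-"))
    # date() rejects month 00, day 00, February 30 and similar values.
    return date(year, month, day)


def decode_payload(blob):
    """Decode the payload segment of a compact JWS (header.payload.signature)."""
    # Signature and certificate-chain checks are out of scope for this example.
    parts = blob.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWS segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    return payload


def check_blob(blob, today):
    """Classify a blob as 'ok', 'stale' or 'invalid' by its nextUpdate."""
    try:
        next_update = parse_next_update(decode_payload(blob).get("nextUpdate"))
    except ValueError:  # also covers bad base64 and bad JSON
        return "invalid"
    return "ok" if next_update >= today else "stale"


def make_sample_blob(next_update):
    """Build a constructed, unsigned sample blob for this example only."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"no": 42, "nextUpdate": next_update, "entries": []}
    return ".".join([b64({"alg": "ES256"}), b64(payload), "c2ln"])
```

A parser built this way returns "invalid" for the 2025-00-17 value reported here, which is why a strict relying party cannot consume the test blobs until the date is corrected.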

iirachek commented 6 months ago

Fixed.