Enhancing the test suite to verify that the assertion returns an error when different users use the same challenge could be beneficial.
After passing the certification testing tools with 100% accuracy on all the test suite, we identified that a false positive might be possible in the FIDO2 Interop tests.
The test case is as follows:
Register two users by performing a MakeCredential with RK (USER1, USER2).
Perform a GetAssertion with RK:
2.1. Perform a POST assertion/options request with USER1.
2.2. Perform a POST assertion/result request with USER2.
If the server does not handle the challenges correctly, the test result may be a false positive. It would be beneficial to include a test in the certification testing tool to check this behavior.
By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.
If you have privacy concerns, please email conformance-tools@fidoalliance.org
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
v1.7.19-1
What is the OS and the version are you running?
For desktop tools
For UAF mobile tools
Issue description
Enhancing the test suite to verify that the assertion returns an error when different users use the same challenge could be beneficial.
After passing the certification testing tools with 100% accuracy on all the test suite, we identified that a false positive might be possible in the FIDO2 Interop tests.
The test case is as follows:
POST assertion/options
request with USER1. 2.2. Perform aPOST assertion/result
request with USER2.If the server does not handle the challenges correctly, the test result may be a false positive. It would be beneficial to include a test in the certification testing tool to check this behavior.