tanguilp / wax

WebAuthn for Elixir
https://hexdocs.pm/wax_
Apache License 2.0

FIDO2 Metadata #43

Open miguelvillaresb opened 5 months ago

miguelvillaresb commented 5 months ago

What is the difference between the 2 options described in the README for loading FIDO2 Metadata?

I downloaded the metadata from the FIDO test suite client and then I used the option "Loading FIDO2 metadata from a directory". With this option the tests pass.

Does the other option, "Configuring MDSv3 metadata", replace the first one? I tried to pass the tests by loading MDSv3 metadata from the website and removing the local metadata files, but the tests failed. It seems that the aaguid is not found in the downloaded metadata.

Thanks in advance

tanguilp commented 5 months ago

The test suite uses mocked root anchors for testing purposes. Given the architecture of FIDO, it obviously cannot generate genuine real credentials.

MDSv3 is the official repository of root anchors from vendors. Unfortunately, not all vendors publish their certificates in it publicly or in time. Therefore there's another mechanism to load metadata from files. Last time I checked, for instance, Apple didn't publish their metadata in MDSv3.

miguelvillaresb commented 5 months ago

Trying to pass the "Metadata Service Tests", I cannot find a way to tell wax how to download the metadata from the 5 endpoints you get when registering the service with FIDO:

tanguilp commented 5 months ago

These tests don’t apply to wax afaik

miguelvillaresb commented 5 months ago

From my point of view, you already have a way to validate metadata blobs in wax, so wax could include a way to get the endpoints from the domain, iterate over the endpoints and save the blob that passes validation. Was this not included for a specific reason?

tanguilp commented 5 months ago

Haven't dug into these tests, to be honest. Are they fake MDSv3 endpoints to be parsed and tested by a WebAuthn server implementation?

miguelvillaresb commented 5 months ago

I found this https://github.com/fido-alliance/conformance-test-tools-resources/issues/422

It seems that to pass those tests new metadata has to be used. The way to get the metadata is to go through https://mds3.certinfra.fidoalliance.org/ and try the 5 provided endpoints. Only one of the endpoints provides a valid metadata blob. This correct metadata is the one to be used with the tests.

tanguilp commented 4 months ago

Isn't that test for when you provide metadata?

A client implementation such as Wax uses metadata, and doesn't provide it.

tanguilp commented 1 month ago

It's pretty hard to understand what's going on with these MDS tests 🤔

Looks like you need to either have a server on the internet or punch a hole to your laptop: https://groups.google.com/a/fidoalliance.org/g/fido-dev/c/rwbWjBtO220/m/mcBgXEhAAQAJ

I don't have much time to deal with it, but if anyone is interested in taking this issue then it'd be welcome.