Optionally include the Yubico Metadata Service in the relying party configuration. This enables authenticator metadata and allows for trust evaluation of attestation statements.
It is not yet clear where we want to take this in the long term. Having metadata is one thing, but using it is another. However, I will work on finding a way to support it, although it will be disabled by default.
Environment
None
Activity
Philip Smart, March 15, 2024 at 11:00 AM
Added support for Yubico’s metadata service. It is disabled by default. If enabled, for now, this allows:
Verification of authenticator attestations during registration if the attestation statement is requested and supplied by the authenticator.
If the authenticator is not found in the metadata, and/or the X.509 certificates in the attestation statement from the authenticator do not form a trust path to a trust root from the metadata, registration will fail.
This is a separate property: you can enable the metadata and allow untrusted authenticator attestations during registration.
The registration interface will be improved to display the user's authenticator information.
This uses the Yubico metadata service and is not related—at least for now—to the IdP’s metadata handling.