Product Documentation

    FIDO Server now enables the use of the FIDO MetaDataService (MDS) 3.x. SKFS is configured to automatically download FIDO MDS and load it in memory at regular intervals. It is governed by the following properties (shown with default values):

    • The following property defines if MDS should be downloaded and used or not
      skfs.cfg.property.mds.enabled=true
    • The following property defines if a transaction can continue if there is no entry in the MDS service and if the property above is enabled
      skfs.cfg.property.mds.missingaaguid.register
    • This following property defined the URL from where the FIDO Alliance MDS is being downloaded:
      skfs.cfg.property.mds.fidoalliance.loadmethod.url
    • The following property defines the location of the ROOT CA certificate that signed the MDS:
      skfs.cfg.property.mds.fidoalliance.rootca.loadmethod.url

    SKFS attempts to download the MDS every day and checks if there is an update. If there is an update, then it parses the full MDS and loads up all the statements in memory.

    SKFS Policies contain an MDS section that defines authenticator status behaviors:

    "mds": {
      "authenticatorStatusReport": [
      {
        "status": "FIDO_CERTIFIED_L1",
        "priority": "1",
        "decision": "IGNORE"
      },
      {
        "status": "FIDO_CERTIFIED_L2",
        "priority": "1",
        "decision": "ACCEPT"
      },
      {
        "status": "UPDATE_AVAILABLE",
        "priority": "5",
        "decision": "IGNORE"
      },
      {
        "status": "REVOKED",
        "priority": "10",
        "decision": "DENY"
      }]
    }

    When checking, SKFS looks for the authenticator status object from the MDS; based on the status, it will check the current FIDO policy and act accordingly. It can either ignoredeny, or accept the request.

    As of 4.4.3, MDS is only configured to work with packed attestation.

    If there is no entry in the metadata service and the attestation is using Apple format (TouchID/FaceID), how can we determine if the the aaguid was successfully verified or cannot be verified?

    SKFS uses a property to determine whether to just ignore MDS for an aaguid that doesn't exist in the official…

    SKFS uses a property to determine whether to just ignore MDS for an aaguid that doesn't exist in the official FIDO Alliance MDS, or deny those requests. By default the server ignores MDS checks if it doesn't find the aaguid in the official list.

    This is because the MDS is evolving. StrongKey will evolve accordingly.

    Posted 2 years ago
    MetaDataService (MDS) Policy Security Administration

    Is the metadata stored after lookup on MDS in the SKFS database? ...and are we able to request these metadata with, for example, the getKeysInfo endpoint?

    The metadata statement is only stored in memory and not permanently stored in any database. There is no provision to…

    The metadata statement is only stored in memory and not permanently stored in any database. There is no provision to return the MDS in the getKeysinfo web service.

    Posted 2 years ago
    MetaDataService (MDS) Policy Security Administration