You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hi all, I'm reading through as much source and documentation as I can but I'm not understanding the reasoning behind including a hard coded root cert for the Fido metadata service.
I understand the purpose of using the metadata data service to ensure an integrity trust for authenticator devices, but not sure why the cert has to be hard coded?
Is there no concern around certificate expiry or revocation?
Is there an expectation for developers to update this manually?
Apologies if this is a low level question, but I'm trying to understand as much as I can.
Just wondered also if there was any other documentation around these services and what to do if they become unavailable, surely these can't be a single point of failure for so many implementations.
Thanks!
The text was updated successfully, but these errors were encountered:
Hi all, I'm reading through as much source and documentation as I can but I'm not understanding the reasoning behind including a hard coded root cert for the Fido metadata service.
I understand the purpose of using the metadata data service to ensure an integrity trust for authenticator devices, but not sure why the cert has to be hard coded?
Is there no concern around certificate expiry or revocation?
Is there an expectation for developers to update this manually?
Apologies if this is a low level question, but I'm trying to understand as much as I can.
Just wondered also if there was any other documentation around these services and what to do if they become unavailable, surely these can't be a single point of failure for so many implementations.
Thanks!
The text was updated successfully, but these errors were encountered: