Merge pull request #1953 from dwaite/packed-firmware-attribute

SHA: 354a717
Reason: push, by dwaite

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

index.html

@@ -6,7 +6,7 @@
   <meta content="ED" name="w3c-status">
   <meta content="Bikeshed version d765c696b, updated Fri Mar 8 15:58:52 2024 -0800" name="generator">
   <link href="https://www.w3.org/TR/webauthn-3/" rel="canonical">
-  <meta content="09c74bf99b19434c8de01da995dd760ca2a03f05" name="revision">
+  <meta content="354a717d3c49b1e0276d5ee73b096deddbbb47bc" name="revision">
   <meta content="dark light" name="color-scheme">
 <style type="text/css">
 body {
@@ -6161,20 +6161,42 @@ <h4 class="heading settled" data-level="8.2.1" id="sctn-packed-attestation-cert-
 certificate is used for multiple authenticator models, it is suggested that <a data-link-type="dfn" href="#relying-party" id="ref-for-relying-party②⑧⑧">Relying Parties</a> check if the extension
 is present, and if it is, then validate that it contains that same AAGUID as presented in the <a data-link-type="dfn" href="#attestation-object" id="ref-for-attestation-object①⑦">attestation object</a>.</p>
      <p>Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
-Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:</p>
-<pre>30 21                                     -- SEQUENCE
-  06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
-  04 12                                   -- OCTET STRING
-    04 10                                 -- OCTET STRING
-      cd 8c 39 5c 26 ed ee de             -- AAGUID
-      65 3b 00 79 7d 03 ca 3c
-</pre>
+Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid.</p>
     <li data-md>
      <p>The Basic Constraints extension MUST have the CA component set to <code>false</code>.</p>
-    <li data-md>
-     <p>An Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280" title="Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile">[RFC5280]</a> are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
-See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice" title="FIDO Metadata Service">[FIDOMetadataService]</a>.</p>
    </ul>
+   <p>Additionally, an Authority Information Access (AIA) extension with entry <code>id-ad-ocsp</code> and a CRL Distribution Point extension <a data-link-type="biblio" href="#biblio-rfc5280" title="Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile">[RFC5280]</a> are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata
+    services. See, for example, the FIDO Metadata Service <a data-link-type="biblio" href="#biblio-fidometadataservice" title="FIDO Metadata Service">[FIDOMetadataService]</a>.</p>
+   <p>The firmware of a particular authenticator model MAY be differentiated using the Extension OID <code>1.3.6.1.4.1.45724.1.1.5</code> (<code>id-fido-gen-ce-fw-version</code>). When present, this attribute contains an INTEGER with a non-negative value which is incremented for new
+    firmware release versions. The extension MUST NOT be marked as critical.</p>
+   <p>For example, the following is an attestation certificate containing the above extension OIDs as well as required fields:</p>
+<pre class="language-pem highlight"><c- c>-----BEGIN</c-> <c- c>CERTIFICATE-----</c-> <c- c>&lt;!--</c-> <c- c>bikeshed</c-> <c- c>emdash</c-> <c- c>workaround</c-> <c- c>--></c->
+<c- c>MIIBzTCCAXOgAwIBAgIUYHS3FJEL/JTfFqafuAHvlAS+hDYwCgYIKoZIzj0EAwIw</c->
+<c- c>QTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1dlYkF1dGhuIFdHMRwwGgYDVQQDDBNF</c->
+<c- c>eGFtcGxlIEF0dGVzdGF0aW9uMCAXDTI0MDEwMzE3NDUyMVoYDzIwNTAwMTA2MTc0</c->
+<c- c>NTIxWjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLV2ViQXV0aG4gV0cxHDAaBgNV</c->
+<c- c>BAMME0V4YW1wbGUgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC</c->
+<c- c>AATDQN9uaFFH4BKBjthHTM1drpb7gIuPod67qyF6UdL4qah6XUp6tE7Prl+DfQ7P</c->
+<c- c>YH9yMOOcci3nr+Q/jOBaWVERo0cwRTAhBgsrBgEEAYLlHAEBBAQSBBDNjDlcJu3u</c->
+<c- c>3mU7AHl9A8o8MBIGCysGAQQBguUcAQEFBAMCASowDAYDVR0TAQH/BAIwADAKBggq</c->
+<c- c>hkjOPQQDAgNIADBFAiA3k3aAUVtLhDHLXOgY2kRnK2hrbRgf2EKdTDLJ1Ds/RAIh</c->
+<c- c>AOmIblhI3ALCHOaO0IO7YlMpw/lSTvFYv3qwO3m7H8Dc</c->
+<c- c>-----END</c-> <c- c>CERTIFICATE-----</c-> <c- c>&lt;!--</c-> <c- c>bikeshed</c-> <c- c>emdash</c-> <c- c>workaround</c-> <c- c>--></c->
+</pre>
+   <p>The attributes above are structured within this certificate as such:</p>
+<pre class="language-text highlight">30 21                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 04 -- OID 1.3.6.1.4.1.45724.1.1.4
+  04 12                                  -- OCTET STRING
+    04  10                               -- OCTET STRING
+      CD 8C 39 5C 26 ED EE DE            -- AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c
+      65 3B 00 79 7D 03 CA 3C 
+
+30 12                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 05 -- OID 1.3.6.1.4.1.45724.1.1.5
+  04 03                                  -- OCTET STRING
+    02 01                                -- INTEGER
+      2A                                 -- Firmware version: 42
+</pre>
    <h3 class="heading settled" data-level="8.3" id="sctn-tpm-attestation"><span class="secno">8.3. </span><span class="content">TPM Attestation Statement Format</span><a class="self-link" href="#sctn-tpm-attestation"></a></h3>
    <p>This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
 engine.</p>