
How spec complete/compliant is the library currently? #231

Closed
dbfr3qs opened this issue May 20, 2021 · 4 comments

Comments


dbfr3qs commented May 20, 2021

Hi there, first and foremost I just wanted to say how much I appreciate the work that's gone into this library already. I'm relatively new to the ins and outs of the FIDO2 specifications but a long time fan of the concept of Passwordless auth.

My query is: how spec compliant is the FIDO2-NET library currently? For example, I was looking at the VerifyAsync method in the AuthenticatorAttestationResponse class. It looks like possibly some of the steps aren't yet implemented from the spec, but I can't quite tell, as the linked resource in the comments to the WebAuthn spec (https://www.w3.org/TR/webauthn/#registering-a-new-credential) does not appear to exist anymore (I'm guessing they rejigged the spec). I had a look around the spec but couldn't see the 19-step registration outline, but it could just be my unfamiliarity with the spec/FIDO2.

Following on, would this library be considered production ready?
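The steps being asked about are the Relying Party's registration verification procedure, WebAuthn section 7.1 "Registering a New Credential" (the current anchor is https://www.w3.org/TR/webauthn/#sctn-registering-a-new-credential). The following is an added example, not code from this thread or from the Fido2-net-lib project, written in Python rather than the library's C# so it runs stand-alone: it implements the spec's steps 1 through 14 (token binding skipped, only the "none" attestation format accepted, so the trust-anchor and registration steps 15 to 19 are out of scope) with a hand-rolled CBOR decoder, and feeds it a constructed registration response. The function and parameter names (`verify_registration`, `build_sample`, `allowed_algs`, the `example.com` RP) are this example's own assumptions, and the sample key coordinates are dummy bytes, not a real P-256 point.

```python
import base64
import hashlib
import json
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cbor_item(buf: bytes, pos: int = 0):
    """Decode one CBOR item at buf[pos] and return (value, end_position). Definite-length
    ints, strings, arrays and maps are all attestationObject and COSE_Key need."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27:
        n = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("indefinite-length or reserved CBOR item")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):
        out = [] if major == 4 else {}
        for _ in range(arg):
            if major == 4:
                item, pos = cbor_item(buf, pos)
                out.append(item)
            else:
                key, pos = cbor_item(buf, pos)
                out[key], pos = cbor_item(buf, pos)
        return out, pos
    raise ValueError("unsupported CBOR major type %d" % major)


def verify_registration(client_data_json: bytes, attestation_object: bytes, *,
                        expected_challenge: bytes, expected_origin: str, rp_id: str,
                        require_uv: bool = False, allowed_algs=(-7,)) -> dict:
    """Spec steps 1-14 (token binding skipped; only fmt "none"); ValueError on any failure."""
    c = json.loads(client_data_json.decode("utf-8"))              # steps 1-2
    if c.get("type") != "webauthn.create":                         # step 3
        raise ValueError("clientData.type is not webauthn.create")
    if c.get("challenge") != b64url(expected_challenge):           # step 4
        raise ValueError("challenge mismatch")
    if c.get("origin") != expected_origin:                         # step 5
        raise ValueError("origin mismatch: %r" % c.get("origin"))
    client_data_hash = hashlib.sha256(client_data_json).digest()   # step 7
    att, end = cbor_item(attestation_object)                       # step 8
    if end != len(attestation_object):
        raise ValueError("trailing bytes after attestationObject")
    fmt, auth_data, att_stmt = att["fmt"], att["authData"], att["attStmt"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():  # step 9
        raise ValueError("rpIdHash does not match RP ID %r" % rp_id)
    flags = auth_data[32]
    if not flags & 0x01:                                           # step 10: UP
        raise ValueError("user presence flag not set")
    if require_uv and not flags & 0x04:                            # step 11: UV
        raise ValueError("user verification required but UV flag not set")
    if not flags & 0x40:                                           # AT: credential data must follow
        raise ValueError("no attested credential data in authData")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = auth_data[37:53]
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    cred_id = auth_data[55:55 + cred_len]
    # credentialPublicKey carries no length prefix: its end is only known by parsing it.
    cose_key, _ = cbor_item(auth_data, 55 + cred_len)
    if cose_key.get(3) not in allowed_algs:                        # step 12: alg in pubKeyCredParams
        raise ValueError("credential alg %r not offered" % cose_key.get(3))
    if fmt != "none" or att_stmt != {}:                            # steps 13-14, "none" only here
        raise ValueError("attestation format %r not handled in this example" % fmt)
    return {"credential_id": cred_id, "public_key": cose_key, "sign_count": sign_count,
            "aaguid": aaguid, "client_data_hash": client_data_hash, "fmt": fmt}


def build_sample(rp_id="example.com", origin="https://example.com",
                 challenge=b"\x11" * 32, flags=0x41):
    """Constructed registration response: fmt "none", ES256 key with dummy coordinates."""
    client_data = json.dumps({"type": "webauthn.create", "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # COSE_Key {1: 2 (EC2), 3: -7 (ES256), -1: 1 (P-256), -2: x, -3: y}, hand-encoded CBOR
    cose = b"\xa5\x01\x02\x03\x26\x20\x01\x21\x58\x20" + b"\xaa" * 32 + b"\x22\x58\x20" + b"\xbb" * 32
    cred_id = b"\x42" * 16
    auth_data = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 5)
                 + b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id + cose)
    # attestationObject = {"fmt": "none", "attStmt": {}, "authData": <bytes>}, hand-encoded CBOR
    return client_data, (b"\xa3" + b"\x63fmt" + b"\x64none" + b"\x67attStmt" + b"\xa0"
                         + b"\x68authData" + b"\x58" + bytes([len(auth_data)]) + auth_data)


if __name__ == "__main__":
    cd, ao = build_sample()
    print(verify_registration(cd, ao, expected_challenge=b"\x11" * 32,
                              expected_origin="https://example.com", rp_id="example.com"))
```

Two points the spec's step list does not make obvious: the attestation object is checked for trailing bytes after the top-level CBOR map, and the credential public key is located by parsing rather than by length, since authData has no length field for it and extensions may follow. A production verifier would continue with the format-specific attStmt checks and trust-anchor assessment (steps 14 to 16) and the duplicate-credentialId check (step 17), which this example deliberately leaves out.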

abergs (Collaborator) commented May 20, 2021

@aseigler might have more to say about the nitty-gritty regarding spec compliance (if there are any recent changes). I think the upcoming changes to MDS are a gray area, perhaps not part of the spec but they should be treated as "compliance", and they will be supported by the library.

With that said, on a larger picture this library is and aims to be spec compliant. We are also running the FIDO Alliance compliance testing, and I believe we were one of the first (at least OSS) projects to reach a 100% compliance score.

The definition of "Production ready" differs from company to company, but I and multiple others run this library in production. However, no paid support plans are available (at the time of writing).

dbfr3qs (Author) commented May 20, 2021

Thanks for getting back to me so promptly @abergs, appreciate the thoughtful response.

aseigler (Collaborator) commented:

To add to what Anders said, there are a few things in play here: compliance with the WebAuthn spec, and compliance as a FIDO Alliance certified server. We tried to write the library to closely match the WebAuthn spec, and sometimes you'll find links to the spec in the source comments, but it is a living spec that has had significant changes over the past few years. We didn't plan the library from day one to align perfectly with anything; we kind of built it as we went.

In terms of compliance, the best we've got at the moment is the passing results from the conformance tools. If some individual or organization wants to sponsor the library for server certification, I'd be willing to go through the process.

dbfr3qs (Author) commented May 24, 2021

Thanks @aseigler for weighing in, and thanks again to you both for your comments. That has given me a good idea of the current state 👍

@dbfr3qs dbfr3qs closed this as completed May 24, 2021