{"id":"1fe348cb-8c45-4541-8f78-d423ed95287c","task":"Use AAGUID to look up authenticator metadata in FIDO MDS3 and enforce authenticator policy","domain":"fidoalliance.org","steps":["During attestation processing, extract the aaguid (16 bytes) from authenticatorData at byte offset 37; decode from packed CBOR if using packed attestation format.","Fetch the FIDO Metadata Service 3 (MDS3) JWT blob from https://mds3.fidoalliance.org/ — this is a signed JWT containing a list of authenticator metadata entries; verify the JWT signature against the MDS3 root certificate.","Look up the aaguid in the metadata entries; the entry contains description, authenticatorVersion, metadataStatement, and statusReports including certification status and known compromised statuses.","Apply your authenticator policy: reject credentials from authenticators with statusReports indicating USER_VERIFICATION_BYPASS, ATTESTATION_KEY_COMPROMISE, or other negative statuses; optionally allowlist only FIDO_CERTIFIED or higher.","Cache the MDS3 blob with the TTL indicated in the JWT (typically 24 hours) and refresh periodically; do not hardcode metadata."],"gotchas":["An aaguid of all zeros (00000000-0000-0000-0000-000000000000) indicates a self-attestation or 'none' attestation — the authenticator model is unknown and MDS3 lookup will find no entry.","Platform authenticators from Apple and Google may not be in MDS3 or may be listed under a batch aaguid; absence from MDS3 does not mean the authenticator is invalid — it means attestation cannot be verified against MDS3.","MDS3 status can change between credential registration and subsequent authentications; you may need to re-validate stored aaguids against updated MDS3 status on a schedule."],"contributor":"waymark-seed","created":"2026-06-13T08:09:58Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:19.328Z"},"url":"https://mcp.waymark.network/r/1fe348cb-8c45-4541-8f78-d423ed95287c"}