attachmentHint must correspond to the authenticatorGetInfo.transports if present

[geofli]

By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.

If you have privacy concerns, please email [email protected]

FIRST PRE CHECK

• I SOLEMNLY SWEAR THAT I HAVE SEARCHED DOCUMENTATION AND WAS NOT ABLE TO RESOLVE MY ISSUE

What protocol are you implementing?

• FIDO2 Server
• CTAP2.0
• CTAP2.1
• UAF 1.1
• U2F 1.1
• U2F 1.2

NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.

What is your implementation class?

• Security Key / FIDO2 / U2F authenticators
• Server
• UAF Client-ASM-Authenticator combo
• UAF Client
• UAF ASM-Authenticator

If you are platform authenticator vendor, please email [email protected]

What is the version of the tool are you using?

1.7.22

What is the OS and the version are you running?

macOS 15.0.1

For desktop tools

• OSX
• Windows
• Linux

For UAF mobile tools

• iOS
• Android

Issue description

According to https://fidoalliance.org/specs/mds/fido-metadata-statement-v3.0-ps-20210518.html#dom-metadatastatement-attachmenthint , attachmentHint "Must be set to the complete list of the supported ATTACHMENT_HINT constant case-sensitive string names defined in the FIDO Registry of Predefined Values", and "For FIDO2 the values of attachmentHint MUST correspond to the authenticatorGetInfo.transports if present."

But currently, this attachmentHint and authenticatorGetInfo.transports can be different. For example

  "attachmentHint": [
    "external",
    "wired"
  ]

but authenticatorGetInfo has

  "transports": [
      "nfc",
      "usb"
  ]