Hard-coded Root Cert in source

[StuFrankish]

Hi all, I'm reading through as much source and documentation as I can but I'm not understanding the reasoning behind including a hard coded root cert for the Fido metadata service.

I understand the purpose of using the metadata data service to ensure an integrity trust for authenticator devices, but not sure why the cert has to be hard coded?

Is there no concern around certificate expiry or revocation?
Is there an expectation for developers to update this manually?

Apologies if this is a low level question, but I'm trying to understand as much as I can.

Just wondered also if there was any other documentation around these services and what to do if they become unavailable, surely these can't be a single point of failure for so many implementations.

Thanks!

[abergs]

Your question is valid.
The MDS root certificate is hard coded from convenience and we could read it from the currently recognised url, as mentioned by the fido alliance:

For our PKI We use GlobalSign. The root GS-R3 certificate can be found here: https://valid.r3.roots.globalsign.com/

Or allow a developer to manually update it -- It would be a small but good improvement.

The MDS is only a "soft" single point of failure - you do not need to call the MDS often, just to fetch new data. If the MDS is not available, you can safely retry later without much real world impact or disturbance to your system.

[abergs]

Keeping open as a reminder to fix the hard coded some time, preferably before 18 march 2029