Hey Tangui. Glad that you are enjoying the articles. Here are the answers:
- Use of the metadata statement / service is mandatory for certified servers. My next article will cover the specifics of this.
- There are three types of identifiers in the FIDO ecosystem: AAGUID (FIDO2), AAID (UAF) and attestationRootKeyIdentifier (U2F). You will load a set of metadata statements, which are JSON files, to your server. And when you get an attestation you will match it against the metadata by aaguid/aaid/akid.
- These are the latest published specs: https://fidoalliance.org/specs/fido-v2.0-rd-20180702/
- You should request access to conformance tools https://fidoalliance.org/test-tool-access-request/
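
The lookup described in the reply above, sketched as an added example that is not part of the original comment or the author's code: metadata statements are indexed by AAGUID, AAID and key identifier, then matched against the identifier taken from an attestation. The function names and sample statements are constructed for illustration; it assumes the key identifier is carried in the metadata statement's `attestationCertificateKeyIdentifiers` field and is supplied to the lookup as a hex string.

```python
import json
import uuid

# Constructed sample metadata statements (not real authenticators), trimmed to
# the identifier fields and a description.
SAMPLE_STATEMENTS = [
    json.loads('{"description": "Example FIDO2 key", '
               '"aaguid": "00112233-4455-6677-8899-AABBCCDDEEFF"}'),
    json.loads('{"description": "Example UAF authenticator", "aaid": "ABCD#0001"}'),
    json.loads('{"description": "Example U2F token", '
               '"attestationCertificateKeyIdentifiers": '
               '["00112233445566778899AABBCCDDEEFF00112233"]}'),
]

def _norm(value):
    # Identifiers are compared case-insensitively.
    return value.strip().lower()

def build_index(statements):
    """Map (identifier type, normalized identifier) -> metadata statement."""
    index = {}
    for st in statements:
        keys = []
        if "aaguid" in st:
            keys.append(("aaguid", str(uuid.UUID(st["aaguid"]))))
        if "aaid" in st:
            keys.append(("aaid", _norm(st["aaid"])))
        for akid in st.get("attestationCertificateKeyIdentifiers", []):
            keys.append(("akid", _norm(akid)))
        for key in keys:
            # Two statements claiming one identifier would make the match ambiguous.
            if key in index:
                raise ValueError(f"duplicate identifier in metadata: {key}")
            index[key] = st
    return index

def find_statement(index, *, aaguid_bytes=None, aaid=None, akid=None):
    """Return the matching statement, or None for an unknown authenticator."""
    if aaguid_bytes is not None:
        # In FIDO2 the AAGUID arrives as 16 raw bytes in the authenticator data.
        if len(aaguid_bytes) != 16:
            raise ValueError("AAGUID must be 16 bytes")
        return index.get(("aaguid", str(uuid.UUID(bytes=aaguid_bytes))))
    if aaid is not None:
        return index.get(("aaid", _norm(aaid)))
    if akid is not None:
        return index.get(("akid", _norm(akid)))
    raise ValueError("no authenticator identifier supplied")
```

A `None` result means no loaded statement covers the authenticator; whether to accept or reject such an attestation is a server policy decision.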