I think it should be like this:

— If you actually need metadata for compliance, legal, or security reasons, then yes. Fail if you fail to find it.

— If you just want FIDO, then you can just drop the entire trust root verification.

Yes, you can certainly add other vendors' Metadata Statements, if you wish.

You should read this article: https://fidoalliance.org/fido-technotes-the-truth-about-attestation/
