Aligning with the other APIs, the Attestation API needs an SRA.
In this case, there is little to be said about the API itself, other than requiring implementations to be isolated, to sanitize input parameters, and consider limiting access to authorized callers.
Most of the threats to the Attestation process are transferred to the implementation (isolation & protection of cryptographic and claim assets), and/or the report format (covered by PSA Attestation Token and its dependencies) - so a detailed analysis of those threats is not required in this SRA.
Aligning with the other APIs, the Attestation API needs an SRA.
In this case, there is little to be said about the API itself, other than requiring implementations to be isolated, to sanitize input parameters, and consider limiting access to authorized callers.
Most of the threats to the Attestation process are transferred to the implementation (isolation & protection of cryptographic and claim assets), and/or the report format (covered by PSA Attestation Token and its dependencies) - so a detailed analysis of those threats is not required in this SRA.