during the last few months members of the attestation design team have
made a lot of progress on the CSR attestation draft and hence we
started the next "phase" by working on an evidence format that meets
the needs of the HSM community. This evidence format re-uses the
encoding of an X.509 certificate.
okay... but it doesn't really say exactly how.
I am reading that you have basically taken claims from EAT and encoded this in ASN.1. I see all those claims, and that's great.
You write that it's an X509 certificate extension.
But, I don't see a clear extension in the document.
Is each claim a new extension, or are they bundled into a single extension?
I understand the use of RFC5280 format certificate objects because HSM
vendors are used to signing certificate objects. Well... but are they?
I can see that some HSMs, which are used for running CAs would be, but are
HSMs like Yubikeys also likely? I see that kind of device (kept in a locked
drawer) is likely 95% of code signers.
I understand that the certificate's Issuer would be the device's AK, which is signed by the HSM vendor. The SubjectKeyInfo would be the public key in the CSR request? What about the SubjectDN? What other extensions might be present?
hannestschofenig
commented
8 months ago
Tschofenig, Hannes hannes.tschofenig=40siemens.com@dmarc.ietf.org wrote:
okay... but it doesn't really say exactly how.
I am reading that you have basically taken claims from EAT and encoded this in ASN.1. I see all those claims, and that's great.
You write that it's an X509 certificate extension. But, I don't see a clear extension in the document. Is each claim a new extension, or are they bundled into a single extension?
I understand the use of RFC5280 format certificate objects because HSM vendors are used to signing certificate objects. Well... but are they? I can see that some HSMs, which are used for running CAs would be, but are HSMs like Yubikeys also likely? I see that kind of device (kept in a locked drawer) is likely 95% of code signers.
I understand that the certificate's Issuer would be the device's AK, which is signed by the HSM vendor. The SubjectKeyInfo would be the public key in the CSR request? What about the SubjectDN? What other extensions might be present?