Open vanbroup opened 7 months ago
Specific to CA/B Forum requirements I know these, but they build on cryptographic capabilities:
https://support.fortanix.com/hc/en-us/articles/18924491083028-Using-Fortanix-DSM-for-Verifying-Key-Attestation-Statements
https://data-protection-updates.gemalto.com/2020/04/15/public-key-confirmation-meeting-ca-browser-forum-standards-with-luna-and-luna-cloud-hsms/
Adding these to the table.
@vanbroup: I found these on the Entrust website:
https://www.entrust.com/knowledgebase/ssl/code-signing-private-key-protection-requirements-for-cloud-hsm-providers
If we want to add examples of non-cryptographic key attestation, could Entrust contribute?
We have received some requests to add a clear, step-by-step procedure or a direct link to the relevant section of the device documentation explaining how to create and verify non-cryptographic key attestations with a specific vendor.
This request stems from the acknowledgment of limited availability of remote (cryptographic) key attestation by vendors.
It's particularly crucial that this procedure meets the code signing certificate requirements of the CA/Browser Forum.
If we would like to facilitate such information, it should be emphasized that non-cryptographic mechanisms for key attestation can't be fully relied upon.