Open jamesez opened 1 year ago
I'd ask that the whole attestation leaf certificate be handed over to the webhook/thing making the decision (perhaps in addition to any parsed-out attestation data). In this way third parties can verify the cert request however they wish.
+1 to @jessepeterson’s suggestion that the entire leaf be sent to the hook.
Hello!
Issue details
Webhooks should be given as much of the attestation as possible, so that the hook can make decisions about whether to issue the certificate (this is similar to #1526).
Additionally, webhooks should be able to enrich the certificate from that attestation.
Why is this needed?
By giving a webhook the full attestation data, it can make decisions about whether the certificate should be issued at all - say, by verifying that the OS is above some minimum, and that the device is present in the MDM database.
Additionally, we want to carry the attested OS version OID into the finished certificate, so a partner service could make their own decisions about permitting a device on the network, without that service needing to ask our MDM or some other service via a back-channel.
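The flow the issue asks for, sketched as an added example in Go (not code from this issue or from the project): the webhook receives the whole attestation leaf certificate as PEM, pulls the attested OS version out of a certificate extension, refuses issuance if it is below a configured minimum or the device is absent from the MDM database, and otherwise returns the OS version to be carried into the finished certificate. The extension OID, the use of the subject CN as the device serial, the in-memory MDM table and the self-signed test leaf are all assumptions made so the example runs offline; a real attestation format defines its own OIDs and encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// Assumed OID for an "attested OS version" extension (not a real assignment).
var oidAttestedOSVersion = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// mdmDB stands in for the MDM database, keyed by device serial (constructed data).
var mdmDB = map[string]bool{"C02ABC123": true}

// Decision is what the webhook returns to the CA: allow/deny plus data to
// enrich the issued certificate with.
type Decision struct {
	Allow  bool
	Reason string
	Enrich map[string]string
}

// parseVersion turns "17.4.1" (or "17.4", "17") into three integers.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) == 0 || len(parts) > 3 {
		return v, fmt.Errorf("bad version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad version component %q in %q", p, s)
		}
		v[i] = n
	}
	return v, nil
}

// versionAtLeast reports whether have >= min, comparing component-wise.
func versionAtLeast(have, min string) (bool, error) {
	h, err := parseVersion(have)
	if err != nil {
		return false, err
	}
	m, err := parseVersion(min)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if h[i] != m[i] {
			return h[i] > m[i], nil
		}
	}
	return true, nil
}

// attestedOSVersion extracts the (assumed) OS version extension from the leaf.
func attestedOSVersion(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidAttestedOSVersion) {
			var v string
			rest, err := asn1.Unmarshal(ext.Value, &v)
			if err != nil {
				return "", err
			}
			if len(rest) != 0 {
				return "", errors.New("trailing data in OS version extension")
			}
			return v, nil
		}
	}
	return "", errors.New("attested OS version extension not present")
}

// Evaluate is the webhook's policy: parse the full leaf, check the attested OS
// version against minOS, check MDM enrollment, and return enrichment data.
// A malformed payload is an error; a policy failure is a deny with a reason.
func Evaluate(leafPEM []byte, minOS string) (Decision, error) {
	block, _ := pem.Decode(leafPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return Decision{}, errors.New("no CERTIFICATE block in webhook payload")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Decision{}, err
	}
	osVer, err := attestedOSVersion(cert)
	if err != nil {
		return Decision{Reason: err.Error()}, nil
	}
	ok, err := versionAtLeast(osVer, minOS)
	if err != nil {
		return Decision{Reason: err.Error()}, nil
	}
	if !ok {
		return Decision{Reason: fmt.Sprintf("OS %s below minimum %s", osVer, minOS)}, nil
	}
	serial := cert.Subject.CommonName // assumption: device serial lives in the CN
	if !mdmDB[serial] {
		return Decision{Reason: "device " + serial + " not enrolled in MDM"}, nil
	}
	return Decision{Allow: true, Reason: "ok", Enrich: map[string]string{"attestedOSVersion": osVer}}, nil
}

// MakeLeaf builds a self-signed stand-in for an attestation leaf carrying the
// assumed OS version extension, so the example runs without a real attestor.
func MakeLeaf(deviceSerial, osVersion string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	verDER, err := asn1.Marshal(osVersion)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: deviceSerial},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidAttestedOSVersion, Value: verDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	leaf, err := MakeLeaf("C02ABC123", "17.4.1")
	if err != nil {
		panic(err)
	}
	d, err := Evaluate(leaf, "17.0")
	if err != nil {
		panic(err)
	}
	fmt.Printf("allow=%v reason=%s enrich=%v\n", d.Allow, d.Reason, d.Enrich)
}
```

Handing the webhook the whole leaf (rather than only pre-parsed fields) is what lets it re-verify the chain, read extensions the CA does not know about, and apply its own policy; the `Enrich` map is the hook's answer to the second request in the issue, the value the CA would copy into the issued certificate.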