Some of the attestation-specific addons to the TLS handshake can be quite a performance drain. In order to allow some performance improvements, at least in the context of mutual authentication via attestation, one could consider approaches in which the two entities generate and verify attestation evidence in parallel.
For example, if both peers use the same channel binder and both have access to all the necessary data (encrypted extensions have been exchanged both ways), then the two can perform evidence generation in parallel, followed by the server sending its evidence in the Certificate message, and so on.
Similarly, if the client sends its evidence before starting the verification process for the server's evidence (NOTE: possible privacy issue), verification can happen in parallel.
Some of the attestation-specific addons to the TLS handshake can be quite a performance drain. In order to allow some performance improvements, at least in the context of mutual authentication via attestation, one could consider approaches in which the two entities generate and verify attestation evidence in parallel.
For example, if both peers use the same channel binder and both have access to all the necessary data (encrypted extensions have been exchanged both ways), then the two can perform evidence generation in parallel, followed by the server sending its evidence in the Certificate message, and so on.
Similarly, if the client sends its evidence before starting the verification process for the server's evidence (NOTE: possible privacy issue), verification can happen in parallel.