Common use cases for key attestation are:
- Issuing code signing certificates for subscriber keys, verifying that the subscribers private signature key is generated and managed in an approved cryptographic device.
- Issuing digital signature certificate for subscriber keys, verifying that the subscribers private signature key is generated and managed in an approved cryptographic device.
There are other ways to achieve the same purpose, such as shipping hardware devices (USB tokens, smart cards, etc) to the subscriber, or requiring a formal audit of the key generation procedure from the subscriber. Using remote key attestation makes this process more efficient and possible to automate in a larger scale.
The table lists known hardware cryptographic devices and their support, or non-support, for remote key attestation.
There are a few standardization efforts available. Known efforts include:
Recently (June 2022) draft submitted to IETF, Key Attestation Extension for Certificate Management Protocols
This draft makes use of WebAuthn Defined Attestation Statement Formats
Other suggestions, which hasn’t been seen live in any of the above implementations:
There is also a draft with Use cases for Remote Attestation common encodings. Section 7 describes several of the encodings listed in the table above.
- A set of key attestations and corresponding X.509 certificate files generated by various Pixel, Surface Pro and YubiKey devices. By Carl Wallace.