Merge pull request #1954 from dwaite/enterprise-attestation-guidance
Enterprise packed attestation guidance
dwaite authored Sep 24, 2024
2 parents ed636a2 + 39733f0 commit efdf948
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions index.bs
Expand Up @@ -3867,7 +3867,7 @@ Note: The {{AttestationConveyancePreference}} enumeration is deliberately not re
:: The [=[RP]=] wants to receive the [=attestation statement=] as generated by the [=authenticator=].

: <dfn>enterprise</dfn>
:: The [=[RP]=] wants to receive an [=attestation statement=] that may include uniquely identifying information. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested [=RP ID=].
:: The [=[RP]=] wants to receive an enterprise attestation, which is an [=attestation statement=] that may include information which uniquely identifies the authenticator. This is intended for controlled deployments within an enterprise where the organization wishes to tie registrations to specific authenticators. User agents MUST NOT provide such an attestation unless the user agent or authenticator configuration permits it for the requested [=RP ID=].

If permitted, the user agent SHOULD signal to the authenticator (at [invocation time](#CreateCred-InvokeAuthnrMakeCred)) that enterprise attestation is requested, and convey the resulting [=/AAGUID=] and [=attestation statement=], unaltered, to the [=[RP]=].
</div>
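Review bot: the new sentence introduces the term "enterprise attestation" in plain text, but the section added later in this same change refers to "enterprise use" and "enterprise attestations" without any link back to this definition; consider marking it up as `<dfn>enterprise attestation</dfn>` here, next to the existing `<dfn>enterprise</dfn>` enum value, so later sections can reference it as `[=enterprise attestation=]`. Minor wording: "information which uniquely identifies the authenticator" reads better as "information that uniquely identifies the authenticator".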
Expand Down Expand Up @@ -6386,7 +6386,7 @@ implementable by [=authenticators=] with limited resources (e.g., secure element
[=attestation trust path=].


### Packed Attestation Statement Certificate Requirements ### {#sctn-packed-attestation-cert-requirements}
### Certificate Requirements for Packed Attestation Statements ### {#sctn-packed-attestation-cert-requirements}

The attestation certificate MUST have the following fields/extensions:

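Review bot: the retitle keeps the `{#sctn-packed-attestation-cert-requirements}` ID unchanged, so existing cross-references to this section continue to resolve, and the new wording parallels the "Certificate Requirements for Enterprise Packed Attestation Statements" heading added below. Worth a quick search for prose elsewhere that quotes the old title "Packed Attestation Statement Certificate Requirements" verbatim, since that text would now be stale.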
Expand Down Expand Up @@ -6456,6 +6456,10 @@ The attributes above are structured within this certificate as such:
2A -- Firmware version: 42
~~~

### Certificate Requirements for Enterprise Packed Attestation Statements ### {#sctn-enterprise-packed-attestation-cert-requirements}

The Extension OID `1.3.6.1.4.1.45724.1.1.2` ( `id-fido-gen-ce-sernum` ) MAY additionally be present in packed attestations for enterprise use. If present, this extension MUST indicate a unique octet string value per device against a particular AAGUID. This value MUST remain constant through factory resets, but MAY be distinct from any other serial number or other hardware identifier associated with the device. This extension MUST NOT be marked as critical, and the corresponding value is encoded as an OCTET STRING. This extension MUST NOT be present in non-enterprise attestations.

## TPM Attestation Statement Format ## {#sctn-tpm-attestation}

This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic
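Review bot: the uniqueness requirement in the new paragraph is ambiguous. "A unique octet string value per device against a particular AAGUID" can be read as unique per (device, AAGUID) pair; if the intent is that the value distinguishes the device among all authenticators that share the same AAGUID, state that directly, e.g. "MUST be unique among all authenticators that share the same AAGUID". The paragraph also states the encoding twice ("unique octet string value" and later "encoded as an OCTET STRING"); keep one, and consider adding a maximum length, since nothing bounds the value. Finally, "This extension MUST NOT be present in non-enterprise attestations" is a requirement on the authenticator, but nothing tells the [=[RP]=] what to do if the extension shows up when enterprise attestation was not requested (reject, ignore, or treat as a policy violation); a sentence in the packed attestation verification procedure, or at least a note here, would close that gap.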