w3c · dwaite · Sep 24, 2024 · Jul 12, 2023 · Aug 30, 2023 · Sep 6, 2023
diff --git a/index.bs b/index.bs
@@ -5801,7 +5801,7 @@ implementable by [=authenticators=] with limited resources (e.g., secure element
                 [=attestation trust path=].
 
 
-### Packed Attestation Statement Certificate Requirements ### {#sctn-packed-attestation-cert-requirements}
+### Certificate Requirements for Packed Attestation Statements ### {#sctn-packed-attestation-cert-requirements}
 
 The attestation certificate MUST have the following fields/extensions:
 
@@ -5842,6 +5842,18 @@ The attestation certificate MUST have the following fields/extensions:
     are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
     See, for example, the FIDO Metadata Service [[FIDOMetadataService]].
 
+### Certificate Requirements for Enterprise Packed Attestation Statements ### {#sctn-enterprise-packed-attestation-cert-requirements}
+
+There are two potential sources for Enterprise Attestestations in Packed format:
+
+1. From a hardware device which is manufactured with a device-specific attestation statement and key
+2. Via a provisioned attestation statement, such as with a platform authenticator configured via managed policy
+
+For attestation statements provisioned at manufacturing, the Extension OID `1.3.6.1.4.1.45724.1.1.2` (`id-fido-gen-ce-sernum`) 
+MUST be present, containing a unique serial number for the device as an OCTET STRING. The extension MUST NOT be marked as critical.
+
+As enterprise attestations are normally consumed by [=[RPS]=] which are looking for particular authenticators, 
+there MAY be additional extensions used to convey information based on prior agreement.
 
 ## TPM Attestation Statement Format ## {#sctn-tpm-attestation}