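%% You should probably cite draft-ietf-lamps-csr-attestation-16 instead of this revision.
%%
%% Internet-Draft (work in progress) on carrying remote-attestation Evidence
%% inside certificate signing requests (PKCS#10 / CRMF).
%% Internet-Drafts are revised and replaced, so cite the exact revision that was read.
%%
%% NOTE(review): the exported record carried empty `year`, `month` and `day`
%% fields. An empty field value is a BibTeX syntax error, so they are omitted
%% here. Add the publication date of revision 14 from the datatracker page
%% before citing; it is not filled in here because the export does not state it.
@techreport{ietf-lamps-csr-attestation-14,
  author      = {Ounsworth, Mike and Tschofenig, Hannes and Birkholz, Henk and Wiseman, Monty and Smith, Ned},
  title       = {Use of Remote Attestation with Certification Signing Requests},
  type        = {Internet-Draft},
  number      = {draft-ietf-lamps-csr-attestation-14},
  institution = {Internet Engineering Task Force},
  publisher   = {Internet Engineering Task Force},
  note        = {Work in Progress},
  url         = {https://datatracker.ietf.org/doc/draft-ietf-lamps-csr-attestation/14/},
  pagetotal   = 42,
  abstract    = {A PKI end entity requesting a certificate from a Certification Authority (CA) may wish to offer trustworthy claims about the platform generating the certification request and the environment associated with the corresponding private key, such as whether the private key resides on a hardware security module. This specification defines an attribute and an extension that allow for conveyance of Evidence in Certificate Signing Requests (CSRs) such as PKCS\#10 or Certificate Request Message Format (CRMF) payloads which provides an elegant and automatable mechanism for transporting Evidence to a Certification Authority. Including Evidence along with a CSR can help to improve the assessment of the security posture for the private key, and can help the Certification Authority to assess whether it satisfies the requested certificate profile. These Evidence Claims can include information about the hardware component's manufacturer, the version of installed or running firmware, the version of software installed or running in layers above the firmware, or the presence of hardware components providing specific protection capabilities or shielded locations (e.g., to protect keys).},
}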