Skip to main content

PKI-based Attestation Evidence
draft-ietf-rats-pkix-evidence-00

Document Type Active Internet-Draft (rats WG)
Authors Mike Ounsworth , Richard Kettlewell , Jean-Pierre Fiset , Hannes Tschofenig , Tirumaleswar Reddy.K , Monty Wiseman
Last updated 2024-11-18 (Latest revision 2024-10-11)
Replaces draft-ounsworth-rats-pkix-evidence
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status (None)
Formats
Additional resources Mailing list discussion
Stream WG state WG Document
Document shepherd (None)
IESG IESG state I-D Exists
Consensus boilerplate Unknown
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ietf-rats-pkix-evidence-00
RATS                                                        M. Ounsworth
Internet-Draft                                             R. Kettlewell
Intended status: Standards Track                                 Entrust
Expires: 14 April 2025                                       J. P. Fiset
                                                                Crypto4A
                                                           H. Tschofenig
                                                                   H-BRS
                                                                T. Reddy
                                                                   Nokia
                                                              M. Wiseman
                                                         Beyond Identity
                                                         11 October 2024

                     PKI-based Attestation Evidence
                    draft-ietf-rats-pkix-evidence-00

Abstract

   This document specifies ASN.1 structures produced by an Attester as
   part of the remote attestation procedures and constitute Evidence.

   This document follows the Remote ATtestation procedureS (RATS)
   architecture where Evidence is sent by an Attester and processed by a
   Verifier.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 14 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Ounsworth, et al.         Expires 14 April 2025                 [Page 1]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   5
   3.  Attestation Evidence  . . . . . . . . . . . . . . . . . . . .   5
   4.  Signing and Verification Procedure  . . . . . . . . . . . . .   7
     4.1.  Signing Procedure . . . . . . . . . . . . . . . . . . . .   7
     4.2.  Verification Procedure  . . . . . . . . . . . . . . . . .   7
   5.  Claims  . . . . . . . . . . . . . . . . . . . . . . . . . . .   8
     5.1.  Platform Claims . . . . . . . . . . . . . . . . . . . . .   8
     5.2.  Key Claims  . . . . . . . . . . . . . . . . . . . . . . .   9
     5.3.  Device Identifier . . . . . . . . . . . . . . . . . . . .   9
       5.3.1.  ueid (Universal Entity ID) Claim  . . . . . . . . . .   9
       5.3.2.  sueids (Semi-permanent UEIDs) Claim (SUEIDs)  . . . .  10
       5.3.3.  oemid (Hardware OEM Identification) Claim . . . . . .  10
       5.3.4.  hwmodel (Hardware Model) Claim  . . . . . . . . . . .  11
       5.3.5.  hwversion (Hardware Version) Claim  . . . . . . . . .  11
     5.4.  Environment Identifier  . . . . . . . . . . . . . . . . .  11
     5.5.  Software Identifier . . . . . . . . . . . . . . . . . . .  12
     5.6.  OEM Boot  . . . . . . . . . . . . . . . . . . . . . . . .  12
     5.7.  Dbgstat (Debug Status)  . . . . . . . . . . . . . . . . .  12
     5.8.  Location  . . . . . . . . . . . . . . . . . . . . . . . .  12
     5.9.  Uptime  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.10. Bootcount {sect-bootcount}  . . . . . . . . . . . . . . .  13
     5.11. Bootseed  . . . . . . . . . . . . . . . . . . . . . . . .  13
     5.12. dloas (Digital Letters of Approval) . . . . . . . . . . .  13
     5.13. Endorsements  . . . . . . . . . . . . . . . . . . . . . .  14
     5.14. Manifests . . . . . . . . . . . . . . . . . . . . . . . .  14
     5.15. Measurements  . . . . . . . . . . . . . . . . . . . . . .  14
     5.16. Measres (Software Measurement Results)  . . . . . . . . .  14
     5.17. Submods (Submodules)  . . . . . . . . . . . . . . . . . .  14
     5.18. iat (Issuance Time) . . . . . . . . . . . . . . . . . . .  14
     5.19. intuse (Intended Use) . . . . . . . . . . . . . . . . . .  15
     5.20. FipsMode  . . . . . . . . . . . . . . . . . . . . . . . .  15
     5.21. VendorInfo  . . . . . . . . . . . . . . . . . . . . . . .  15
     5.22. NestedEvidences . . . . . . . . . . . . . . . . . . . . .  16
     5.23. Nonce . . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.24. KeyId . . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.25. PubKey  . . . . . . . . . . . . . . . . . . . . . . . . .  16

Ounsworth, et al.         Expires 14 April 2025                 [Page 2]
Internet-Draft       PKI-based Attestation Evidence         October 2024

     5.26. Purpose . . . . . . . . . . . . . . . . . . . . . . . . .  16
     5.27. NonExportable . . . . . . . . . . . . . . . . . . . . . .  17
     5.28. Imported  . . . . . . . . . . . . . . . . . . . . . . . .  17
     5.29. KeyExpiry . . . . . . . . . . . . . . . . . . . . . . . .  17
     5.30. Unrecognized claims . . . . . . . . . . . . . . . . . . .  17
   6.  Evidence Claims Certificate Extension . . . . . . . . . . . .  17
     6.1.  ASN.1 Module  . . . . . . . . . . . . . . . . . . . . . .  18
   7.  Implementation Considerations . . . . . . . . . . . . . . . .  19
     7.1.  API for requesting evidence from an attesting device  . .  19
       7.1.1.  Request by ID and claim profile . . . . . . . . . . .  20
       7.1.2.  Request by claim set  . . . . . . . . . . . . . . . .  20
   8.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  20
     8.1.  Publishing Evidence in a certificate  . . . . . . . . . .  20
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  22
     10.1.  OIDs for Evidence Claims Certificate Extension . . . . .  22
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  22
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  22
     11.2.  Informative References . . . . . . . . . . . . . . . . .  23
   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .  24
   Appendix B.  ASN.1 Module . . . . . . . . . . . . . . . . . . . .  24
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  24

1.  Introduction

   Trusted execution environments, like secure elements and hardware
   security modules (HSMs), are now widely used, which provide a safe
   environment to place cryptographic key material and security
   sensitive code which uses it, such as signing and decryption
   services, secure boot, secure storage, and other essential security
   functions.  These security functions are typically exposed through a
   narrow and well-defined interface, and can be used by operating
   system libraries and applications.

   Increasingly, parties that rely on these secure elements want
   evidence that the security sensitive operations are in fact being
   performed within a secure element.  This evidence can pertain to the
   secure element platform itself, or to the storage and protection
   properties of the cryptographic keys, or both.  This is generally
   referred to as remote attestation, and is covered by the Remote
   ATtestation procedureS (RATS) architecture [RFC9344].  This document
   species an evidence data format specified in ASN.1 and re-using many
   data structures from the PKIX ASN.1 modules [RFC5912] so to be a
   convenient format for secure elements and verifiers that are designed
   primarily for use within X.509 Public Key Infrastructures.

Ounsworth, et al.         Expires 14 April 2025                 [Page 3]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   When a Certificate Signing Request (CSR) library is requesting a
   certificate from a Certification Authority (CA), a PKI end entity may
   wish to provide Evidence of the security properties of the trusted
   execution environment in which the private key is stored.  This
   Evidence is to be verified by a Relying Party, such as the
   Registration Authority or the Certification Authority as part of
   validating an incoming CSR against a given certificate policy.
   [I-D.ietf-lamps-csr-attestation] defines how to carry Evidence in
   either PKCS#10 [RFC2986] or Certificate Request Message Format (CRMF)
   [RFC4211].

   [I-D.ietf-lamps-csr-attestation] is agnostic to the content and the
   encoding of Evidence.  To offer interoperability it is necessary to
   define a format that is utilized in a specific deployment
   environment.  Hardware security modules and other trusted execution
   environments, which have been using ASN.1-based encodings for a long
   time prefer the use of the same format throughout their software
   ecosystem.  For those use cases this specification has been
   developed.

   This specification re-uses the claims defined in [I-D.ietf-rats-eat].
   While the encoding of the claims is different to what is defined in
   [I-D.ietf-rats-eat], the semantics of the claims is retained.  This
   specification is not an EAP profile, as defined in Section 6 of
   [I-D.ietf-rats-eat]

   This specification was designed to meet the requirements published by
   the CA Browser Forum to convey properties about hardware security
   models, such as non-exportability, which must be enabled for storing
   publicly-trusted code-signing keys.  Hence, this specification is
   supposed to be used with the attestation extension for Certificate
   Signing Requests (CSRs), see [I-D.ietf-lamps-csr-attestation].

   There are, however, other use cases where remote attestation may also
   be used, such as

   *  A Certification Authority receives a certificate signing request
      and wishes to verify that the subject public key was generated in
      an HSM (for example to satisfy CA/B Forum subscriber private key
      verification requirement).  They may also wish to verify that the
      operations the HSM will allow for the corresponding private key
      are consistent with the purpose of the requested certificate.

Ounsworth, et al.         Expires 14 April 2025                 [Page 4]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   *  A user of a Cloud Service Provider's 'Bring Your Own Key' service
      wishes to transfer their locally-generated key securely to the
      CSP's service by encrypting it under the CSP's public key.  As
      part of their due diligence on the CSP's key they wish to verify
      (1) that it was generated by an HSM and (2) may only be used to
      unwrap the key into an HSM (i.e. unwrap permission but not decrypt
      permission).
   *  An auditor of an identity provision service (or a competent end
      user) may wish to verify that keys representing end-user
      identities are held in an HSM and have permissions that are in
      line with the applicable regulations.  For example, they may wish
      verify that the protection arrangements for assigned keys cannot
      be changed.
   *  A manufacturer needs to provision configuration info, software,
      and credentials to a device from remote.  With the help of remote
      attestation the manufacturer is provided enough information to
      verify that information is only sent to devices it has built.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   This document re-uses the terms defined in [RFC9334] related to
   remote attestation.  Readers of this document are assumed to be
   familiar with the following terms: Evidence, Claim, Attestation
   Result, Attester, Verifier, and Relying Party.

3.  Attestation Evidence

   This specification defines the following Evidence format, which
   contains a set of claims.  To protect Evidence against modification,
   it is protected with a digital signature.

Ounsworth, et al.         Expires 14 April 2025                 [Page 5]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   PkixEvidenceStatement ::= SEQUENCE {
     tbsEvidence TBSEvidenceStatement
     signatureValues SEQUENCE SIZE (1..MAX) OF BIT STRING,
     relatedCertificates [0] IMPLICIT SEQUENCE of Certificate OPTIONAL
     -- As defined in RFC 5280
   }

   TBSEvidenceStatement ::= SEQUENCE {
     version INTEGER,
     claims SEQUENCE SIZE (1..MAX) OF EVIDENCE-CLAIM,
     signatureInfos SEQUENCE SIZE (1..MAX) OF SignatureInfo
   }

   EVIDENCE-CLAIM ::= TYPE-IDENTIFIER

   -- TYPE-IDENTIFIER definition from X.681
   TYPE-IDENTIFIER ::= CLASS
   {
       &id OBJECT IDENTIFIER UNIQUE,
       &Type
   }
   WITH SYNTAX {&Type IDENTIFIED BY &id}

   SignatureInfo ::= SEQUENCE {
      signatureAlgorithm AlgorithmIdentifier,
      sid [0] SignerIdentifier OPTIONAL
   }

   SignerIdentifier ::= SEQUENCE {
      keyId [0] EXPLICIT OCTET STRING OPTIONAL,
      subjectKeyIdentifier [1] EXPLICIT SubjectPublicKeyInfo OPTIONAL,
        -- As defined in RFC 5280
      certificate [2] EXPLICIT Certificate OPTIONAL,
        -- As defined in RFC 5280
      certHash [3] EXPLICIT CertHash OPTIONAL
   }

   CertHash ::= SEQUENCE {
       hash AlgorithmIdentifier,
       value OCTET STRING
   }
   -- There is bound to already exist an ASN.1 structure for this somewhere.

   AlgorithmIdentifier ::= SEQUENCE {
      algorithm OBJECT IDENTIFIER,
      parameters ANY DEFINED BY algorithm OPTIONAL
   }

Ounsworth, et al.         Expires 14 April 2025                 [Page 6]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   version MUST be set to 1.

4.  Signing and Verification Procedure

   EDNOTE: Can we start our versions at some number to avoid versions
   that Crypto4A has already used?

4.1.  Signing Procedure

   1.  The message to be signed is the TBSEvidenceStatement, including
       the SignatureInfo for each of the signatures to be performed.
   2.  Each signature is computed in parallel and placed into index of
       the signatureValues SEQUENCE that matches the position of the
       corresponding SignatureInfo in the signatureInfos sequence.

   The signer MUST produce one signature per signatureInfo, it MUST NOT
   omit signatures and MUST NOT produce a subset of the signatures
   listed in signatureInfos.

4.2.  Verification Procedure

   1.  The message to be verified is the TBSEvidenceStatement.
   2.  For each signatureInfo, the corresponding verification public key
       and signature algorithm is found according to the information
       contained in the SignatureInfo for that signature and any
       accompanying certificates or key material.
   3.  For each signature, the message is verified using the value from
       the corresponding element of the signatureValue sequence.
   4.  The PkixEvidenceStatement SHOULD be considered valid if and only
       if all signatures are valid; i.e. multiple signatures are to be
       treated as an AND mode.  This item is a recommendation and not a
       hard requirement since verification policy is of course at the
       discretion of the Verifier.

   EDNOTE: the major change here from the original Crypto4A QASM
   Attestation is that the original only includes the claims in the
   signature, whereas this includes everything, including the version,
   list of signature algorithms.  This prevents possible attacks where
   those values are manipulated by attackers.  We should debate whether
   the certificates should be protected by the signature.  Pro:
   generally better for security to sign everything.  Con: in some
   contexts, it may be difficult to have the certificates prior to
   signing, but that's ok because most evidence carrier formats also
   allow you to attach the signatures externally.

Ounsworth, et al.         Expires 14 April 2025                 [Page 7]
Internet-Draft       PKI-based Attestation Evidence         October 2024

5.  Claims

   Since no claims are marked as MANDATORY, the sequence 'claims' may be
   constituted of differing claims from one instance to the next.  This
   is expected as each evidence statement may be providing information
   to support different use cases.

   Once an evidence statement is signed, the Attester is guaranteeing
   that all of the claims carried by the evidence statement are true.

   It is important to note that multiple claims in the sequence may have
   the same 'id'.  Implementers should ensure that this case is handled
   by verifying logic.

   For ease of reading, claims have been separated into two lists:
   "platform claims" and "key claims".

5.1.  Platform Claims

| Claim          | OID      | Value        | Section           | Status       |
| --------       | -------- | ------------ | ----------------- | ------------ |
| Oemid          | TBD      | UTF8String   | {{sect-deviceID}} | RECOMMENDED  |
| Hwmodel        | TBD      | UTF8String   | {{sect-deviceID}} | RECOMMENDED  |
| Hwversion      | TBD      | UTF8String   | {{sect-deviceID}} | RECOMMENDED  |
| Hwserial       | TBD      | UTF8String   | {{sect-deviceID}} | RECOMMENDED  |
| Ueid           | TBD      | UTF8String   | {{sect-ueid}    } | OPTIONAL     |
| Sueid          | TBD      | UTF8String   | {{sect-sueid}}    | OPTIONAL     |
| EnvID          | TBD      | UTF8String   | {{sect-envID}}    | OPTIONAL     |
| Swname         | TBD      | UTF8String   | {{sect-swID}}     | RECOMMENDED  |
| Swversion      | TBD      | UTF8String   | {{sect-swID}}     | RECOMMENDED  |
| Oemboot        | TBD      | BOOLEAN      | {{sect-oemboot}}  | RECOMMENDED  |
| Location       | TBD      | ???          | {{sect-location}} | OPTIONAL     |
| Dbgstat        | TBD      | CHOICE       | {{sect-dbgstat}}  | RECOMMENDED  |
| Uptime         | TBD      | INTEGER      | {{sect-uptime}}   | OPTIONAL     |
| Bootcount      | TBD      | INTEGER      | {{sect-bootcount}}| OPTIONAL     |
| Bootseed       | TBD      | BIT STRING   | {{sect-bootseed}} | OPTIONAL     |
| Dloas          | TBD      | SEQUENCE OF Dloa | {{sect-dloas}}    | OPTIONAL     |
| Endorsements   | TBD      | SEQUENCE of Endorsement | {{sect-endorsements}} | OPTIONAL |
| Manifests      | TBD      | ??           | {{sect-manifests}} | OPTIONAL    |
| Measurements   | TBD      | ??           | {{sect-measurements}} | OPTIONAL    |
| Measres        | TBD      | ??           | {{sect-measres}}   | OPTIONAL    |
| Submods        | TBD      | ??           | {{sect-submods}}   | OPTIONAL    |
| Iat            | TBD      | Time         | {{sect-iat}}       | RECOMMENDED |
| FipsMode       | TBD      | Boolean      | {{sect-fipsmode}}  | RECOMMENDED |
| VendorInfo     | TBD      | TYPE-IDENTIFIER | {{sect-vendorinfo}}| OPTIONAL    |
| NestedEvidences| TBD      | SEQUENCE OF PkixEvidenceStatement | {{sect-nestedevidences}} | OPTIONAL |
| Nonce          | TBD      | OCTET STRING | {{sect-nonce}}     | OPTIONAL    |

Ounsworth, et al.         Expires 14 April 2025                 [Page 8]
Internet-Draft       PKI-based Attestation Evidence         October 2024

5.2.  Key Claims

| Claim          | OID      | Value        | Section           | Status       |
| --------       | -------- | ------------ | ----------------- | ------------ |
| KeyId          | TBD      | IA5String    | {{sect-keyid}}    | OPTIONAL     |
| PubKey         | TBD      | OCTET STRING | {{sect-pubkey}}   | RECOMMENDED  |
| Purpose        | TBD      | CHOICE       | {{sect-purpose}}  | RECOMMENDED  |
| NonExportable  | TBD      | BOOLEAN      | {{sect-nonexportable}} | RECOMMENDED |
| Imported       | TBD      | BOOLEAN      | {{sect-imported}} | RECOMMENDED  |
| KeyExpiry      | TBD      | Time         | {{sect-keyexpiry}}| OPTIONAL     |

   Even though no specific claims are required, a Verifier or Relying
   Party MAY reject an Evidence claim if it is missing information
   required by the appraisal policy.  For example, a Relying Party which
   requires a FIPS-certified device SHOULD reject Evidence if it does
   not contain sufficient information to determine the FIPS
   certification status of the device.

5.3.  Device Identifier

   Devices assigned a Universal Entity ID compliant with RATS EAT SHOULD
   provide this in the Ueid or Sueid claim.  Devices with a traditional
   human-readable serial number SHOULD provide this in the Hwserial
   claim.  Both MAY be provided.

   The set {OemID, Hwmodel, Hwversion, Hwserial}, when provided, SHOULD
   represent a universally unique identification of the device.  Where
   applicable, {OemID, Hwmodel, Hwversion} SHOULD match the way the
   device is identified in relevant endorsements, such as published FIPS
   or Common Criteria certificates.

5.3.1.  ueid (Universal Entity ID) Claim

   The "ueid" claim conveys a UEID, which identifies an individual
   manufactured entity.  This identifier is a globally unique and
   permanent identifier.  See Section 4.2.1 of [I-D.ietf-rats-eat] for a
   description of this claim.  Three types of UEIDs are defined, which
   are distinguished via a type field.

   The ueid claim is defined as follows:

      id-ce-evidence-ueid OBJECT IDENTIFIER ::=
            { id-ce TBD_evidence TBD_ueid }

      claim_ueid ::= SEQUENCE {
          type    INTEGER ( RAND(1), EUI(2), IMEI(3),...),
          value   OCTET STRING
      }

Ounsworth, et al.         Expires 14 April 2025                 [Page 9]
Internet-Draft       PKI-based Attestation Evidence         October 2024

5.3.2.  sueids (Semi-permanent UEIDs) Claim (SUEIDs)

   The "sueids" claim conveys one or more semi-permanent UEIDs (SUEIDs).
   An SUEID has the same format, characteristics and requirements as a
   UEID, but MAY change to a different value on entity life-cycle events
   while the ueid claim is permanent.  An entity MAY have both a UEID
   and SUEIDs, neither, one or the other.

   There MAY be multiple SUEIDs and each has a text string label the
   purpose of which is to distinguish it from others.

   See Section 4.2.2 of [I-D.ietf-rats-eat] for a description of this
   claim.

   The sueids claim is defined as follows:

      id-ce-evidence-sueids OBJECT IDENTIFIER ::=
            { id-ce TBD_evidence TBD_sueids }

      claim_sueids ::= SEQUENCE {
          label   OCTET STRING,
          type    INTEGER ( RAND(1), EUI(2), IMEI(3),...),
          value   OCTET STRING
      }

5.3.3.  oemid (Hardware OEM Identification) Claim

   The "oemid" claim identifies the Original Equipment Manufacturer
   (OEM) of the hardware.

   See Section 4.2.3 of [I-D.ietf-rats-eat] for a description of this
   claim.

   The value of this claim depends on the type of OEMID and three types
   of IDs are defined:

   *  OEMIDs using a 128-bit random number.  Section 4.2.3.1 of
      [I-D.ietf-rats-eat] defines this type.
   *  an IEEE based OEMID using a global registry for MAC addresses and
      company IDs.  Section 4.2.3.1 of [I-D.ietf-rats-eat] defines this
      type.
   *  OEMIDs using Private Enterprise Numbers maintained by IANA.
      Section 4.2.3.3 of [I-D.ietf-rats-eat] defines this type.

   The oemid claim is defined as follows:

Ounsworth, et al.         Expires 14 April 2025                [Page 10]
Internet-Draft       PKI-based Attestation Evidence         October 2024

      id-ce-evidence-oemid OBJECT IDENTIFIER ::=
            { id-ce TBD_evidence TBD_oemid }

      claim_oemid ::= SEQUENCE {
          type    INTEGER ( PEN(1), IEEE(2), RANDOM(3),...),
          value   OCTET STRING
      }

   Editor's Note: The value for the PEN is numeric.  For the other two
   types it is a binary string.

5.3.4.  hwmodel (Hardware Model) Claim

   The "hwmodel" claim differentiates hardware models, products and
   variants manufactured by a particular OEM, the one identified by OEM
   ID.  It MUST be unique within a given OEM ID.  The concatenation of
   the OEM ID and "hwmodel" give a global identifier of a particular
   product.  The "hwmodel" claim MUST only be present if an "oemid"
   claim is present.

   See Section 4.2.4 of [I-D.ietf-rats-eat] for a description of this
   claim.

   The hwmodel claim is defined as follows:

      id-ce-evidence-hwmodel OBJECT IDENTIFIER ::=
            { id-ce TBD_evidence TBD_hwmodel }

      claim_hwmodel ::= OCTET STRING

5.3.5.  hwversion (Hardware Version) Claim

   The "hwversion" claim is a text string the format of which is set by
   each manufacturer.  A "hwversion" claim MUST only be present if a
   "hwmodel" claim is present.

   See Section 4.2.5 of [I-D.ietf-rats-eat] for a description of this
   claim.

   The hwversion claim is defined as follows:

      id-ce-evidence-hwversion OBJECT IDENTIFIER ::=
            { id-ce TBD_evidence TBD_hwwversion }

      hwversion ::= OCTET STRING

5.4.  Environment Identifier

Ounsworth, et al.         Expires 14 April 2025                [Page 11]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   EnvID EVIDENCE-CLAIM ::= UTF8String IDENTIFIED BY TBD

   This claim MAY be used to identify a partition within a cryptographic
   device, or a logical environment that spans multiple cryptographic
   devices such as a Security World or a cloud tenant.  The format of
   these identifiers will be vendor or environment specific.

5.5.  Software Identifier

   Swname EVIDENCE-CLAIM ::= UTF8String IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.6
   Swversion EVIDENCE-CLAIM ::= UTF8String IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.7

   SwName and Swversion together identify the device firmware and SHOULD
   match the way the firmware is identified in relevant endorsements,
   such as published FIPS or Common Criteria certificates.

5.6.  OEM Boot

   Oemboot EVIDENCE-CLAIM ::= BOOLEAN IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.8

5.7.  Dbgstat (Debug Status)

   The "dbgstat" claim applies to entity-wide or submodule-wide debug
   facilities and diagnostic hardware built into chips.  It applies to
   any software debug facilities related to privileged software that
   allows system-wide memory inspection, tracing or modification of non-
   system software like user mode applications.

   See Section 4.2.9 of [I-D.ietf-rats-eat] for a description of this
   claim and the semantic of the values in the enumerated list.

   The dbgstat claim is defined as follows:

   Dbgstat EVIDENCE-CLAIM ::= CHOICE {
       enabled                         [0] IMPLICIT NULL,
       disabled                        [1] IMPLICIT NULL,
       disabled-Since-Boot             [2] IMPLICIT NULL,
       disabled-Permanently            [3] IMPLICIT NULL,
       disabled-Fully-and-Permanently  [4] IMPLICIT NULL
   }
     -- semantics defined in rats-eat-4.2.9

5.8.  Location

Ounsworth, et al.         Expires 14 April 2025                [Page 12]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Location EVIDENCE-CLAIM ::= ???? IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.10

   Most HSMs will likely not know their own physical location, but
   cryptographic modules on mobile devices may.

5.9.  Uptime

   The "uptime" claim contains the number of seconds that have elapsed
   since the entity or submodule was last booted.

   Uptime EVIDENCE-CLAIM ::= INTEGER IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.11

5.10.  Bootcount {sect-bootcount}

   The "bootcount" claim contains a count of the number times the entity
   or submodule has been booted.  Support for this claim requires a
   persistent storage on the device.

   Bootcount EVIDENCE-CLAIM ::= INTEGER IDENTIFIER BY TBD
     -- semantics defined in rats-eat-4.2.12

5.11.  Bootseed

   The "bootseed" claim contains a value created at system boot time
   that allows differentiation of attestation reports from different
   boot sessions of a particular entity (e.g., a certain UEID).

   This value is usually public.  It is not a secret and MUST NOT be
   used for any purpose that a secret seed is needed, such as seeding a
   random number generator.

   Bootseed EVIDENCE-CLAIM ::= BIT STRING IDENTIFIED BY TBD
     -- semantics defined in rats-eat-4.2.13

5.12.  dloas (Digital Letters of Approval)

   The "dloas" claim conveys one or more Digital Letters of Approval
   (DLOAs).  A DLOA is a document that describes a certification that an
   entity has received.  Examples of certifications represented by a
   DLOA include those issued by Global Platform and those based on
   Common Criteria.  The DLOA is unspecific to any particular
   certification type or those issued by any particular organization.

Ounsworth, et al.         Expires 14 April 2025                [Page 13]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Dloas EVIDENCE-CLAIM ::= SEQUENCE SIZE (1..MAX) OF Dloa

   Dloa ::= SEQUENCE IDENTIFIED BY TBD {
       dloaRegistrar IA5STRING,
       dloaPlatformLabel UTF8STRING,
       dloaApplicationLabal [0] IMPLICIT UTF8String OPTIONAL
   }
     -- semantics defined in rats-eat-4.2.14

5.13.  Endorsements

   This claim allows referencing third party endorsements; for example
   from the device vendor or a certification such as FIPS or Common
   Criteria.  The content MAY be referenced by URI, or placed directly
   inline, but either way, the endorsement content or its URI MUST be
   known by the attester at the time that the evidence is generated.

   Endorsements EVIDENCE-CLAIM ::= SEQUENCE SIZE (1..MAX) OF Endorsement

   Endorsement ::= CHOICE IDENTIFIED BY TBD {
       uri     [0] IMPLICIT IA5String,
       content [1] IMPLICIT OCTET STRING
   }

   EDNOTE: this needs a bit of thought about what types of endorsements
   we will likely see, and whether OCTET STRING is the right format.

5.14.  Manifests

   TODO -- rats-eat-4.2.15

5.15.  Measurements

   TODO -- rats-eat-4.2.16

5.16.  Measres (Software Measurement Results)

   TODO -- rats-eat-4.2.17

5.17.  Submods (Submodules)

   TODO -- rats-eat-4.2.18

5.18.  iat (Issuance Time)

   The time at which the evidence was created.  Here we differ from the
   iat claim in rats-eat-4.3.1 in that we use the PKIX time format Time
   instead of the 64-bit CBOR time structure.

Ounsworth, et al.         Expires 14 April 2025                [Page 14]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Iat EVIDENCE-CLAIM ::= Time

   It is recognized that many HSMs, especially if air-gapped, will not
   have an accurate system clock.  If the system is not anticipated to
   have a reliable clock, then this claim SHOULD be omitted and the
   Nonce claim used instead.

5.19.  intuse (Intended Use)

   Intuse EVIDENCE-CLAIM ::= CHOICE IDENTIFIED BY TBD {
       generic              [1] IMPLICIT NULL,
       registration         [2] IMPLICIT NULL,
       provisioning         [3] IMPLICIT NULL,
       certificateIssuance  [4] IMPLICIT NULL,
       proofOfPossession    [5] IMPLICIT NULL
   }
     -- semantics defined in rats-eat-4.3.3

   Note: tags intentionally started at 1 to align with EAT.  If the IANA
   registry of intended use claims is extended, then the this CHOICE MAY
   be extended using the same tag values as indicated in the EAT
   registry.

5.20.  FipsMode

   The cryptographic module was booted in FIPS mode, including the
   required self-tests and any other requiremnts of its FIPS
   certificate.

   Note to verifiers and relying parties: "FIPS Mode" does not imply
   "FIPS Certified".  For example, a device may have a FIPS Mode even if
   the device was never submitted for FIPS certification.  This claim
   SHOULD only be taken in conjunction with a valid FIPS certification
   for this hardware and software version, and appraising any other
   claims as required by the FIPS certification.

   FipsMode EVIDENCE-CLAIM ::= BOOLEAN IDENTIFIED BY TBD

5.21.  VendorInfo

   This claim provides a place for vendor to place propriatary data;
   i.e. any proprietary data that does not fit in any other claim.

   VendorInfo ::= TYPE-IDENTIFIER IDENTIFIED BY TBD

   Vendors must specify an OID and data type for their VendorInfo, and
   communicate this to verifiers who wish to parse this data.

Ounsworth, et al.         Expires 14 April 2025                [Page 15]
Internet-Draft       PKI-based Attestation Evidence         October 2024

5.22.  NestedEvidences

   NestedEvidences EVIDENCE-CLAIM ::= SEQUENCE OF PkixEvidenceStatement IDENTIFIED BY TBD

   Composite devices may produce multiple signed evidence statements
   that need to be signed in a hiearchical manner.
   PkixEvidenceStatements MAY be nested.

5.23.  Nonce

   The "nonce" claim is used to provide freshness.

   The Nonce claim is used to carry the challenge provided by the caller
   to demonstrate freshness of the generated token.  The following
   constraints apply to the nonce-type:

   *  The length must be reasonable as it may be processed by end
      entities with limited resources.  Therefore, it is RECOMMENDED
      that the length does not exceed 64 bytes.
   *  Only a single nonce value is conveyed.

   The nonce claim is defined as follows:

   Nonce EVIDENCE-CLAIM ::= OCTET STRING IDENTIFIED BY TBD

   See Section 4.1 of [I-D.ietf-rats-eat] for a description of this
   claim.

5.24.  KeyId

   An identifier for the subject key.  The format MAY be vendor-
   specific, but MUST be an ASCII value (IA5String).

   KeyId EVIDENCE-CLAIM ::= IA5String IDENTIFIED BY TBD

5.25.  PubKey

   The subject public key being attested by this evidence.

   PubKey EVIDENCE-CLAIM ::= OCTET STRING IDENTIFIED BY TBD

5.26.  Purpose

   TODO: align with PKCS#11 Purposes

Ounsworth, et al.         Expires 14 April 2025                [Page 16]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Purpose EVIDENCE-CLAIM ::= CHOICE IDENTIFIED BY TBD {
      ... Sign, Decrypt, Unwrap, etc..

   }

5.27.  NonExportable

   TODO align with PKCS#11

   NonExportable EVIDENCE-CLAIM ::= BOOLEAN IDENTIFIED BY TBD

5.28.  Imported

   TODO align with PKCS#11

   Imported EVIDENCE-CLAIM ::= BOOLIAN IDENTIFIED BY TBD

5.29.  KeyExpiry

   If the key has a known expiry time or "not after" date.

   KeyExpiry EVIDENCE-CLAIM ::= Time

5.30.  Unrecognized claims

   This document does not define an exhaustive list of claims.  New
   claims may be added in the future, including proprietary ones.  As
   such, parsers SHOULD expect to encounter unrecognized claims, and to
   handle them gracefully.

   In general, the correct behaviour for a verifier will be to start
   with an appraisal policy of claims to look for, and where appropriate
   the expected values (for example, FipsMode: true), and any additional
   claims that may be in the evidence SHOULD be ignored.

6.  Evidence Claims Certificate Extension

   This section specifies the syntax and semantics of the Evidence
   Claims certificate extension which provides a list of claims
   associated with the certificate subject appraised by the CA.

   The Evidence Claims certificate extension MAY be included in public
   key certificates [RFC5280].  The Evidence Claims certificate
   extension MUST be identified by the following object identifier:

        id-pe-evidenceclaims OBJECT IDENTIFIER  ::=
           { iso(1) identified-organization(3) dod(6) internet(1)
             security(5) mechanisms(5) pkix(7) id-pe(1) 34 }

Ounsworth, et al.         Expires 14 April 2025                [Page 17]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   This extension MUST NOT be marked critical.

   The Evidence Claims extension MUST have the following syntax:

   EvidenceClaims ::= SET SIZE (1..MAX) OF EVIDENCE-CLAIM

   The EvidenceClaims represents an unsigned version of the evidence
   claims appraised by the CA.  It MUST contain at least one claim.  For
   privacy reasons, the CA MAY include only a subset of the
   EvidenceClaims that were presented to it, for example in an
   EvidenceBundle in a CSR.  The CA may include in their certificate
   profile a list of verified evidence claims (identified by OID) that
   MAY be copied from the CSR to the certificate, while any other claims
   MUST NOT be copied.  By removing the signature from the evidence, the
   CA is asserting that it has has verified the Evidence to chain to a
   root that the CA trusts, but it is not required to disclose in the
   final certificate what that root is.

   See Section 8 for a discussion of privacy concerns related to re-
   publishing Evidence into a certificate.

6.1.  ASN.1 Module

   This section provides an ASN.1 Module [X.680] for the Evidence Claims
   certificate extension, and it follows the conventions established in
   [RFC5912] and [RFC6268].

Ounsworth, et al.         Expires 14 April 2025                [Page 18]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   <CODE BEGINS>
        EvidenceClaimsCertExtn
          { iso(1) identified-organization(3) dod(6) internet(1)
            security(5) mechanisms(5) pkix(7) id-mod(0)
            id-mod-evidenceclaims(TBD) }

        DEFINITIONS IMPLICIT TAGS ::=
        BEGIN

        IMPORTS
          EXTENSION
          FROM PKIX-CommonTypes-2009  -- RFC 5912
            { iso(1) identified-organization(3) dod(6) internet(1)
              security(5) mechanisms(5) pkix(7) id-mod(0)
              id-mod-pkixCommon-02(57) } ;

        -- Evidence Claims Certificate Extension

        ext-EvidenceClaims EXTENSION ::= {
          SYNTAX EvidenceClaims
          IDENTIFIED BY id-pe-evidenceclaims }

        -- EvidenceClaims Certificate Extension OID

        id-pe-evidenceclaims OBJECT IDENTIFIER ::=
           { iso(1) identified-organization(3) dod(6) internet(1)
             security(5) mechanisms(5) pkix(7) id-pe(1) 34 }

        -- Evidence Claims Certificate Extension Syntax

        EvidenceClaims ::= SET SIZE (1..MAX) OF EVIDENCE-CLAIM

        END
   <CODE ENDS>

7.  Implementation Considerations

7.1.  API for requesting evidence from an attesting device

   While it is strictly outside the scope of this document to specify
   how a calling application can request evidence from a cryptographic
   device, two modes are suggested.

Ounsworth, et al.         Expires 14 April 2025                [Page 19]
Internet-Draft       PKI-based Attestation Evidence         October 2024

7.1.1.  Request by ID and claim profile

   In this mode, the calling application request evidence about a given
   entity -- for example, a given EnvID or a given KeyID -- and the
   cryptographic device assembles a PkixEvidenceStatement containing as
   many claims as it is able to populate.  Implementers may have named
   evidence profiles if it is desirable for the cryptographic device to
   respond with multiple different sets of claims.

7.1.2.  Request by claim set

   In this mode, the calling application pre-constructs a sequence of
   EVIDENCE-CLAIM which is passed in to the attesting device.  As a
   response, the attesting device returns a structure of type
   PkixEvidenceStatement which includes all the expected signatures.

   This mode is useful for attesting devices with more resources and
   used in situations where the supported evidence profiles may not be
   known during implementation.

   It is left to the implementer to choose the way that the desired
   claims are submitted to the attesting device, including which types
   of claims are recognized and how much information is provided by the
   caller.

   However, when using this mode: - an attesting device MUST reject the
   production of a PkixEvidenceStatement if any requested claim is not
   recognized; and, - an attesting device MUST reject the production of
   a PkixEvidenceStatement if any requested claim is not supported by
   the observed state (claim is deemed false).

   The use of this mode implies that the attesting device contains the
   logic necessary to interpret and verify the submitted claims.

8.  Privacy Considerations

8.1.  Publishing Evidence in a certificate

   The extension MUST NOT publish in the certificate any privacy-
   sensitive information that could compromise the end device.  What
   counts as privacy-sensitive will vary by use case.  For example,
   consider a few scenarios:

   First, consider a Hardware Security Module (HSM) backing a public
   code-signing service.  The model and firmware patch level could be
   considered sensitive as it could give an attacker an advantage in
   exploiting known vulnerabilities against un-patched systems.

Ounsworth, et al.         Expires 14 April 2025                [Page 20]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Second, consider a certificate issued to a end-user mobile computing
   device, any sort of unique identifier could be used as a super-cookie
   for tracking purposes.

   Third, consider small IoT devices such as un-patchable wireless
   sensors.  Here there may be no privacy concerns and in fact knowing
   exact hardware and firmware version information could help edge
   gateways to deny network access to devices with known
   vulnerabilities.

   Beyond that, a CA MUST have a configurable mechanism to control which
   information is to be copied from the provided Evidence into the
   certificate, for example this could be configured within a
   certificate profile or Certificate Practice Statement (CPS) and this
   must be considered on a case-by-base basis.  To protect end-user
   privacy, CA operators should err on the side of caution and exclude
   information that is not clearly essential for security verification
   by relying parties.  Avoiding unnecessary claims also mitigates the
   risk of targeted attacks, where an attacker could exploit knowledge
   of hardware versions, models, etc.

9.  Security Considerations

   This specification re-uses the claims from the EAT specification and
   relies on the security protection offered by digital signatures.
   This digital signature is computed with the Attestation Key available
   on the device, see Section 12.1 of [RFC9334] for considerations
   regarding the generation, the use and the protection of these
   Attestation Keys.  Since the Attester located at the end entity
   creates the Evidence with claims defined in this document.  This
   document inherits the remote attestation architecture described in
   [RFC9334].  With the re-use of the claims from [I-D.ietf-rats-eat]
   the security and privacy considerations apply also to this document
   even though the encoding in this specification is different from the
   encoding of claims discussed by [I-D.ietf-rats-eat].

   Evidence contains information that may be unique to a device and may
   therefore allow to single out an individual device for tracking
   purposes.  Deployments that have privacy requirements must take
   appropriate measures to ensure that claim values can only identify a
   group of devices and that the Attestation Keys are used across a
   number of devices as well.

Ounsworth, et al.         Expires 14 April 2025                [Page 21]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   To verify the Evidence, the primary need is to check the signature
   and the correct encoding of the claims.  To produce the Attestation
   Result, the Verifier will use Endorsements, Reference Values, and
   Appraisal Policies.  The policies may require that certain claims
   must be present and that their values match registered reference
   values.  All claims may be worthy of additional appraisal.

10.  IANA Considerations

   TBD: OIDs for all the claims listed in this document.

10.1.  OIDs for Evidence Claims Certificate Extension

   For the EvidenceClaims certificate extension in Section 6, IANA is
   requested to assign an object identifier (OID) for the certificate
   extension.  The OID for the certificate extension should be allocated
   in the "SMI Security for PKIX Certificate Extension" registry
   (1.3.6.1.5.5.7.1).

   For the ASN.1 Module in Section 6.1, IANA is requested to assign an
   object identifier (OID) for the module identifier.  The OID for the
   module should be allocated in the "SMI Security for PKIX Module
   Identifier" registry (1.3.6.1.5.5.7.0).

11.  References

11.1.  Normative References

   [I-D.ietf-rats-eat]
              Lundblade, L., Mandyam, G., O'Donoghue, J., and C.
              Wallace, "The Entity Attestation Token (EAT)", Work in
              Progress, Internet-Draft, draft-ietf-rats-eat-31, 6
              September 2024, <https://datatracker.ietf.org/doc/html/
              draft-ietf-rats-eat-31>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/rfc/rfc5280>.

Ounsworth, et al.         Expires 14 April 2025                [Page 22]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC9334]  Birkholz, H., Thaler, D., Richardson, M., Smith, N., and
              W. Pan, "Remote ATtestation procedureS (RATS)
              Architecture", RFC 9334, DOI 10.17487/RFC9334, January
              2023, <https://www.rfc-editor.org/rfc/rfc9334>.

11.2.  Informative References

   [I-D.ietf-lamps-csr-attestation]
              Ounsworth, M., Tschofenig, H., Birkholz, H., Wiseman, M.,
              and N. Smith, "Use of Remote Attestation with
              Certification Signing Requests", Work in Progress,
              Internet-Draft, draft-ietf-lamps-csr-attestation-11, 18
              September 2024, <https://datatracker.ietf.org/doc/html/
              draft-ietf-lamps-csr-attestation-11>.

   [RFC2986]  Nystrom, M. and B. Kaliski, "PKCS #10: Certification
              Request Syntax Specification Version 1.7", RFC 2986,
              DOI 10.17487/RFC2986, November 2000,
              <https://www.rfc-editor.org/rfc/rfc2986>.

   [RFC4211]  Schaad, J., "Internet X.509 Public Key Infrastructure
              Certificate Request Message Format (CRMF)", RFC 4211,
              DOI 10.17487/RFC4211, September 2005,
              <https://www.rfc-editor.org/rfc/rfc4211>.

   [RFC5912]  Hoffman, P. and J. Schaad, "New ASN.1 Modules for the
              Public Key Infrastructure Using X.509 (PKIX)", RFC 5912,
              DOI 10.17487/RFC5912, June 2010,
              <https://www.rfc-editor.org/rfc/rfc5912>.

   [RFC6268]  Schaad, J. and S. Turner, "Additional New ASN.1 Modules
              for the Cryptographic Message Syntax (CMS) and the Public
              Key Infrastructure Using X.509 (PKIX)", RFC 6268,
              DOI 10.17487/RFC6268, July 2011,
              <https://www.rfc-editor.org/rfc/rfc6268>.

   [RFC9344]  Asaeda, H., Ooka, A., and X. Shao, "CCNinfo: Discovering
              Content and Network Information in Content-Centric
              Networks", RFC 9344, DOI 10.17487/RFC9344, February 2023,
              <https://www.rfc-editor.org/rfc/rfc9344>.

   [X.680]    ITU-T, "Information technology -- Abstract Syntax Notation
              One (ASN.1): Specification of basic notation", n.d.,
              <https://www.itu.int/rec/T-REC-X.680>.

Ounsworth, et al.         Expires 14 April 2025                [Page 23]
Internet-Draft       PKI-based Attestation Evidence         October 2024

Appendix A.  Acknowledgements

   This specification is the work of a design team created by the chairs
   of the LAMPS working group.  This specification has been developed
   based on discussions in that design team.

   The following persons, in no specific order, contributed to the work:
   Richard Kettlewell, Chris Trufan, Bruno Couillard, Jean-Pierre Fiset,
   Sander Temme, Jethro Beekman, Zsolt Rózsahegyi, Ferenc Pető, Mike
   Agrenius Kushner, Tomas Gustavsson, Dieter Bong, Christopher Meyer,
   Michael StJohns, Carl Wallace, Michael Ricardson, Tomofumi Okubo,
   Olivier Couillard, John Gray, Eric Amador, Johnson Darren, Herman
   Slatman, Tiru Reddy, Thomas Fossati, Corey Bonnell, Argenius Kushner,
   James Hagborg.

Appendix B.  ASN.1 Module

   TBD: Full ASN.1 goes in here.

Authors' Addresses

   Mike Ounsworth
   Entrust Limited
   2500 Solandt Road – Suite 100
   Ottawa, Ontario  K2K 3G5
   Canada
   Email: mike.ounsworth@entrust.com

   Richard Kettlewell
   Entrust Limited
   United Kingdom
   Email: Richard.Kettlewell@entrust.com

   Jean-Pierre Fiset
   Crypto4A Technologies Inc.
   1550A Laperriere Ave
   Ottawa, Ontario  K1Z 7T2
   Canada
   Email: jp@crypto4a.com

   Hannes Tschofenig
   University of Applied Sciences Bonn-Rhein-Siegx
   Email: Hannes.Tschofenig@gmx.net

Ounsworth, et al.         Expires 14 April 2025                [Page 24]
Internet-Draft       PKI-based Attestation Evidence         October 2024

   Tirumaleswar Reddy
   Nokia
   Bangalore
   Karnataka
   India
   Email: kondtir@gmail.com

   Monty Wiseman
   Beyond Identity
   United States of America
   Email: monty.wiseman@beyondidentity.com

Ounsworth, et al.         Expires 14 April 2025                [Page 25]