From 0f1fe34c28917b3221190135a080bb96c03243db Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Tue, 24 May 2016 15:28:08 +0200 Subject: [PATCH] move extensions used to other attestation doc --- doc/Attestation.adoc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/doc/Attestation.adoc b/doc/Attestation.adoc index 818d457..9f03f39 100644 --- a/doc/Attestation.adoc +++ b/doc/Attestation.adoc @@ -1,6 +1,8 @@ Using Attestation ----------------- +This feature is only available in YubiKey 4.3 and newer. + Attestation works through a special key slot called “f9” this comes pre-loaded from factory with a key and cert signed by Yubico, but can be overwritten. @@ -11,10 +13,4 @@ special key, this can be realised by using the yubico-piv-tool action attest: ... $ yubico-piv-tool --action=attest --slot=9a -The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate: - -* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0 -* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer. -* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy -** Pin policy: 01 - never, 02 - once per session, 03 - always -** Touch policy: 01 - never, 02 - always, 03 - cached for 15s +The output of this is a PEM encoded certificate, signed by the key in slot f9.
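Review bot: in the first hunk (@@ -1,6 +1,8 @@) the new sentence "This feature is only available in YubiKey 4.3 and newer." is dropped as a stand-alone line between the title underline and the paragraph that explains the f9 slot; folding it into that paragraph would let the requirement and the mechanism read together, and while touching that paragraph the run-on context line "Attestation works through a special key slot called “f9” this comes pre-loaded from factory" needs a full stop or comma after “f9”.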
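Review bot: in the second hunk (@@ -11,10 +13,4 @@) the extension list is deleted but nothing tells the reader where it went: the subject says the extensions were moved to another attestation document, yet this patch touches only doc/Attestation.adoc (1 file changed), so either the destination file belongs in the same commit or the surviving line "The output of this is a PEM encoded certificate, signed by the key in slot f9." should end with a pointer to that document. As it stands, anyone verifying an attestation certificate from this page loses the firmware-version, serial-number and PIN/touch-policy OIDs (1.3.6.1.4.1.41482.3.3, .3.7 and .3.8) and their encodings with no indication that they are documented elsewhere.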