From c28d88a1d95989017acd64a1ecf78e0bfd1334a4 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 31 Mar 2016 13:34:54 +0200 Subject: [PATCH] add some documentation for attestation --- doc/Attestation.adoc | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 doc/Attestation.adoc diff --git a/doc/Attestation.adoc b/doc/Attestation.adoc new file mode 100644 index 0000000..818d457 --- /dev/null +++ b/doc/Attestation.adoc @@ -0,0 +1,20 @@ +Using Attestation +----------------- + +Attestation works through a special key slot called “f9” this comes +pre-loaded from factory with a key and cert signed by Yubico, but can be +overwritten. +After a key has been generated in a normal slot it can be attested by this +special key, this can be realised by using the yubico-piv-tool action attest: + + $ yubico-piv-tool --action=generate --slot=9a + ... + $ yubico-piv-tool --action=attest --slot=9a + +The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate: + +* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0 +* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer. +* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy +** Pin policy: 01 - never, 02 - once per session, 03 - always +** Touch policy: 01 - never, 02 - always, 03 - cached for 15s