Doing Key Attestation Inside a FIPS Boundary and CA/B Forum BRs (G30c)
The CA/Browser Forum's Code Signing Baseline Requirements (effective June 1, 2023) require CAs to verify that the subscriber's private key resides in a FIPS 140-2 Level 2 or Common Criteria EAL 4+ cryptographic module before issuing a publicly trusted code-signing certificate. There is no standardized, automated way to attest to key residency, so verification today is a highly manual process. This talk covers lessons learned from the first three months of living under these BRs, and introduces a proposed IETF key attestation format that is entirely X.509-based and easy to implement within existing cryptographic modules.