Extensible Key Attestation for Cryptographic Modules (G31b)
Recently, there has been renewed interest in key attestation, driven by the Certificate Authority/Browser (CA/B) Forum requirement that code signing keys be stored in hardware security modules (HSMs). Establishing traceability of keys in cloud deployments, particularly those involving multiple vendors, can be difficult. This discussion outlines the design challenges that key attestation protocols face in supporting post-quantum cryptography (PQC) algorithms, evolving security policies, and cloud deployments. It proposes several guiding principles to address those challenges. Finally, an extensible approach to key attestation is outlined.