This document describes the format of the credential produced by the Parsec service as a key attestation credential for TPM-backed keys.
The Parsec service produces a blob of binary data as the response to a key attestation operation issued by a client. The service takes in a nonce from the client and uses it as the freshness value for the two attestation tokens it produces.
The attestation token produced by Parsec is a CBOR-encoded structure, namely a Combined Attestation Bundle (CAB). The full high-level format, in CDDL notation, is shown below.
parsecTpmAttestation = {
    "kat" => parsecTpmKeyStmtFormat,
    "pat" => parsecTpmPlatStmtFormat
}
The definition of parsecTpmKeyStmtFormat (the key attestation token) is given in a separate document, as is the definition of parsecTpmPlatStmtFormat (the platform attestation token).
The CAB produced by Parsec is then encapsulated in a Conceptual Message Wrapper (CMW), which is simply a CBOR-encoded array whose first element identifies the type of the second element. In this specific case the type is represented by the media type string application/vnd.parallaxsecond.key-attestation.tpm, and the second element is a byte string holding the CBOR-encoded CAB:
[
    "application/vnd.parallaxsecond.key-attestation.tpm",
    bytes .cbor parsecTpmAttestation
]
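The following Python is an added example, not Parsec's own code: it builds the wrapper described above and parses it strictly (exact array shape, expected media type, byte-string payload, no trailing bytes, CAB map with exactly "kat" and "pat"). It carries a minimal CBOR codec for byte strings, text strings, arrays and maps so it runs without the cbor2 package; the kat and pat values are constructed placeholder byte strings, since the real statement formats are defined in the separate documents.

```python
CMW_MEDIA_TYPE = "application/vnd.parallaxsecond.key-attestation.tpm"
_SIZES = {24: 1, 25: 2, 26: 4}  # CBOR additional-info values for 1/2/4-byte lengths

def _head(major, n):
    # Initial byte plus length argument; definite lengths up to 2^32 - 1 only.
    if n < 24:
        return bytes([(major << 5) | n])
    ai = next(a for a, s in _SIZES.items() if n < 1 << (8 * s))
    return bytes([(major << 5) | ai]) + n.to_bytes(_SIZES[ai], "big")

def cbor_encode(v):
    # Minimal encoder covering the types the CMW and CAB need: bstr, tstr, array, map.
    if isinstance(v, (bytes, str)):
        raw = v if isinstance(v, bytes) else v.encode()
        return _head(2 if isinstance(v, bytes) else 3, len(raw)) + raw
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError("unsupported type %s" % type(v).__name__)

def cbor_decode(buf, pos=0):
    # Returns (value, next_pos) for the same subset; unsupported headers raise KeyError.
    major, ai, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    n = ai if ai < 24 else int.from_bytes(buf[pos:pos + _SIZES[ai]], "big")
    pos += 0 if ai < 24 else _SIZES[ai]
    if major in (2, 3):
        return (buf[pos:pos + n] if major == 2 else buf[pos:pos + n].decode()), pos + n
    if major in (4, 5):
        items = []  # a map is decoded as alternating key/value items
        for _ in range(n * (2 if major == 5 else 1)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("unsupported CBOR major type %d" % major)

def wrap_cab(kat, pat):
    # CAB = {"kat": ..., "pat": ...}; CMW = [media type, bytes .cbor CAB].
    return cbor_encode([CMW_MEDIA_TYPE, cbor_encode({"kat": kat, "pat": pat})])

def unwrap_cab(cmw):
    # Strict parse: two-element array, expected media type, bstr payload, no trailing bytes.
    outer, end = cbor_decode(cmw)
    if (end != len(cmw) or not isinstance(outer, list) or len(outer) != 2
            or outer[0] != CMW_MEDIA_TYPE or not isinstance(outer[1], bytes)):
        raise ValueError("not a Parsec TPM key-attestation CMW")
    cab, end = cbor_decode(outer[1])
    if end != len(outer[1]) or not isinstance(cab, dict) or set(cab) != {"kat", "pat"}:
        raise ValueError("CAB must be a map with exactly the keys 'kat' and 'pat'")
    return cab
```

A verifier would hand the returned "kat" and "pat" byte strings to the parsers for the two statement formats and check them against the nonce it supplied.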