opencomputeproject · fdamato · May 27, 2026 · xiaoyuruan · May 29, 2026 · xiaoyuruan
diff --git a/specifications/device-identity-provisioning/cddl/attested-csr-eat.cddl b/specifications/device-identity-provisioning/cddl/attested-csr-eat.cddl
@@ -0,0 +1,67 @@
+; An Attested CSR EAT is one of two variants:
+;   - A CSR response, returned for a specific KeyPairID > 0.
+;   - A keypair-inventory (discovery) response, returned when the
+;     Requester specifies KeyPairID = 0.
+cwt-attested-csr-eat =
+  cwt-attested-csr-eat-csr /
+  cwt-attested-csr-eat-inventory
+
+cwt-attested-csr-eat-csr = {
+  ; Issuer claim is StringOrURI (tstr)
+  &(iss : 1) => tstr
+
+  ; Nonce claim is nonce-type = bstr .size (8..64)
+  ? &(nonce : 10) => bstr
+
+  ; Private Claims (they have to be < -65536 for rfc8392)
+
+  ; CSR bytestring
+  &(csr: -70001) => bstr
+
+  ; Attribute List of OIDs
+  &(attrib: -70002) => [+ $key-attributes-type]
+}
+
+; Discovery response payload returned when KeyPairID = 0 in the request.
+cwt-attested-csr-eat-inventory = {
+  &(iss : 1) => tstr
+
+  ? &(nonce : 10) => bstr
+
+  ; KeyPair Inventory private claim. Each entry pairs a KeyPairID
+  ; with the list of derivation-attribute OIDs that apply to it.
+  &(keypair-inventory: -70003) => [+ keypair-inventory-entry]
+}
+
+keypair-inventory-entry = [
+  keypair-id: 1..255,
+  attributes: [+ $key-attributes-type]
+]
+
+$key-attributes-type = tagged-oid-type
+
+signed-cwt = #6.18(COSE-Sign1-attested-csr)
+
+COSE-Sign1-attested-csr = [
+  protected: bstr .cbor protected-esc-header-map
+  unprotected: unprotected-esc-header-map
+  payload: bstr .cbor cwt-attested-csr-eat 
+  signature: bstr
+]
+
+protected-esc-header-map {
+  ; Well-defined header fields
+  &(alg-id: 1) => int
+  &(content-type: 3) => tstr / int
+  &(issuer-key-id: 4) => bstr
+  ; User-defined fields
+  * cose-label => cose-value
+}
+
+unprotected-esc-header-map = {
+  ; The Attestation Key's certificate chain is NOT carried here; the
+  ; Requester retrieves it via SPDM GET_CERTIFICATE for the slot
+  ; identified by SignerSlotIDParam.
+  * cose-label => cose-value
+}
+
diff --git a/specifications/device-identity-provisioning/cddl/envelope-signed-csr-eat.cddl b/specifications/device-identity-provisioning/cddl/envelope-signed-csr-eat.cddl
diff --git a/specifications/device-identity-provisioning/diag/attested-csr-eat-example.diag b/specifications/device-identity-provisioning/diag/attested-csr-eat-example.diag
@@ -0,0 +1,61 @@
+; ----------------------------------------------------------------------
+; Example: CSR response (returned when the Requester sent
+; GET_ATTESTED_CSR with a specific KeyPairID > 0). The payload
+; carries the CSR for the selected keypair along with the derivation-
+; attribute OIDs that apply to it.
+; ----------------------------------------------------------------------
+
+signed-cwt / 18([
+  / protected / <<{
+    / alg-id / 1 : 7,
+    / content-type / 3 : "application/eat+cbor",
+    ; SHA-384 digest of the Attestation Key (i.e. the SPDM Signing Key)
+    ; that produced this envelope signature.
+    / kid / 4 : h'1a2b3c4d5e6f70819203a4b5c6d7e8f900112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
+  }>>,
+  / unprotected / {},
+/ payload / <<{
+      / iss / 1 : "RT Alias Key",
+      / nonce / 10: h'AAAABBBBAAAABBBBAAAABBBB', 
+      / csr / -70001 :  h'59025630820252308201d9a003020102021431a4e0',
+      / attrib / -70002: [
+      / tagged-oid-type / 111(h'6086480186F84D010F046301')
+      ]
+  }>>,
+  / signature / h'FA45AAB345AB4988' 
+])
+
+; ----------------------------------------------------------------------
+; Example: discovery response (returned when the Requester sent
+; GET_ATTESTED_CSR with KeyPairID = 0). The payload omits the
+; CSR/attrib claims and instead carries the KeyPair Inventory claim,
+; which enumerates every supported KeyPairID and its derivation OIDs.
+; ----------------------------------------------------------------------
+
+signed-cwt / 18([
+  / protected / <<{
+    / alg-id / 1 : 7,
+    / content-type / 3 : "application/eat+cbor",
+    ; SHA-384 digest of the Attestation Key (i.e. the SPDM Signing Key)
+    ; that produced this envelope signature.
+    / kid / 4 : h'1a2b3c4d5e6f70819203a4b5c6d7e8f900112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
+  }>>,
+  / unprotected / {},
+  / payload / <<{
+      / iss / 1 : "RT Alias Key",
+      / nonce / 10 : h'AAAABBBBAAAABBBBAAAABBBB',
+      / keypair-inventory / -70003 : [
+        ; KeyPairID 1: IDevID, derived from First Mutable Code
+        [ 1, [ 111(h'6086480186F84D010F040602') ] ],
+        ; KeyPairID 2: LDevID, derived from Owner Entropy Fuse +
+        ;                      First Mutable Code
+        [ 2, [
+            111(h'6086480186F84D010F040601'),
+            111(h'6086480186F84D010F040602')
+        ] ],
+        ; KeyPairID 3: Owner-provisioned alias key
+        [ 3, [ 111(h'6086480186F84D010F040604') ] ]
+      ]
+  }>>,
+  / signature / h'FA45AAB345AB4988'
+])
diff --git a/specifications/device-identity-provisioning/diag/envelope-signed-csr-eat-example.diag b/specifications/device-identity-provisioning/diag/envelope-signed-csr-eat-example.diag
diff --git a/...g/diagrams/envelope_signed_csr.drawio.svg → ...isioning/diagrams/attested_csr.drawio.svg b/...g/diagrams/envelope_signed_csr.drawio.svg → ...isioning/diagrams/attested_csr.drawio.svg
diff --git a/...ope_signed_csr_non_self_signed.drawio.svg → ...s/attested_csr_non_self_signed.drawio.svg b/...ope_signed_csr_non_self_signed.drawio.svg → ...s/attested_csr_non_self_signed.drawio.svg