OpenPGP Attestation OID Arc

This document describes the OIDs present in the attestation certificates added to the OpenPGP module in YubiKey 5.2. For generating attestation certificates, you can use YubiKey Manager CLI (ykman) version 3.1.0 or higher.

Attestation cryptographically certifies that a given asymmetric key was generated on the device rather than imported. Because a key generated on the YubiKey never leaves it, a relying party can use the attestation to establish that no other copies of the private key exist. The Yubico OIDs in the generated attestation certificate carry contextual information about the device and the attested key.

Base Prefix

The Yubico base OID is shown below. The arc values in the following table are appended to it, after the product-type component (5 for OpenPGP), to form the OID of each extension.

1.3.6.1.4.1.41482

OpenPGP Arc Values

Number | Description | Encoding
1 | Cardholder Name | UTF8 String
2 | Whether generated on device | Integer (0 == imported, 1 == generated)
3 | Firmware version | Octet string (3 bytes): Major, Minor, Patch, e.g. 040300 for 4.3.0
4 | Fingerprint of the attested key (TAG C7/C8/C9) | Octet string, 20 bytes
5 | Generation date of the key (TAG CE/CF/D0) | Octet string, 4 bytes
6 | If the attested key is a SIG key, the current value of the Signature Counter | Integer
7 | Serial number of the device | Integer
8 | User Interaction Flag (UIF) if supported (TAG D6/D7/D8) | Octet string (1 byte): 00 - disabled; 01 - enabled; 02 - permanently enabled
9 | Form factor | Octet string (1 byte): 00 - not specified; 01 - USB A Keychain; 02 - USB A Nano; 03 - USB C Keychain; 04 - USB C Nano; 05 - Lightning
10 | FIPS | Octet string (1 byte)
11 | CSPN | Octet string (1 byte)

Sample OID with OpenPGP Type

Full prefix 1.3.6.1.4.1.41482.5

Extensions in the generated certificate:

OID | Type | Description
1.3.6.1.4.1.41482.5.1 | UTF-8 String | Cardholder name
1.3.6.1.4.1.41482.5.2 | Integer | Attested key's source: 0x00 = imported (not permitted); 0x01 = generated on device
1.3.6.1.4.1.41482.5.3 | Octet String (3) | YubiKey version number, e.g. 050303 = 5.3.3
1.3.6.1.4.1.41482.5.4 | Octet String (20) | Attested key's fingerprint
1.3.6.1.4.1.41482.5.5 | Octet String (4) | Attested key's generation date
1.3.6.1.4.1.41482.5.6 | Integer | Attested key's signature counter (if applicable)
1.3.6.1.4.1.41482.5.7 | Integer | YubiKey's serial number
1.3.6.1.4.1.41482.5.8 | Octet String (1) | User Interaction Flag (UIF): 0x00 = touch disabled; 0x01 = touch enabled; 0x02 = touch permanent; 0x03 = touch cached; 0x04 = touch permanent, cached
1.3.6.1.4.1.41482.5.9 | Octet String (1) | Form factor: 0x00 = Unspecified; 0x01 = USB-A Keychain; 0x02 = USB-A Nano; 0x03 = USB-C Keychain; 0x04 = USB-C Nano; 0x05 = USB-C/Lightning Keychain
1.3.6.1.4.1.41482.5.10 | Octet String (1) | FIPS Certified YubiKey
1.3.6.1.4.1.41482.5.11 | Octet String (1) | CSPN Certified YubiKey
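As an added worked example (not Yubico's code and not part of this document), the Python below decodes the extension values from the table into a structured record and applies a simple acceptance policy of the kind a relying party would run before trusting an attested OpenPGP key. It assumes the caller has already pulled each extension's DER value out of the attestation certificate (for instance from the `cryptography` package's UnrecognizedExtension.value) and that each value is DER-encoded with the universal tag the table names. The function names, the minimum-firmware policy and the sample bytes are constructed for illustration; treating the 4-byte generation date as a Unix timestamp is an assumption, not something this page states, so the code only exposes it as an integer.

```python
"""Decode Yubico OpenPGP attestation extensions (arc 1.3.6.1.4.1.41482.5).

Input: mapping of extension OID -> DER-encoded extnValue contents, e.g. the
UnrecognizedExtension.value bytes obtained when iterating the attestation
certificate's extensions with the `cryptography` package (assumed caller setup).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ARC = "1.3.6.1.4.1.41482.5"

# DER universal tags used by the encodings in the table
TAG_INTEGER, TAG_OCTET_STRING, TAG_UTF8_STRING = 0x02, 0x04, 0x0C

UIF_VALUES = {0: "touch disabled", 1: "touch enabled", 2: "touch permanent",
              3: "touch cached", 4: "touch permanent, cached"}
FORM_FACTORS = {0: "Unspecified", 1: "USB-A Keychain", 2: "USB-A Nano",
                3: "USB-C Keychain", 4: "USB-C Nano", 5: "USB-C/Lightning Keychain"}


def der_tlv(data: bytes) -> Tuple[int, bytes, bytes]:
    """Parse one DER TLV (short or long-form length); return (tag, value, rest)."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, length, pos = data[0], data[1], 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    if len(data) < pos + length:
        raise ValueError("value shorter than declared length")
    return tag, data[pos:pos + length], data[pos + length:]


def der_value(data: bytes, tag: int, size: Optional[int] = None) -> bytes:
    """Require exactly one TLV with the given tag (and fixed size, if any); return its contents."""
    got, value, rest = der_tlv(data)
    if got != tag or rest:
        raise ValueError(f"expected a single tag {tag:#04x}, got {got:#04x} with {len(rest)} trailing bytes")
    if size is not None and len(value) != size:
        raise ValueError(f"expected {size} bytes, got {len(value)}")
    return value


def der_int(data: bytes) -> int:
    # DER INTEGER is two's complement; a leading 0x00 keeps large positive values positive
    return int.from_bytes(der_value(data, TAG_INTEGER), "big", signed=True)


@dataclass
class OpenPGPAttestation:
    cardholder: Optional[str]
    generated_on_device: bool
    firmware: Tuple[int, int, int]
    fingerprint: str             # hex of the 20-byte fingerprint (tag C7/C8/C9)
    generation_date: int         # big-endian value of the 4-byte field (tag CE/CF/D0)
    signature_counter: Optional[int]
    serial: int
    uif: Optional[str]
    form_factor: str
    fips: Optional[int]          # raw byte of .10; the page does not define its values
    cspn: Optional[int]          # raw byte of .11; likewise


def decode_attestation(ext: Dict[str, bytes]) -> OpenPGPAttestation:
    """Decode the arc values per the table; .1, .6, .8, .10 and .11 may be absent."""
    def opt(n: int, fn):
        raw = ext.get(f"{ARC}.{n}")
        return None if raw is None else fn(raw)

    fw = der_value(ext[f"{ARC}.3"], TAG_OCTET_STRING, 3)
    return OpenPGPAttestation(
        cardholder=opt(1, lambda r: der_value(r, TAG_UTF8_STRING).decode("utf-8")),
        generated_on_device=der_int(ext[f"{ARC}.2"]) == 1,
        firmware=(fw[0], fw[1], fw[2]),
        fingerprint=der_value(ext[f"{ARC}.4"], TAG_OCTET_STRING, 20).hex(),
        generation_date=int.from_bytes(der_value(ext[f"{ARC}.5"], TAG_OCTET_STRING, 4), "big"),
        signature_counter=opt(6, der_int),
        serial=der_int(ext[f"{ARC}.7"]),
        uif=opt(8, lambda r: UIF_VALUES[der_value(r, TAG_OCTET_STRING, 1)[0]]),
        form_factor=FORM_FACTORS[der_value(ext[f"{ARC}.9"], TAG_OCTET_STRING, 1)[0]],
        fips=opt(10, lambda r: der_value(r, TAG_OCTET_STRING, 1)[0]),
        cspn=opt(11, lambda r: der_value(r, TAG_OCTET_STRING, 1)[0]),
    )


def policy_findings(att: OpenPGPAttestation, min_firmware=(5, 2, 0)) -> List[str]:
    """Reasons a relying party should reject or flag the attested key (empty list = accepted)."""
    findings = []
    if not att.generated_on_device:
        findings.append("key was imported, not generated on device")
    if att.firmware < min_firmware:  # tuple comparison: (5, 1, 9) < (5, 2, 0)
        findings.append("firmware %d.%d.%d below required minimum" % att.firmware)
    if att.uif == "touch disabled":
        findings.append("user interaction (touch) is disabled for this key")
    return findings


# Constructed sample extension values, DER-encoded per the table (not captured from a real device).
SAMPLE_EXTENSIONS = {
    f"{ARC}.1": b"\x0c\x0d" + b"Alice Example",                 # UTF8String, 13 bytes
    f"{ARC}.2": b"\x02\x01\x01",                                  # INTEGER 1 = generated on device
    f"{ARC}.3": b"\x04\x03\x05\x03\x03",                          # OCTET STRING 05 03 03 = 5.3.3
    f"{ARC}.4": b"\x04\x14" + bytes(range(20)),                   # 20-byte fingerprint
    f"{ARC}.5": b"\x04\x04" + (1700000000).to_bytes(4, "big"),    # 4-byte generation date
    f"{ARC}.6": b"\x02\x01\x2a",                                  # signature counter 42
    f"{ARC}.7": b"\x02\x04\x00\xbc\x61\x4e",                      # serial 12345678 (leading 0x00 keeps it positive)
    f"{ARC}.8": b"\x04\x01\x01",                                  # UIF 0x01 = touch enabled
    f"{ARC}.9": b"\x04\x01\x03",                                  # form factor 0x03 = USB-C Keychain
}

if __name__ == "__main__":
    att = decode_attestation(SAMPLE_EXTENSIONS)
    print(att)
    print("findings:", policy_findings(att))
```

The decoder is strict on purpose: each extension must contain exactly one TLV of the expected tag and, for the fixed-size octet strings, exactly the byte count the table gives, so a malformed or truncated extension raises instead of silently yielding a plausible-looking record. The .2 check is the one that actually carries the attestation guarantee; the firmware and touch checks are examples of additional policy a relying party might layer on top.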