OpenPGP Attestation OID Arc
This document describes the OIDs present in the attestation certificates added to the OpenPGP module in YubiKey 5.2. For generating attestation certificates, you can use YubiKey Manager CLI (ykman) version 3.1.0 or higher.
The concept of attestation is to cryptographically certify that a certain asymmetric key has been generated on device, and not imported. This can be used to prove that no other copies of the asymmetric key exist. Yubico OIDs within the generated attestation certificate include contextual information about the device and key attested to.
Base Prefix
The values in the table are added to the Yubico OID to identify the Yubico product type.
1.3.6.1.4.1.41482
OpenPGP Arc Values
| Number | Description | Encoding |
|---|---|---|
| 1 | Cardholder Name | UTF8 String |
| 2 | Whether generated on device | Integer (0 == imported,
1 == generated)
|
| 3 | Firmware version | Octet string (3 bytes),
Major, Minor, Patch, like:
040300 for 4.3.0
|
| 4 | Fingerprint of the attested
key (TAG C7/C8/C9)
|
Octet string, 20 bytes |
| 5 | Generation date of the key
(TAG CE/CF/D0)
|
Octet string, 4 bytes |
| 6 | If the attested key is a SIG
key, the current value of the
Signature Counter
|
Integer |
| 7 | Serial number of the device | Integer |
| 8 | User Interaction Flag (UIF)
if supported (TAG D6/D7/D8)
|
Octet string (1 byte),
00 - disabled, 01 - enabled,
02 - permanently enabled
|
| 9 | Form factor | Octet string (1 byte)
00 - not specified,
01 - USB A Keychain,
02 - USB A Nano,
03 - USB C Keychain,
04 USB C Nano, 05 Lightning
|
| 10 | FIPS | |
| 11 | CSPN |
Sample OID with OpenPGP Type
Full prefix 1.3.6.1.4.1.41482.5
Extensions in the generated certificate:
| OID | Type | Description |
|---|---|---|
| 1.3.6.1.4.1.41482.5.1 | UTF-8 String | Cardholder name |
| 1.3.6.1.4.1.41482.5.2 | Integer | Attested key’s source
- 0x00: imported (not
permitted)
- 0x01: generated on device
|
| 1.3.6.1.4.1.41482.5.3 | Octet String (3) | YubiKey version number
ex: 050303 = 5.3.3
|
| 1.3.6.1.4.1.41482.5.4 | Octet String (20) | Attested key’s fingerprint |
| 1.3.6.1.4.1.41482.5.5 | Octet String (4) | Attested key’s generation date |
| 1.3.6.1.4.1.41482.5.6 | Integer | Attested key’s signature
counter (if applicable)
|
| 1.3.6.1.4.1.41482.5.7 | Integer | YubiKey’s serial number
|
| 1.3.6.1.4.1.41482.5.8 | Octet String (1) | User Interaction Flag (UIF)
- 0x00: touch disabled
- 0x01: touch enabled
- 0x02: touch permanent
- 0x03: touch cached
- 0x04: touch permanent,
cached
|
| 1.3.6.1.4.1.41482.5.9 | Octet String (1) | Form Factor
- 0x00: Unspecified
- 0x01: USB-A Keychain
- 0x02: USB-A Nano
- 0x03: USB-C Keychain
- 0x04: USB-C Nano
- 0x05: USB-C/Lightning
Keychain
|
| 1.3.6.1.4.1.41482.5.10 | Octet String (1) | FIPS Certified YubiKey |
| 1.3.6.1.4.1.41482.5.11 | Octet String (1) | CSPN Certified YubiKey |