OpenPGP Attestation OID Arc

This document describes the OIDs present in the attestation certificates added to the OpenPGP module in YubiKey 5.2. For generating attestation certificates, you can use YubiKey Manager CLI (ykman) version 3.1.0 or higher.

The concept of attestation is to cryptographically certify that a certain asymmetric key has been generated on device, and not imported. This can be used to prove that no other copies of the asymmetric key exist. Yubico OIDs within the generated attestation certificate include contextual information about the device and key attested to.

Base Prefix

The values in the table are added to the Yubico OID to identify the Yubico product type.

OpenPGP Arc Values

| Number | Description | Encoding |
|---|---|---|
| 1 | Cardholder Name | UTF8 String |
| 2 | Whether generated on device | Integer (0 == imported, 1 == generated) |
| 3 | Firmware version | Octet string (3 bytes), Major, Minor, Patch, like: 040300 for 4.3.0 |
| 4 | Fingerprint of the attested key (TAG C7/C8/C9) | Octet string, 20 bytes |
| 5 | Generation date of the key | Octet string, 4 bytes |
| 6 | If the attested key is a SIG key, the current value of the Signature Counter | |
| 7 | Serial number of the device | Integer |
| 8 | User Interaction Flag (UIF) if supported (TAG D6/D7/D8) | Octet string (1 byte), 00 - disabled, 01 - enabled, 02 - permanently enabled |
| 9 | Form factor | Octet string (1 byte), 00 - not specified, 01 - USB A Keychain, 02 - USB A Nano, 03 - USB C Keychain, 04 - USB C Nano, 05 - Lightning |
| 10 | FIPS | |
| 11 | CSPN | |

Sample OID with OpenPGP Type

Full prefix

Extensions in the generated certificate:

| OID | Type | Description |
|---|---|---|
| | UTF-8 String | Cardholder name |
| | Integer | Attested key’s source<br>- 0x00: imported (not<br>- 0x01: generated on device |
| | Octet String (3) | YubiKey version number<br>ex: 050303 = 5.3.3 |
| | Octet String (20) | Attested key’s fingerprint |
| | Octet String (4) | Attested key’s generation date |
| | Integer | Attested key’s signature counter (if applicable) |
| | Integer | YubiKey’s serial number |
| | Octet String (1) | User Interaction Flag (UIF)<br>- 0x00: touch disabled<br>- 0x01: touch enabled<br>- 0x02: touch permanent<br>- 0x03: touch cached<br>- 0x04: touch permanent, cached |
| | Octet String (1) | Form Factor<br>- 0x00: Unspecified<br>- 0x01: USB-A Keychain<br>- 0x02: USB-A Nano<br>- 0x03: USB-C Keychain<br>- 0x04: USB-C Nano<br>- 0x05: USB-C/Lightning Keychain |
| | Octet String (1) | FIPS Certified YubiKey |
| | Octet String (1) | CSPN Certified YubiKey |
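A relying party typically decodes these extension values and checks them against an enrolment policy. The following is an added example, not Yubico code: it assumes the values have already been extracted from a chain-validated attestation certificate and unwrapped from their ASN.1 encoding, and the dictionary keys and the policy thresholds are hypothetical.

```python
# Dict keys and the policy thresholds are hypothetical, chosen for this example.
UIF = {0x00: "touch disabled", 0x01: "touch enabled", 0x02: "touch permanent",
       0x03: "touch cached", 0x04: "touch permanent, cached"}
FORM_FACTOR = {0x00: "Unspecified", 0x01: "USB-A Keychain", 0x02: "USB-A Nano",
               0x03: "USB-C Keychain", 0x04: "USB-C Nano",
               0x05: "USB-C/Lightning Keychain"}


def _one_byte(raw, table, label):
    """Decode a 1-byte octet string through a lookup table, rejecting bad input."""
    if len(raw) != 1 or raw[0] not in table:
        raise ValueError(f"{label}: unexpected value {raw.hex()}")
    return raw[0], table[raw[0]]


def decode(fields):
    """Turn raw extension contents into typed values, following the tables above."""
    if fields["source"] not in (0, 1):
        raise ValueError("key source must be 0 (imported) or 1 (generated)")
    if len(fields["firmware"]) != 3:
        raise ValueError("firmware version must be exactly 3 bytes")
    out = {
        "generated_on_device": fields["source"] == 1,
        "firmware": tuple(fields["firmware"]),  # (major, minor, patch)
        "serial": fields["serial"],
        "form_factor": _one_byte(fields["form_factor"], FORM_FACTOR, "form factor")[1],
    }
    if "uif" in fields:  # the UIF extension is present only if supported
        out["uif_code"], out["uif"] = _one_byte(fields["uif"], UIF, "UIF")
    return out


def policy_violations(att, min_firmware=(5, 2, 0)):
    """Return the reasons an attested key fails the (hypothetical) enrolment policy."""
    problems = []
    if not att["generated_on_device"]:
        problems.append("key was imported, other copies may exist")
    if att["firmware"] < min_firmware:
        problems.append("firmware older than %d.%d.%d" % min_firmware)
    if att.get("uif_code", 0x00) == 0x00:  # a missing UIF is treated as disabled
        problems.append("touch is not required for this key")
    return problems


# Constructed sample values, not taken from a real certificate.
SAMPLE = {"source": 1, "firmware": bytes.fromhex("050303"), "serial": 12345678,
          "uif": b"\x02", "form_factor": b"\x03"}
IMPORTED = dict(SAMPLE, source=0, uif=b"\x00")
```

`policy_violations(decode(SAMPLE))` returns an empty list, while the `IMPORTED` variant is rejected both for the key's source and for the disabled touch requirement.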