FAQ
- What is an Attestation Certificate Authority?
- What is Supply Chain Risk Management and what role does the ACA play?
- What does the ACA do to provision a TPM?
- Is the ACA intended for use in an operational system?
- What capabilities is the ACA missing that a traditional CA would have?
- Does the ACA support both TPM version 1.2 and TPM version 2.0?
- What operating systems will the ACA support?
- What operating systems will the TPM provisioner (ACA client) support?
- What devices and/or specific TPMs has the TPM provisioner been tested on?
- How can I get involved with ACA development?
- What future capabilities are envisioned for the ACA?
What is an Attestation Certificate Authority?
The Attestation Certificate Authority (ACA) is a specialized Certificate Authority (CA) which supports the creation and issuance of an Attestation Identity Credential (AIC) per the Trusted Computing Group's specifications. The requirement for specialization is a result of the nature of the keys for which it is providing certificates, the formats of the requests and responses specified, and the details of the identity creation process that are crucial for maintaining the "chain of trust" on which the trusted use of a TPM is based.
What is Supply Chain Risk Management and what role does the ACA play?
Supply Chain Risk Management is the application of risk management processes to the movement of a product from the Original Equipment Manufacturer (OEM) to an end customer taking ownership of the product.
The ACA plays a role in the acceptance testing of the product/device after delivery of any Trusted Platform Module (TPM) enabled device. The ACA can be configured to validate both TPM Endorsement Credentials and Platform Credentials as part of the TPM provisioning process (the acceptance test) that it performs. The validation process can be used to verify the OEM of the devices and subcomponents in the process.
What does the ACA do to provision a TPM?
The ACA's main function is to create an Attestation Identity Credential for a device holding a TPM. There are a few policy options that the ACA Portal will support:
- Validation of the TPM's Endorsement or Platform Credentials
- Validate the Endorsement Credential (typical PKI Cert validation: signatures, expiration dates, etc.)
- Validate the Platform Credential (same basic certificate validation as the Endorsement Credential)
- Check Platform Credential parameters against the device holding the TPM (mainly motherboard and chassis serial numbers at this point).
- Check Firmware measurements provided by the OEM against the eventLog created by device startup.
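The last policy option above can be illustrated with a short sketch. This is an added example, not code from the ACA or the HIRS project; it goes one step beyond the list by also replaying the event log against the PCR values reported by the TPM, so that a rewritten log is caught as well as a changed measurement. Assumptions: the event log is simplified to (PCR index, label, SHA-256 digest) tuples, PCRs start as all zeros, the verifier has the TPM's reported PCR values, and every label and value is constructed.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def replay(event_log):
    """Fold each logged digest into its PCR: new = SHA-256(old || digest)."""
    pcrs = {}
    for index, _name, digest in event_log:
        pcrs[index] = sha256(pcrs.get(index, bytes(32)) + digest)  # assumed zero start
    return pcrs

def check_firmware(event_log, reference, reported_pcrs):
    """Return a list of findings; an empty list means the check passed."""
    findings = []
    # 1. The log must reproduce the PCR values the TPM reported, otherwise
    #    the log is incomplete or was edited after the measurements were made.
    for index, value in sorted(replay(event_log).items()):
        if reported_pcrs.get(index) != value:
            findings.append(f"PCR {index}: event log does not reproduce the TPM value")
    # 2. Every logged measurement must equal the OEM's reference digest.
    logged = set()
    for index, name, digest in event_log:
        logged.add((index, name))
        expected = reference.get((index, name))
        if expected is None:
            findings.append(f"PCR {index} {name}: no OEM reference measurement")
        elif expected != digest:
            findings.append(f"PCR {index} {name}: digest differs from OEM reference")
    # 3. Every reference measurement must actually appear in the log.
    for index, name in sorted(set(reference) - logged):
        findings.append(f"PCR {index} {name}: expected measurement missing from log")
    return findings

# Constructed sample data (hypothetical labels and contents, not real firmware).
REFERENCE = {
    (0, "firmware_volume"): sha256(b"constructed firmware image v1"),
    (0, "boot_config"): sha256(b"constructed setup data"),
    (2, "option_rom"): sha256(b"constructed option ROM"),
}
GOOD_LOG = [(i, n, d) for (i, n), d in REFERENCE.items()]
# Same boot with a changed firmware volume, as the TPM would have measured it.
CHANGED_LOG = [(0, "firmware_volume", sha256(b"constructed image, modified"))] + GOOD_LOG[1:]

if __name__ == "__main__":
    print(check_firmware(GOOD_LOG, REFERENCE, replay(GOOD_LOG)))        # clean boot
    print(check_firmware(CHANGED_LOG, REFERENCE, replay(CHANGED_LOG)))  # truthful log
    print(check_firmware(GOOD_LOG, REFERENCE, replay(CHANGED_LOG)))     # log rewritten
```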
Is the ACA intended for use in an operational system?
No. The ACA is a proof of concept prototype that is intended to demonstrate a capability for provisioning a TPM and supporting TCG defined supply chain validation. It does not have many features that an operational CA would require.
What capabilities is the ACA missing that a traditional CA would have?
An operational CA needs many security-related features that the ACA does not incorporate, such as (but not limited to):
- Support for user authentication and roles within the ACA (although this could be handled by a Tomcat connector to a third party authorization service)
- Support for a FIPS-approved Hardware Security Module (HSM) (although this could be supported by a Java security provider)
- Support for Attestation certificate revocation (although this could be handled by an intermediate CA)
Does the ACA support both TPM version 1.2 and TPM version 2.0?
Currently the ACA and TPM Provisioner support TPM 2.0 only.
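What operating systems will the ACA support?
Please refer to the Supported Platform section on the installation notes page.
What operating systems will the TPM provisioner (ACA client) support?
Please refer to the Supported Platform section on the installation notes page.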
What devices and/or specific TPMs has the TPM provisioner been tested on?
Manufacturer | Model | TPM |
---|---|---|
Dell | OptiPlex 9020 | STM 1.2.1.1 |
Dell | Latitude 5540 | STM ST33 TPHF |
Dell | PowerEdge R640 | Nuvoton RLS NPCT |
Dell | Precision 7520 | Nuvoton NPCT6xx |
Dell | OptiPlex 7040 | Nuvoton NPCT6xx |
HPE | ProLiant DL360p | Infineon 1.2.3.17 |
HP | EliteBook 850 G3 | Infineon SLB 9670 |
HP | ZBook Studio G9 | Infineon SLB9 |
How can I get involved with ACA development?
Currently we are accepting pull requests from the general public soon.
What future capabilities are envisioned for the ACA?
Future (planned) capabilities include:
- Security Protocols and Data Models (SPDM) support
- Network Gear (routers and switches) support