Description
Steps (1) to (4) are described as follows:
(1) The Client Instance generates a key (Client Instance Key) and optional further attestations (that are out of scope) to prove its authenticity to the Client Attester.
(2) The Client Instance sends this data to the Client Attester in request for a Client Attestation JWT.
(3) The Client Attester validates the Client Instance Key and optional further data. It generates a signed Client Attestation JWT that is cryptographically bound to the Client Instance Key generated by the Client. Therefore, the attestation is bound to this particular Client Instance.
(4) The Client Attester responds to the Client Instance by sending the Client Attestation JWT.
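As an added worked example (this is not code from the draft or from this review), the following stdlib-only Go program models steps (1) to (4) end to end and then shows the one check the binding exists for: a relying party verifying that the `cnf` key inside the Client Attestation JWT is the Client Instance Key. The use of Ed25519, the `EdDSA` JWS algorithm, the `typ` value `oauth-client-attestation+jwt`, the `cnf`/`jwk` claim layout and the issuer URL are assumptions of this example and should be checked against the draft version in use; the "further attestations" of step (1) are out of scope and are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWK is the public half of the Client Instance Key as an OKP JWK (assumed format).
type JWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
}

var b64 = base64.RawURLEncoding

// signJWT builds a compact JWS (alg EdDSA) over the given claims.
func signJWT(priv ed25519.PrivateKey, typ string, claims map[string]any) (string, error) {
	hdr, err := json.Marshal(map[string]string{"alg": "EdDSA", "typ": typ})
	if err != nil {
		return "", err
	}
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// verifyJWT checks the EdDSA signature against pub and returns the claims.
func verifyJWT(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	body, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(body, &claims)
}

// Step (1): the Client Instance generates its Client Instance Key.
func clientGenerateKey() (JWK, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return JWK{}, nil, err
	}
	return JWK{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(pub)}, priv, nil
}

// Steps (2)-(4): the Client Attester receives the key, validates it (step 3) and
// returns a Client Attestation JWT whose "cnf" claim carries that key (step 4).
func attesterIssue(attesterPriv ed25519.PrivateKey, clientID string, key JWK, ttl time.Duration) (string, error) {
	x, err := b64.DecodeString(key.X)
	if err != nil || key.Kty != "OKP" || key.Crv != "Ed25519" || len(x) != ed25519.PublicKeySize {
		return "", errors.New("unsupported or malformed Client Instance Key")
	}
	claims := map[string]any{
		"iss": "https://attester.example", // assumed issuer identifier
		"sub": clientID,
		"exp": time.Now().Add(ttl).Unix(),
		"cnf": map[string]any{"jwk": key}, // the binding to this Client Instance
	}
	return signJWT(attesterPriv, "oauth-client-attestation+jwt", claims)
}

// boundTo is what a relying party does later: verify the attester's signature,
// reject expired attestations and compare cnf.jwk.x with the presented client key.
func boundTo(attesterPub ed25519.PublicKey, token string, clientPub ed25519.PublicKey) (bool, error) {
	claims, err := verifyJWT(attesterPub, token)
	if err != nil {
		return false, err
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() >= int64(exp) {
		return false, errors.New("attestation expired or missing exp")
	}
	cnf, _ := claims["cnf"].(map[string]any)
	jwk, _ := cnf["jwk"].(map[string]any)
	x, _ := jwk["x"].(string)
	raw, err := b64.DecodeString(x)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(raw, clientPub) == 1, nil
}

func main() {
	attesterPub, attesterPriv, _ := ed25519.GenerateKey(rand.Reader)
	key, clientPriv, _ := clientGenerateKey()
	token, err := attesterIssue(attesterPriv, "client-123", key, time.Hour)
	if err != nil {
		panic(err)
	}
	ok, _ := boundTo(attesterPub, token, clientPriv.Public().(ed25519.PublicKey))
	fmt.Println("attestation bound to this Client Instance:", ok)
}
```

The point the example makes concrete is that steps (1) to (4) only produce a credential; nothing on the wire in steps (2) and (4) is fixed here, which is exactly the gap the review below raises. Whatever transport is chosen, a relying party can only rely on the attestation if it can also check that the presenter holds the private half of the `cnf` key, which is the proof-of-possession step that follows this exchange.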
Steps (1) to (4) are OPTIONAL, while steps (2) and (4) are not described and hence cannot be implemented.
The current draft is only addressing a small part of the whole picture.
Alternatively, the Client Instance can be installed (downloaded) with one Client Attestation JWT that is already present.
Later on, the client will need to renew its original Client Attestation JWT before it expires.
The draft should either assume that the Client Attestation JWT is already present or should describe in detail how it can be obtained.
If only a rough description is provided (as is the case for the moment for steps (1) to (4)), steps (1) to (4) should be taken out of the figure placed on page 3 and moved into an informative annex. The same approach should be taken for the other alternative, when the Client Attestation JWT is already present when installing/downloading the client from a trusted source.