Key Attestation significantly reduces the cost of public certificate key ceremonies and key distribution, and massively increases the scale of digital identity applications.
Each Primus HSM is equipped with a CC EAL4+ certified keystore that protects a factory-installed root certificate and root key. The device then creates its own intermediary (device) key, whose certificate is signed by the root key. The intermediary key is in turn used to sign the attestation key and the timestamp key created for each partition. The attestation key is used to verify the key origin (i.e. that a new key has been generated on the particular HSM) and the key attributes. The timestamp key is used for generating qualified signatures or for applications of time-based key attributes.
This way, digital identity applications can automatically generate identities for users or devices and verify qualified signatures made with those identities, without additional procedures or external authorities. The origin and hardware protection of the keys remain guaranteed, at virtually zero marginal cost and at the limitless scale needed for IoT and personal identity applications.
The root certificate is available on our website and its hash on our support portal, allowing any user to verify and audit the chain of certificates.
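
The audit described above can be scripted with OpenSSL: pin the root certificate to the hash obtained over the separate channel, then check that the attestation certificate chains through the device (intermediary) certificate to that root. This is an added example, not the vendor's own tooling. It builds a constructed stand-in chain so it runs offline, and the file names, subjects and the use of SHA-256 for the published hash are assumptions.

```shell
#!/usr/bin/env bash
# Added example: constructed stand-in chain; subjects and file names are assumptions.

mk_csr() {  # $1 = dir, $2 = name: fresh key pair plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=demo-$2" 2>/dev/null
}

build_demo_chain() {  # $1 = dir: root -> device (intermediary) -> attestation
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
  mk_csr "$d" root && mk_csr "$d" device && mk_csr "$d" attest || return 1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/device.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/device.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/attest.csr" -CA "$d/device.pem" -CAkey "$d/device.key" \
    -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/attest.pem" 2>/dev/null
}

cert_sha256() {  # $1 = PEM certificate: lowercase hex SHA-256 of its DER encoding
  openssl x509 -in "$1" -noout -fingerprint -sha256 |
    cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# Returns 0 if trusted, 2 if the root does not match the pinned hash,
# 3 if the attestation certificate does not chain to that root.
verify_attestation_chain() {  # $1 root, $2 pinned hash, $3 device cert, $4 attestation cert
  [ -n "$2" ] && [ "$(cert_sha256 "$1")" = "$2" ] ||
    { echo "root hash mismatch" >&2; return 2; }
  openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$4" >/dev/null 2>&1 ||
    { echo "chain does not verify" >&2; return 3; }
}

demo_dir=$(mktemp -d)
build_demo_chain "$demo_dir"
pinned=$(cert_sha256 "$demo_dir/root.pem")  # stands in for the hash published out of band
verify_attestation_chain "$demo_dir/root.pem" "$pinned" \
  "$demo_dir/device.pem" "$demo_dir/attest.pem" && echo "attestation chain OK"
```

In a real audit the pinned value is copied from the second channel rather than computed from the downloaded certificate, since the check is only as strong as the independence of the two sources.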