3.1.5.2.1.3 Processing Details

If the AttestationOperatingMode on the server is AD and the received URI terminates with "/attest" or "/hostkeyattest", the server MUST return OperationModeErrorReply to the client.

If the AttestationOperatingMode on the server is AD and the received URI terminates with "/domainattest", but the received request is not valid for AD mode, the server MUST return PayloadErrorReply to the client.

If the request received is ADRequest, the server MUST perform the following:

  • Validate the client against the SecurityGroup in an implementation-specific manner.

  • If the client is part of SecurityGroup, update AttestationHealthCertificate and do the following:

    • If AttestationResultType in ADRequest is VSMIdentityEncryptionKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of certified Virtual Secure Mode Identity Key for Encryption to the client.

    • If AttestationResultType in ADRequest is VSMIdentitySigningKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of certified Virtual Secure Mode Identity Key for Signing to the client.

  • If the client is not part of SecurityGroup, return UnauthorizedErrorReply to the client indicating that the host is not authorized.

If the VSMIKD received is invalid, the server MUST return VirtualSecureModeErrorReply to the client.
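The AD-mode processing order above, written out as a server-side dispatch routine; this is an added illustration and not code from the specification or from any HGS implementation. The SecurityGroup check and the VSMIKD validation are implementation-specific, so they are modelled here as a membership callback and a pre-computed validity flag, and placing the VSMIKD check after the group check but before certificate issuance is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Reply names are the message names used in this section. Representing a reply as
# (reply_name, certified_key_kind) is an assumption for illustration, not the wire format.
OPERATION_MODE_ERROR = "OperationModeErrorReply"
PAYLOAD_ERROR = "PayloadErrorReply"
UNAUTHORIZED_ERROR = "UnauthorizedErrorReply"
VSM_ERROR = "VirtualSecureModeErrorReply"
HEALTH_CERT = "HealthCertificateReply"

# AttestationResultType values named in this section (see section 2.2.1.3).
KEY_KIND_BY_RESULT_TYPE = {
    "VSMIdentityEncryptionKeyCertificate": "Encryption",
    "VSMIdentitySigningKeyCertificate": "Signing",
}


@dataclass
class ADRequest:
    """Minimal stand-in for a parsed ADRequest (field layout is an assumption)."""
    client_id: str
    attestation_result_type: str
    vsmikd_valid: bool  # outcome of the implementation-specific VSMIKD validation


def handle_ad_mode_request(
    uri: str,
    request: Optional[ADRequest],  # None when the payload could not be parsed as a valid AD request
    is_in_security_group: Callable[[str], bool],
) -> Tuple[str, Optional[str]]:
    """Dispatch for a server whose AttestationOperatingMode is AD."""
    # TPM-mode and host-key endpoints are refused outright in AD mode.
    if uri.endswith("/attest") or uri.endswith("/hostkeyattest"):
        return (OPERATION_MODE_ERROR, None)
    if not uri.endswith("/domainattest"):
        raise ValueError("URI not covered by the AD-mode processing rules")
    # A /domainattest request that is not a valid ADRequest is a payload error.
    if request is None:
        return (PAYLOAD_ERROR, None)
    # Authorization precedes any key certification; fail closed.
    if not is_in_security_group(request.client_id):
        return (UNAUTHORIZED_ERROR, None)
    if not request.vsmikd_valid:
        return (VSM_ERROR, None)
    key_kind = KEY_KIND_BY_RESULT_TYPE.get(request.attestation_result_type)
    if key_kind is None:
        return (PAYLOAD_ERROR, None)  # assumption: unknown result type is not valid for AD mode
    # Updating AttestationHealthCertificate is an implementation detail elided here.
    return (HEALTH_CERT, key_kind)
```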