3.1.5.3.1.3 Processing Details

If the AttestationOperatingMode on the server is HostKey and the received URI terminates with “/attest” or “/domainattest”, the server MUST return OperationModeErrorReply to the client.

If the AttestationOperatingMode on the server is HostKey, the URI terminates with “/hostkeyattest”, but AttestationProvidedContentType in the request does not contain VirtualSecureModeIdentityKey, HostKeyPublicKey, and HostKeySignature, the server MUST return PayloadErrorReply to the client.

If the request received is AttestationRequest, the server MUST perform the following:

The server MUST validate the HostKeyPublicKey against the list of authorized host keys on the server in an implementation-specific manner. If the key is valid, the HostKeySignature is validated against the HostKeyPublicKey.

If validation is successful, update AttestationHealthCertificate and do the following:

  • If AttestationResultType in AttestationRequest is VSMIdentityEncryptionKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of certified Virtual Secure Mode Identity Key for Encryption to the client.

  • If AttestationResultType in AttestationRequest is VSMIdentitySigningKeyCertificate (as specified in section 2.2.1.3), return HealthCertificateReply in the form of certified Virtual Secure Mode Identity Key for Signing to the client.

Otherwise, return UnauthorizedErrorReply to the client indicating that the host is not authorized.
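The following is an added illustration of the HostKey-mode rules above as a server-side dispatcher; it is not code from the protocol specification or from any implementation. The SHA-256 fingerprint allowlist, the pluggable `verify_signature` hook, the HMAC stand-in used as that hook, and the server-side reason strings are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, FrozenSet

# Names come from the section; the fingerprint allowlist and verifier hook are assumptions.
REQUIRED_CONTENT = frozenset(
    {"VirtualSecureModeIdentityKey", "HostKeyPublicKey", "HostKeySignature"})
RESULT_TO_KEY = {
    "VSMIdentityEncryptionKeyCertificate": "VSM Identity Key for Encryption",
    "VSMIdentitySigningKeyCertificate": "VSM Identity Key for Signing",
}

@dataclass(frozen=True)
class AttestationRequest:
    uri: str
    provided_content_types: FrozenSet[str]
    result_type: str
    host_key_public_key: bytes = b""
    host_key_signature: bytes = b""

def key_fingerprint(public_key: bytes) -> str:
    # Authorized host keys are held as SHA-256 fingerprints (assumed representation).
    return hashlib.sha256(public_key).hexdigest()

def process_host_key_mode(req: AttestationRequest, authorized_fingerprints: FrozenSet[str],
                          verify_signature: Callable[[bytes, bytes], bool]) -> tuple:
    # Returns (reply type, server-side reason) for a server whose mode is HostKey.
    if req.uri.endswith(("/attest", "/domainattest")):
        return ("OperationModeErrorReply", "endpoint not served in HostKey mode")
    if req.uri.endswith("/hostkeyattest") and not REQUIRED_CONTENT <= req.provided_content_types:
        return ("PayloadErrorReply", "request lacks required content types")
    # Allowlist first, then the signature against that same key; both failures give one wire reply.
    if key_fingerprint(req.host_key_public_key) not in authorized_fingerprints:
        return ("UnauthorizedErrorReply", "host key not in authorized list")
    if not verify_signature(req.host_key_public_key, req.host_key_signature):
        return ("UnauthorizedErrorReply", "HostKeySignature did not verify")
    if req.result_type not in RESULT_TO_KEY:
        raise ValueError("unknown AttestationResultType")  # assumption: case not covered above
    # AttestationHealthCertificate would be updated here before the reply is built.
    return ("HealthCertificateReply", RESULT_TO_KEY[req.result_type])

# Constructed stand-in for the signature check (HMAC with a demo secret), not the real scheme.
DEMO_SECRET = b"demo-only-secret"

def demo_sign(public_key: bytes) -> bytes:
    return hmac.new(DEMO_SECRET, public_key, hashlib.sha256).digest()

def demo_verify(public_key: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(public_key), signature)
```

The reason string is for the server's own log; only the reply type is meant to reach the client, so a rejected host cannot distinguish an unknown key from a bad signature.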