3.1.1.4.3.4.2.1 New Certificate Request with Key Attestation Statement
The request MUST be an ASN.1 DER-encoded PKCS10 request [RFC3852] that includes szOID_ENROLL_AIK_INFO, szOID_ENROLL_ATTESTATION_STATEMENT, and szOID_ENROLL_KSP_NAME attributes.
Subject-only attestation uses only the keyAttestation field in the Client_KeyAttestationStatement ADM element. The idBinding and aikOpaque fields are empty.
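The attribute requirement above can be checked on the receiving side before any attestation processing. The following is an added example, not part of the specification text or of any Microsoft code: it walks the DER structure of a PKCS10 request and reports which of the three attributes are absent. The dotted OID values are not given in this section and are taken from the Windows SDK header wincrypt.h (an assumption here). The function names and the sample request are constructed for illustration, and the check covers attribute presence only, not the contents of the attestation statement.

```python
# Assumption: the OID arcs below come from the Windows SDK's wincrypt.h, not from this page.
MS_ENROLL = bytes.fromhex("2b06010401823715")  # DER contents of 1.3.6.1.4.1.311.21
REQUIRED = {
    MS_ENROLL + b"\x27": "szOID_ENROLL_AIK_INFO",               # ...311.21.39
    MS_ENROLL + b"\x18": "szOID_ENROLL_ATTESTATION_STATEMENT",  # ...311.21.24
    MS_ENROLL + b"\x19": "szOID_ENROLL_KSP_NAME",               # ...311.21.25
}
# Constructed sample: skeleton request, empty subject/key/signature, dummy attribute values.
SAMPLE = bytes.fromhex("3046303f02010030003000a036"
    "301006092b06010401823715273103040100"
    "301006092b06010401823715183103040100"
    "301006092b06010401823715193103040100"
    "3000030100")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns its container")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # contents of a constructed element -> [(tag, value), ...]
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def missing_attestation_attrs(csr_der):
    """Names of the required attributes absent from the request's attributes [0]."""
    tag, request, end = read_tlv(csr_der, 0)
    parts = children(request) if tag == 0x30 and end == len(csr_der) else []
    if not parts:
        raise ValueError("not a PKCS#10 CertificationRequest SEQUENCE")
    present = set()
    for t, attrs in children(parts[0][1]):      # CertificationRequestInfo fields
        if t == 0xA0:                           # attributes [0] IMPLICIT SET OF
            for _, attr in children(attrs):
                kids = children(attr)
                if kids and kids[0][0] == 0x06:  # first member is the attribute OID
                    present.add(kids[0][1])
    return sorted(name for oid, name in REQUIRED.items() if oid not in present)
```

An empty list from `missing_attestation_attrs` means all three attributes are present; malformed or truncated DER raises `ValueError` instead of being treated as a pass.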