3.2.2.6.2.1.2.6 Processing Rules for Providing a Challenge Response to an Initial Key Attestation Request

If processing of the initial key attestation request, as specified in section 3.2.2.6.2.1.2.5, is successful, the CA MUST create the response as shown below:

  1. The CA MUST generate a random secret of 32 bytes and encrypt the secret into a challenge using the szOID_ENROLL_ATTESTATION_STATEMENT attribute.

  2. The CA MUST encrypt the secret with a current CA exchange certificate private key and store it in the AttestationChallenge column of the Request table ([MS-CSRA] section 3.1.1.1.2).

  3. The CA MUST set the Request_Request_Flags column to CR_FLG_CHALLENGEPENDING as specified in [MS-CSRA] section 3.1.1.1.2.

  4. The CA MUST send a CMC full PKI response including a CA exchange certificate and its full chain.

  5. The CA MUST also include additional attributes as specified in section 2.2.2.8.1 where pdwDisposition is set to request pending (5).
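The five steps above modelled as CA-side bookkeeping, as an added example that is not part of the specification: the plaintext secret exists only transiently, the Request row keeps only the copy wrapped under the CA exchange key, and the response carries disposition 5. The flag bit value, the column and field names, and the `xor_keystream` stand-in for both encryptions are constructed placeholders, not values from [MS-WCCE] or [MS-CSRA].

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Placeholder values: the real CR_FLG_CHALLENGEPENDING bit is defined in
# [MS-CSRA] section 3.1.1.1.2; only the disposition value 5 comes from the text.
CR_FLG_CHALLENGEPENDING = 0x1
DISPOSITION_PENDING = 5

@dataclass
class RequestRow:
    """Subset of the Request table columns touched by steps 2 and 3."""
    request_id: int
    request_flags: int = 0
    attestation_challenge: bytes = b""

@dataclass
class PendingResponse:
    """Model of the CMC full PKI response the CA returns (steps 4 and 5)."""
    disposition: int
    exchange_cert_chain: list[bytes]
    challenge: bytes
    attributes: dict = field(default_factory=dict)

def create_challenge_response(row: RequestRow,
                              encrypt_for_client: Callable[[bytes], bytes],
                              encrypt_with_exchange_key: Callable[[bytes], bytes],
                              exchange_chain: list[bytes]) -> PendingResponse:
    secret = secrets.token_bytes(32)                      # step 1: 32-byte random secret
    challenge = encrypt_for_client(secret)                # step 1: secret -> challenge
    row.attestation_challenge = encrypt_with_exchange_key(secret)  # step 2: wrapped copy only
    row.request_flags |= CR_FLG_CHALLENGEPENDING         # step 3: mark request pending
    attrs = {"pdwDisposition": DISPOSITION_PENDING}      # step 5: pending (5)
    return PendingResponse(DISPOSITION_PENDING, list(exchange_chain), challenge, attrs)

def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Reversible stand-in for the two encryptions; NOT a real cipher, demo only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def demo() -> tuple[RequestRow, PendingResponse]:
    row = RequestRow(request_id=42)                       # constructed request
    chain = [b"constructed-exchange-cert", b"constructed-root-cert"]
    resp = create_challenge_response(
        row,
        lambda s: xor_keystream(b"client-ek-stand-in", s),
        lambda s: xor_keystream(b"ca-exchange-key-stand-in", s),
        chain)
    return row, resp
```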