Add packed attestation optional firmware version attribute

index.bs

@@ -5827,23 +5827,51 @@ The attestation certificate MUST have the following fields/extensions:
     The extension MUST NOT be marked as critical.
 
     Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
-    Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
-
-    <pre>
-  30 21                                     -- SEQUENCE
-    06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
-    04 12                                   -- OCTET STRING
-      04 10                                 -- OCTET STRING
-        cd 8c 39 5c 26 ed ee de             -- AAGUID
-        65 3b 00 79 7d 03 ca 3c
-    </pre>
+    Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid.
 
 - The Basic Constraints extension MUST have the CA component set to [FALSE].
 
-- An Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension [[RFC5280]]
-    are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata services.
-    See, for example, the FIDO Metadata Service [[FIDOMetadataService]].
-
+Additionally, an Authority Information Access (AIA) extension with entry `id-ad-ocsp` and a CRL Distribution Point extension 
+    [[RFC5280]] are both OPTIONAL as the status of many attestation certificates is available through authenticator metadata
+    services. See, for example, the FIDO Metadata Service [[FIDOMetadataService]].
+
+The firmware of a particular authenticator model MAY be differentiated using the Extension OID `1.3.6.1.4.1.45724.1.1.5` 
+    (`id-fido-gen-ce-fw-version`). When present, this attribute contains an INTEGER with a non-negative value which is incremented for new
+    firmware release versions. The extension MUST NOT be marked as critical.
+
+For example, the following is an attestation certificate containing the above extension OIDs as well as required fields:
+
+~~~ pem
+-----BEGIN CERTIFICATE----- <!-- bikeshed emdash workaround -->
+MIIBzTCCAXOgAwIBAgIUYHS3FJEL/JTfFqafuAHvlAS+hDYwCgYIKoZIzj0EAwIw
+QTELMAkGA1UEBhMCVVMxFDASBgNVBAoMC1dlYkF1dGhuIFdHMRwwGgYDVQQDDBNF
+eGFtcGxlIEF0dGVzdGF0aW9uMCAXDTI0MDEwMzE3NDUyMVoYDzIwNTAwMTA2MTc0
+NTIxWjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLV2ViQXV0aG4gV0cxHDAaBgNV
+BAMME0V4YW1wbGUgQXR0ZXN0YXRpb24wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
+AATDQN9uaFFH4BKBjthHTM1drpb7gIuPod67qyF6UdL4qah6XUp6tE7Prl+DfQ7P
+YH9yMOOcci3nr+Q/jOBaWVERo0cwRTAhBgsrBgEEAYLlHAEBBAQSBBDNjDlcJu3u
+3mU7AHl9A8o8MBIGCysGAQQBguUcAQEFBAMCASowDAYDVR0TAQH/BAIwADAKBggq
+hkjOPQQDAgNIADBFAiA3k3aAUVtLhDHLXOgY2kRnK2hrbRgf2EKdTDLJ1Ds/RAIh
+AOmIblhI3ALCHOaO0IO7YlMpw/lSTvFYv3qwO3m7H8Dc
+-----END CERTIFICATE----- <!-- bikeshed emdash workaround -->
+~~~
+
+The attributes above are structured within this certificate as such:
+
+~~~ text
+30 21                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 04 -- OID 1.3.6.1.4.1.45724.1.1.4
+  04 12                                  -- OCTET STRING
+    04  10                               -- OCTET STRING
+      CD 8C 39 5C 26 ED EE DE            -- AAGUID cd8c395c-26ed-eede-653b-00797d03ca3c
+      65 3B 00 79 7D 03 CA 3C 
+
+30 12                                    -- SEQUENCE
+  06 0B 2B 06 01 04 01 82 E5 1C 01 01 05 -- OID 1.3.6.1.4.1.45724.1.1.4
+  04 03                                  -- OCTET STRING 
+    02 01                                -- INTEGER
+      2A                                 -- Firmware version: 42
+~~~
 
 ## TPM Attestation Statement Format ## {#sctn-tpm-attestation}