Hardware Attestation for Email Sender Verification

1.1. Design Principles

The following principles guide the design of this specification and are referenced throughout the document:¶

Automated-Sender Focus

This specification targets AI agents, bots, and autonomous systems. It is not intended for individual human users (see Section 3). The privacy trade-offs are acceptable for automated senders but disproportionate for human correspondence.¶

Transport Independence

The attestation formats defined herein -- the CMS attestation bundle and the SD-JWT trust proof -- are self-contained data structures that can be carried in any protocol capable of transporting octet strings. This document specifies the email transport binding; Appendix D discusses applicability to HTTP and other protocols.¶

Federated Issuance

Any organisation that owns a DNS domain can operate as an Issuer. No central authority or coordination is required beyond DNS ownership. This mirrors the federated model of email itself (see Section 4.5).¶

Inclusive Trust Tiers

Agents with genuine hardware security components receive the highest trust, but agents with virtual hardware or software-only keys can still participate at lower trust tiers, building reputation over time. This inclusivity avoids an all-or-nothing barrier to adoption.¶

Reputation as the Goal

Sybil resistance is a means, not an end. The persistent, hardware-anchored identities defined here exist to enable receiving systems to build and query reputation over time, rewarding good behaviour and flagging bad.¶

Dual Trust Anchors

Both attestation modes deliberately provide the agent identity (aid) and the hardware certificate or fingerprint together. Verifiers MAY choose which anchor to use as their basis for trust decisions: the identity is the primary key for reputation tracking and persists across hardware migrations, while the hardware fingerprint is IdP-independent and verifiable offline against manufacturer root CAs. Some verifiers will prefer the identity (for accumulated reputation), others will prefer the hardware (for IdP-independent assurance or cross-IdP correlation), and high-assurance scenarios may require both. This dual provision is intentional, not redundant.¶

1.2. Requirements Language

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶

1.3. Terminology

Hardware Attestation Mechanism

A tamper-resistant hardware or firmware component capable of protecting private keys and producing cryptographic attestation statements verifiable to a manufacturer or platform Certificate Authority. Examples include TPM 2.0 devices (discrete and firmware), PIV tokens (e.g., YubiKey), and virtual TPMs. This document also accommodates software-managed keys at a lower trust tier for agents that lack hardware security components but wish to participate in the reputation ecosystem.¶

TPM

Trusted Platform Module, as specified by the Trusted Computing Group (TCG) [TCG-TPM2]. This document assumes TPM 2.0. A TPM may be a discrete chip, a firmware implementation (Intel PTT, AMD fTPM), or a virtual instance provided by a hypervisor.¶

EK

Endorsement Key. A unique RSA or ECC key pair generated inside the TPM at manufacturing time, as profiled in [TCG-EK-PROFILE]. The EK private key never leaves the TPM. The EK certificate is signed by the chip manufacturer's CA and serves as the persistent hardware identity for the device.¶

AK

Attestation Key. A signing key created inside a hardware security component, certified against the device's identity key (EK for TPM, attestation certificate for PIV) to prove it resides in the same device. In this specification, the AK SHOULD be created as a transient object and SHOULD NOT be persisted in non-volatile storage, to avoid consuming limited hardware resources. See Section 4.4.¶

Identity Certificate

The manufacturer-issued certificate that identifies a specific hardware security component. For TPMs, this is the EK certificate. For PIV tokens, this is the device attestation certificate. The SHA-256 hash of the SubjectPublicKeyInfo DER encoding from this certificate serves as the hardware fingerprint. The fingerprint is derived from the public key structure rather than the certificate as a whole, so that the fingerprint remains stable if the manufacturer reissues the certificate (e.g., to extend validity or update metadata) without changing the underlying key pair.¶

Manufacturer CA

The Certificate Authority operated by the hardware manufacturer (e.g., Intel, AMD, Infineon, Yubico) that signs identity certificates. Root CA certificates are publicly available.¶

Agent Identity

A persistent, globally unique identifier for an autonomous agent, expressed as a URN in the "aid" namespace (Section 4.1). Agent identities are assigned by issuers and are bound to specific hardware via the issuer's anti-Sybil registry.¶

Issuer

An entity that verifies hardware attestation evidence, maintains an anti-Sybil registry (ensuring one hardware device maps to at most one identity), and issues trust assertions (e.g., SD-JWTs) about enrolled agents. An Issuer is OPTIONAL for Mode 1 (Direct Hardware Attestation) and REQUIRED for Mode 2 (SD-JWT Trust Proof). See Section 4.5 for discovery and the federated issuance model.¶

Trust Tier

A classification of an agent's hardware trust level, assigned by an Issuer. Defined tiers are grouped into three compatibility classes, ordered from strongest to weakest anti-Sybil resistance: (a) "sovereign" (genuine non-virtual hardware TPM or discrete security chip) and "portable" (PIV smart card such as YubiKey) -- manufacturer-attested, persistent identity; (b) "virtual" (hypervisor-provided virtual TPM) and "enclave" (hardware enclave such as Apple Secure Enclave) -- key isolation without anti-Sybil guarantee, as both device types can be re-keyed at will; (c) "declared" (software-only key, no hardware attestation). Verifiers use trust tiers to apply differentiated policy. For identities with multiple enrolled devices of different types, Issuers that support multi-device identities MAY report the trust tier of the device used for the most recent attestation rather than a static assignment. Verifiers SHOULD therefore expect the same agent identity URN to appear with different trust tier values over time.¶

Sybil Attack

An attack where a single adversary creates many pseudonymous identities to subvert a reputation or trust system.¶

4.1. Agent Identity Format

Agent identities in this specification use the URN format defined in [RFC8141] with the "aid" (Agent Identity) namespace identifier.¶

aid-urn          = "urn:aid:" issuer-namespace ":" agent-id

issuer-namespace = dns-label *("." dns-label)
dns-label        = let-dig *(let-dig-hyp) let-dig / let-dig
let-dig          = ALPHA / DIGIT
let-dig-hyp      = ALPHA / DIGIT / "-"

agent-id         = dns-label

The issuer-namespace uses reverse DNS notation to identify the organisation that enrolled the agent and verified its hardware. The agent-id is assigned by the Issuer and MUST be unique within that Issuer's namespace.¶

The agent-id MUST conform to DNS label syntax ([RFC1035] Section 2.3.1): lowercase ASCII letters, digits, and hyphens, not beginning or ending with a hyphen, maximum 63 octets. Internationalised agent identifiers MUST use the "xn--" ACE prefix encoding defined in [RFC5891]. Underscores MUST NOT appear in the agent-id.¶

Examples:¶

• urn:aid:com.1id:1id-ty62muvf¶
• urn:aid:com.anthropic:claude-prod-7x9k¶
• urn:aid:io.openai:gpt4-instance-42¶

URN equivalence follows [RFC8141] Section 3: the "urn" scheme and "aid" NID are case-insensitive; the issuer-namespace and agent-id are case-sensitive (and MUST be lowercase).¶

Agent identities are persistent by design: an Issuer MUST NOT reassign an agent-id to a different entity, even after the original identity is revoked or expired. This persistence is essential for reputation systems that accumulate trust signals over the lifetime of an identity. See Section 4.2 for the rules governing the relationship between agent identities and hardware devices.¶

4.2. Identity-to-Hardware Cardinality

The agent identity URN (aid) and the hardware fingerprint serve as dual trust anchors (see "Dual Trust Anchors" in Section 1.1). The aid is the primary, stable identifier for reputation tracking. The hardware fingerprint anchors the identity to physical hardware and is independently verifiable against manufacturer root CAs. Both are provided together in attestation headers so that verifiers may choose which anchor to base trust decisions on. The relationship between these two identifiers is governed by the following rules:¶

Many hardware devices MAY back one agent identity

An Issuer MAY bind additional hardware devices to an existing agent identity over time, to support legitimate hardware migration (e.g., retiring old servers, replacing failed TPMs), secure backup and recovery (e.g., a YubiKey stored in a safe), or adding capacity for a high-volume sending agent. This does not amplify reputation: a single agent identity has a single reputation regardless of how many devices back it. If the identity is flagged for abuse, all devices associated with it are equally affected. The Issuer SHOULD require the agent to prove control of the existing identity (e.g., by signing with the previously enrolled hardware) before accepting a new device. Verifiers that track both the aid and the hardware fingerprint SHOULD expect that a given aid may appear with different hardware fingerprints over its lifetime.¶

Each device bound to an agent identity is permanently associated with that identity. An Issuer MAY disable a device (preventing it from producing valid attestations) but MUST NOT remove the device-to-identity binding. A disabled device remains counted against the identity and MUST NOT be re-enrolled under any other agent-id, even after disablement. This permanence prevents reputation laundering via device recycling.¶

An Issuer MUST enforce trust tier compatibility when binding additional devices: all hardware devices backing a single agent identity MUST be of comparable trust tier. The defined compatibility groups are: (a) sovereign (typ=TPM) and portable (typ=PIV) are compatible and MAY back the same identity, as both provide manufacturer-attested, tamper-resistant key storage; (b) virtual (typ=VRT) and enclave (typ=ENC) are compatible and MAY back the same identity, as neither provides anti-Sybil guarantees (virtual TPMs can be instantiated freely by the hypervisor operator, and hardware enclaves lack a manufacturer attestation PKI that would prevent re-keying); (c) declared (typ=SFT) MUST NOT be bound to an identity that has any other device type. No cross-group mixing is permitted: a device from group (a) MUST NOT coexist with a device from group (b) or (c), and vice versa.¶

Upgrading an identity from a lower group to a higher group (e.g., from group (b) to group (a), or from group (c) to either hardware group) requires the permanent and mandatory burning (retirement) of ALL devices from the former group as part of the upgrade ceremony. The Issuer MUST NOT permit the identity to retain devices from both groups simultaneously at any point during or after the upgrade. Additionally, upgrades that cross group boundaries MUST include a co-presence cryptographic verification between the existing device and the new device to ensure that the same human or operator controls both. Downgrading from a higher group to a lower group (e.g., from group (a) to group (b)) is forbidden; the Issuer MUST reject any device addition that would constitute a downgrade.¶

When an identity has multiple devices of compatible but different types (e.g., one sovereign TPM and one portable PIV), the trust_tier disclosed in attestation tokens (Mode 2) or the typ parameter in attestation headers (Mode 1) reflects the specific device used for that attestation, not a static property of the identity. Verifiers SHOULD therefore expect the same agent identity URN to appear with different trust tier values across different messages.¶

One hardware device MUST NOT back multiple agent identities from the same Issuer

An Issuer MUST NOT enroll the same hardware device (identified by its identity certificate public key hash) under more than one agent-id within that Issuer's namespace. This is the fundamental anti-Sybil invariant: it ensures that creating N agent identities requires N distinct hardware devices. Issuers MUST maintain a registry mapping identity certificate public key hashes to agent-ids and MUST reject enrollment attempts that would violate this constraint. This binding is permanent: once a hardware device has been bound to an agent identity, it MUST NOT be reassigned to a different agent identity, even if it is later disabled or removed from the original identity. An Issuer MAY disable a hardware device (preventing it from being used for attestation) but MUST NOT permit that device to be enrolled under any other agent-id. This prevents reputation laundering attacks where a flagged device is removed from a bad-reputation identity and enrolled under a fresh identity.¶

Cross-Issuer binding is permitted

A single hardware device MAY be enrolled with multiple independent Issuers, each assigning its own agent-id. This is by design: Issuers are independent authorities, and the anti-Sybil invariant is scoped to a single Issuer's namespace. Cross-Issuer duplication is trivially detectable by any verifier that tracks hardware fingerprints: the same fingerprint appearing under multiple agent identities from different Issuers reveals the shared hardware. Verifiers MAY apply policy based on this signal (e.g., treating the device as lower trust if it maintains identities with many Issuers simultaneously).¶

Because the agent identity is the stable reputation anchor, verifiers SHOULD use the aid URN as the primary key for reputation systems. The hardware fingerprint serves as a secondary signal: it provides Sybil resistance at the hardware layer and enables reputation tracking for agents that do not present an aid.¶

4.3. Hardware Attestation Mechanisms

This specification supports multiple hardware security technologies through a common abstraction. Each mechanism provides an identity certificate and a signing capability (used for per-message attestation). For sovereign and portable tiers, the identity certificate is signed by the hardware manufacturer; for enclave and virtual tiers, the identity certificate is issued by the Issuer. The hardware type is declared in the attestation header via the "typ" parameter.¶

Additional hardware types MAY be defined in future specifications by registering new "typ" values with IANA (see Section 13).¶

For TPM-based attestation (typ=TPM), the identity certificate is the Endorsement Key (EK) certificate, provisioned at manufacturing time and stored in the TPM's non-volatile memory. The EK certificate chains to the TPM manufacturer's root CA (e.g., Intel, AMD, Infineon).¶

For PIV-based attestation (typ=PIV), the identity certificate is the device attestation certificate issued by the token manufacturer (e.g., Yubico). The signing key is a PIV authentication key resident on the token.¶

For hardware enclave attestation (typ=ENC), the signing key resides in a tamper-resistant hardware enclave integrated into the device's system-on-chip (e.g., the Secure Enclave Processor on Apple silicon). Unlike discrete TPMs and PIV tokens, hardware enclaves do not provide manufacturer-issued identity certificates with a chain to a publicly available root CA, and critically, they do not support persistent attestation identities: the enclave key can be destroyed and regenerated at will by the device owner. This means hardware enclaves provide NO anti-Sybil guarantee -- a single device can generate an unlimited number of distinct enclave keys over time. For this reason, the "enclave" trust tier is placed in the same compatibility group as virtual TPMs (typ=VRT), which share the same re-keying limitation. The identity certificate for typ=ENC is issued by the Issuer at enrollment time after verifying that the key was generated inside the enclave using a trust-on-first-use (TOFU) model. Note that the Secure Enclave performs internal hashing (ECDSA with SHA-256 over the raw input rather than a pre-hashed digest); implementations MUST pass the raw attestation-input bytes (72 bytes) to the enclave signing function, NOT the attestation-digest.¶

For virtual TPM attestation (typ=VRT), the identity certificate is the vTPM's EK certificate, signed by the hypervisor vendor's CA (e.g., VMware, Microsoft). Verifiers MUST distinguish virtual from physical hardware; see Section 8.3 for Sybil resistance implications.¶

For software-only attestation (typ=SFT), the signing key is a software-managed key pair with no hardware protection. The identity certificate is issued by the Issuer at enrollment time. Software-only attestation provides no hardware-based Sybil resistance but allows agents to participate in the reputation ecosystem at a lower trust tier. A legitimate agent that protects its key and builds reputation over time can achieve meaningful trust even without hardware backing.¶

4.4. Transient Key Model

For TPM-based attestation, this specification RECOMMENDS a transient key model in which the Attestation Key (AK) is created as a transient TPM object (via TPM2_CreatePrimary) and is NOT persisted in the TPM's non-volatile (NV) storage. This avoids consuming limited NV slots, which are a scarce resource on most TPMs (typically 3-7 loaded objects at once).¶

The transient key lifecycle is:¶

1. Read EK certificate from the TPM's NV storage (index 0x01C00002 for RSA EK). This is a read-only operation. The EK certificate MAY be cached indefinitely as it does not change.¶
2. Create transient AK via TPM2_CreatePrimary under the endorsement hierarchy with a fixed template. Because the template and the Endorsement Primary Seed (EPS) are constant, this deterministically produces the same key on every invocation.¶
3. Binding verification (one-time, during enrollment with an Issuer): The Issuer creates a credential challenge (TPM2_MakeCredential) encrypted to the EK; the agent decrypts it (TPM2_ActivateCredential), proving the AK resides in the same TPM as the EK. The resulting AK certificate is stored client-side (outside the TPM) and reused across signing operations.¶
4. Sign the attestation content with the transient AK (TPM2_Sign).¶
5. Flush the transient AK handle (TPM2_FlushContext) to free the object slot.¶

Implementations SHOULD flush transient objects immediately after use. If TPM2_CreatePrimary returns TPM_RC_OBJECT_MEMORY (0x0902), the implementation MUST flush existing transient handles and retry.¶

The EK certificate is the persistent hardware identifier. The AK is ephemeral infrastructure -- it exists only long enough to produce a signature, then is discarded. No data is written to the TPM's non-volatile memory at any point in this protocol.¶

The transient AK is deterministic within a given Endorsement Primary Seed (EPS) epoch. The EPS is re-randomised when the TPM is cleared (TPM2_Clear) or reset to factory defaults. After such an event, the AK public key changes and the agent MUST re-enroll with its Issuer to establish a new AK-to-EK binding. The EK certificate remains constant across TPM clears, so the hardware identity persists even though the AK changes.¶

Note: On some platform configurations (particularly Windows with default TPM Base Services policy), reading the EK certificate from NV storage may require a one-time operating system configuration change or elevated access during initial enrollment. Once the EK certificate has been read and cached client-side, subsequent attestation operations do not require elevation. Implementations that cannot read the EK certificate directly MAY derive the EK public key via TPM2_CreatePrimary with the TCG EK template and use the resulting public key hash as the hardware fingerprint; verifiers can then query manufacturer APIs (e.g., Intel Trusted Services) to obtain the full certificate if needed for chain validation. Alternatively, the Issuer can perform EK certificate extraction during enrollment and include it in the AK certificate it issues.¶

4.5. Issuer Discovery

When a verifier encounters an agent identity URN, it extracts the Issuer's domain from the issuer-namespace by reversing the dot-separated labels.¶

Example:
  URN: urn:aid:com.1id:1id-ty62muvf
  issuer-namespace: com.1id
  Issuer domain: 1id.com

The verifier discovers the Issuer's signing key and endpoints through the mechanisms described below. The DNS-based method is RECOMMENDED for email because it piggybacks on infrastructure that mail servers already query for DKIM, SPF, and DMARC, requires no outbound HTTPS connections during verification, and inherits the same domain-ownership guarantees that protect existing email authentication. Any organisation that owns a DNS domain can operate as an Issuer by implementing the enrollment protocol, publishing a signing key (via DNS and/or JWKS), and maintaining an anti-Sybil registry. No central registration or coordination is required beyond DNS ownership.¶

Example DNS TXT record:

  _hwattest.1id.com.  IN TXT (
    "v=hwattest1; alg=ES256; "
    "p=MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
  )

hwattest-record = hwattest-version ";" SP
                  hwattest-alg ";" SP
                  hwattest-key
                  [";" SP hwattest-kid]
                  [";" SP hwattest-status]

hwattest-version = "v" "=" "hwattest1"
hwattest-alg     = "alg" "=" jws-algorithm
hwattest-key     = "p" "=" base64
hwattest-kid     = "kid" "=" 1*VCHAR
hwattest-status  = "t" "=" ("active" / "revoked")

jws-algorithm    = "ES256" / "PS256" / "RS256"
                   ; other JWS algorithms may be added

5.1. Attestation Evidence Structure

The attestation evidence consists of the following certificates, ordered from leaf to root:¶

1. AK Certificate: Issued by an Issuer after successful completion of the binding verification protocol (e.g., TPM2_MakeCredential / TPM2_ActivateCredential for TPMs, or manufacturer attestation verification for PIV tokens). Binds the AK public key to the hardware device identified by the identity certificate. If no Issuer enrollment has been performed, the AK certificate MAY be self-signed; verifiers SHOULD treat self-signed AK certificates as lower trust than Issuer-certified ones.¶
2. Identity Certificate: Issued by the hardware manufacturer at fabrication time. For TPMs, this is the EK certificate. For PIV tokens, this is the device attestation certificate. Contains the hardware identity public key, manufacturer identity, and device information. Signed by the manufacturer's intermediate CA.¶
3. Manufacturer Intermediate CA Certificate(s): Zero or more intermediate CA certificates forming the chain between the identity certificate issuer and the manufacturer root.¶
4. Manufacturer Root CA Certificate: The trust anchor. This certificate SHOULD already be present in the verifier's trust store. Major manufacturer root CAs are published at well-known URLs (e.g., Intel's Trusted Services API, AMD's Key Distribution Server, Yubico's attestation CA).¶

5.2. Header Field Definition

This document defines the "Hardware-Attestation" header field for use in email messages.¶

Hardware-Attestation = "Hardware-Attestation" ":" SP hw-attest-value
                       CRLF

hw-attest-value = hw-version ";" SP
                  hw-type ";" SP
                  hw-algorithm ";" SP
                  hw-signed-hdrs ";" SP
                  hw-body-hash ";" SP
                  hw-timestamp ";" SP
                  hw-chain
                  [";" SP hw-aid]

hw-version     = "v" "=" "1"
hw-type        = "typ" "=" ("TPM" / "PIV" / "ENC" / "VRT" / "SFT")
hw-algorithm   = "alg" "=" ("RS256" / "ES256" / "PS256")
hw-signed-hdrs = "h" "=" hdr-name *(":" hdr-name)
hw-body-hash   = "bh" "=" base64url
hw-timestamp   = "ts" "=" 1*DIGIT
hw-chain       = "chain" "=" base64
hw-aid         = "aid" "=" aid-urn

hdr-name       = field-name  ; as defined in RFC 5322
base64url      = *( ALPHA / DIGIT / "-" / "_" )
                              ; URL-safe base64 per RFC 4648 Sec 5
base64         = *( ALPHA / DIGIT / "+" / "/" / "=" )
                              ; standard base64 per RFC 4648 Sec 4

The base64url and base64 encodings follow [RFC4648].¶

Where:¶

v

Protocol version. MUST be "1" for this specification.¶

typ

The hardware attestation mechanism type. "TPM" for Trusted Platform Module (discrete or firmware), "PIV" for Personal Identity Verification smart card, "ENC" for hardware enclave (e.g., Apple Secure Enclave), "VRT" for virtual TPM, "SFT" for software-managed key. Additional values MAY be registered with IANA.¶

alg

The signature algorithm used by the AK. MUST be one of RS256 (RSASSA-PKCS1-v1_5 with SHA-256), ES256 (ECDSA with P-256 and SHA-256), or PS256 (RSASSA-PSS with SHA-256). RS256 is included for compatibility with existing TPM 2.0 deployments where RSA keys are pre-provisioned; new deployments SHOULD prefer PS256 (for RSA) or ES256 (for ECC). ES256 is RECOMMENDED for PIV tokens. Additional algorithms MAY be registered with IANA (see Section 13); future versions of this specification MAY deprecate algorithms by updating the IANA registry. Verifiers MUST reject algorithms not listed in the registry. If SHA-256 is deprecated in the future, a new protocol version (v=2) would be required, as the hash algorithm is embedded in the attestation-digest construction.¶

h

A colon-separated list of header field names included in the h-hash computation, following the same conventions as the DKIM h= tag ([RFC6376] Section 3.5). The listed headers are canonicalised and concatenated (in the order listed) before hashing. Signers MUST include at minimum: From, To, Subject, Date, and Message-ID. Signers SHOULD also include any Hardware-Trust-Proof header present in the same message. The Hardware-Attestation header itself is always implicitly appended last (with the chain parameter value replaced by the empty string during computation, following the same self-inclusion technique as DKIM-Signature per [RFC6376] Section 3.7). The Hardware-Attestation header MUST NOT appear in the h= list. Because the header is included in h-hash, all of its parameters (including aid, typ, alg, bh, ts) are cryptographically bound to the signature.¶

bh

The base64url-encoded SHA-256 hash of the canonicalised email body, computed using DKIM simple body canonicalisation exclusively (Section 3.4.3 of [RFC6376]). DKIM relaxed body canonicalisation is NOT used for body hashing in this specification; only simple canonicalisation is supported, to ensure deterministic verification without requiring a canonicalisation algorithm negotiation parameter.¶

ts

Unix timestamp (seconds since 1970-01-01T00:00:00Z) at which the attestation signature was created. Unlike DKIM-Signature, this specification does not define a sender-declared expiry tag (analogous to DKIM's x= parameter). Verifiers SHOULD apply their own freshness policy based on ts (e.g., rejecting attestations older than a configured threshold). A future version of this specification MAY introduce an optional expiry parameter if operational experience demonstrates the need for sender-declared attestation lifetimes.¶

chain

A base64-encoded CMS SignedData structure ([RFC5652]), using the SignedData content type (OID 1.2.840.113549.1.7.2). The encapContentInfo MUST be absent (detached signature). The chain parameter MUST be present; the full CMS structure is always inline in the header, ensuring that verifiers can perform cryptographic validation without any external fetches. The CMS structure contains: (a) the AK signature over the attestation digest (see below); (b) the AK certificate (Issuer-certified or self-signed); (c) the identity certificate (EK certificate for TPM, device attestation certificate for PIV); and (d) any intermediate CA certificates.¶

The signed content is the SHA-256 hash of the concatenation of three fixed-length fields:¶

  attestation-input = h-hash || bh-raw || ts-bytes
  attestation-digest = SHA-256(attestation-input)
  signature = Sign(AK, attestation-digest)

  h-hash   = SHA-256(canonicalised-headers)  ; 32 bytes
  bh-raw   = SHA-256(canonicalised body)     ; 32 bytes
  ts-bytes = big-endian uint64(ts)           ; 8 bytes

¶

The attestation-input is exactly 72 bytes (32 + 32 + 8). The canonicalised-headers input to h-hash is computed as follows: take the headers named in the h= parameter, in the order listed, each canonicalised per DKIM relaxed header canonicalisation ([RFC6376] Section 3.4.2) and terminated with CRLF. Then append the Hardware-Attestation header itself, canonicalised the same way, with the chain parameter value replaced by the empty string, and without a trailing CRLF (matching the DKIM-Signature self-inclusion convention in [RFC6376] Section 3.7). Because the Hardware-Attestation header contains the aid, typ, alg, bh, and ts parameters in their wire format, all of these values are cryptographically bound by h-hash. In particular, the aid parameter cannot be modified after signing without changing h-hash and therefore invalidating the signature.¶

aid

OPTIONAL. The sender's agent identity URN as defined in Section 4.1. Because the Hardware-Attestation header is implicitly included in the canonicalised-headers input to h-hash (see the h and chain parameters above), the aid value is cryptographically bound to the signature. Substitution or modification of the aid after signing invalidates the attestation. The agent identity URN is the RECOMMENDED primary key for reputation tracking; verifiers SHOULD prefer aid over the hardware fingerprint when both are available, as the agent identity persists across hardware migrations (see Section 4.2). When aid is absent, the verifier can still validate the hardware certificate chain but has only the hardware fingerprint for reputation tracking.¶

5.3. Verification Algorithm

A receiving mail server that supports this specification MUST perform the following steps when a Hardware-Attestation header is present:¶

1. Parse the Hardware-Attestation header field and extract v, typ, alg, h, bh, ts, chain, and (if present) aid. If parsing fails, the result is "none" (header malformed).¶
2. Verify that v equals "1". If not, the result is "none" (unsupported version).¶
3. Verify that h lists at minimum From, To, Subject, Date, and Message-ID. Compute h-hash as defined in Section 5.2: canonicalise the listed headers using DKIM relaxed header canonicalisation ([RFC6376] Section 3.4.2), each terminated with CRLF, then append the Hardware-Attestation header itself (canonicalised the same way, with the chain value replaced by the empty string, without a trailing CRLF), and compute SHA-256 over the result.¶
4. Compute the SHA-256 hash of the canonicalised email body using DKIM simple body canonicalisation ([RFC6376] Section 3.4.3). Base64url-decode the bh parameter value and compare the resulting octets with the computed hash (exact byte-for-byte comparison). If they differ, the result is "fail" (body modified).¶
5. Verify that ts is within an acceptable window of the current time. A window of 300 seconds (5 minutes) is RECOMMENDED for direct SMTP delivery. Verifiers SHOULD allow a wider window (up to 3600 seconds / 1 hour) for messages that have passed through intermediate MTAs, as indicated by Received headers or queue delays. Messages delayed by greylisting (typically 15-30 minutes) or by temporary MTA failures (potentially hours) may exceed even this wider window. Verifiers evaluating messages where the cryptographic signature is valid but the timestamp has expired SHOULD record the result as "pass" with an informational note about the timestamp age, rather than a hard "fail", because the signature's integrity is unaffected by delivery delays. Once the first inbound MTA (the MX record host) has verified the attestation and recorded the result in an Authentication-Results header, downstream systems SHOULD rely on that recorded result (potentially protected by ARC [RFC8617]) rather than re-evaluating timestamps.¶
6. Decode the base64 chain parameter to obtain the CMS SignedData structure. Parse the CMS SignedData structure and extract the signer certificate (AK certificate) and the certificate chain.¶

7. Validate the certificate chain:¶

   1. The AK certificate MUST contain evidence binding the AK public key to the identity certificate's device. For TPM-based attestation, this is a TPM2_Certify structure (either in an X.509 extension or as the certificate's subject public key attestation). For PIV-based attestation, this is the manufacturer's attestation certificate chain (e.g., Yubico's attestation certificate that certifies the key was generated on the device). For Issuer-certified AK certificates, the Issuer verified this binding during enrollment and the AK certificate is signed by the Issuer's CA. For self-signed AK certificates, the verifier SHOULD treat the binding as unverified and reduce trust accordingly.¶
   2. The identity certificate MUST chain to a manufacturer intermediate CA certificate.¶
   3. The manufacturer intermediate CA MUST chain to a manufacturer root CA present in the verifier's hardware manufacturer CA trust store.¶

   If chain validation fails, the result is "fail" (chain invalid).¶

8. Reconstruct the attestation-digest as defined in Section 5.2: concatenate h-hash (32 bytes), bh-raw (32 bytes, the raw SHA-256 digest of the canonicalised body), and ts-bytes (8 bytes, big-endian uint64 of ts), then compute SHA-256 over the 72-byte result. Verify the CMS signature over this digest using the AK public key and the algorithm specified by alg. If signature verification fails, the result is "fail" (bad signature). Because the Hardware-Attestation header (including the aid parameter) is included in the canonicalised-headers input to h-hash, any modification to any header parameter after signing causes verification to fail.¶

9. If all checks pass, the result is "pass". The verifier MAY extract the following information from the certificate chain and header:¶

   • Hardware type (from typ parameter)¶
   • Hardware manufacturer (from identity certificate issuer)¶
   • Device model or family (from identity certificate extensions)¶
   • Hardware fingerprint: SHA-256 hash of the identity certificate's public key¶
   • Agent identity URN (from aid parameter, if present)¶

10. If aid is present, the verifier MAY additionally:¶

    1. Discover the Issuer's endpoints per Section 4.5.¶
    2. Query reputation services using the aid URN as a lookup key.¶
    3. Apply differentiated policy based on the agent's trust tier and reputation history.¶

5.4. Authentication-Results Integration

When recording the result of Hardware-Attestation verification in an Authentication-Results header field [RFC8601], the following method identifier and property types are used:¶

Authentication-Results: mx.example.com;
  hw-attest=pass
    header.typ=TPM
    header.alg=RS256
    header.mfr=INTC
    header.tier=sovereign
    header.fp=sha256:a1b2c3d4...
    header.aid=urn:aid:com.1id:1id-ty62muvf

Where:¶

hw-attest

The method identifier. Result is one of: "pass", "fail", "none" (header absent or unparseable), "temperror" (transient verification error), or "permerror" (permanent verification error).¶

header.typ

The hardware type from the Hardware-Attestation header.¶

header.alg

The signature algorithm.¶

header.mfr

The manufacturer code extracted from the identity certificate. Common values: "INTC" (Intel), "AMD" (AMD), "IFX" (Infineon), "STM" (STMicroelectronics), "NTC" (Nuvoton), "YBK" (Yubico), "VMW" (VMware, virtual TPM).¶

header.tier

The inferred trust tier based on the hardware type and manufacturer. Values: "sovereign", "portable", "enclave", "virtual", "declared".¶

header.fp

The SHA-256 hash of the identity certificate's public key, truncated to the first 16 hex characters. Serves as a compact hardware fingerprint for reputation tracking. Full fingerprint SHOULD be available via an extended property.¶

header.aid

The agent identity URN from the aid parameter, if present. Omitted if no aid was provided.¶

5.5. Privacy Considerations for Direct Attestation

Direct Hardware Attestation reveals the sender's persistent hardware fingerprint to every recipient. This linkability is a deliberate design choice for reputation systems; see Section 15.2 for the full privacy analysis and Section 15.3 for the privacy-preserving alternative.¶

6.1. Overview

SD-JWT Trust Proof provides a privacy-preserving attestation mechanism where an Issuer (an entity that has previously verified the sender's hardware attestation) issues a per-message Selective Disclosure JWT [RFC9901] containing claims about the sender's trust classification and a cryptographic binding to the specific email being sent. The claim structure is informed by the Entity Attestation Token (EAT) model [RFC9711].¶

For each outgoing email, the sending agent computes a message-binding hash (covering the email headers and body) and submits it to the Issuer over an authenticated channel. The Issuer verifies that the requesting agent is currently enrolled with valid hardware, creates an SD-JWT containing the message-binding hash as a nonce claim, and returns the signed token with disclosure values for all selectively disclosable claims. The agent then selects which claims to reveal and includes the SD-JWT presentation in the email header.¶

Because the Issuer signs the SD-JWT (not the agent), no agent-specific key appears in the token. A recipient learns only what the sender chose to disclose -- for example, "my hardware trust tier is sovereign" -- without learning the sender's identity, hardware fingerprint, or any other persistent identifier. The Issuer identifier (iss) and the message-binding nonce are always visible; all other claims are selectively disclosable.¶

This mode requires the recipient to trust the Issuer's signing key (obtainable via DNS or the Issuer's JWKS endpoint per Section 4.5). It does NOT require trust in any hardware manufacturer CA, as the Issuer has already performed that verification during enrollment.¶

The per-message Issuer interaction is the cost of full unlinkability: the agent must contact the Issuer for each email, and the Issuer becomes an availability dependency for Mode 2 senders. If the Issuer is unreachable, the agent MAY fall back to Mode 1 (Direct Hardware Attestation) if its policy permits hardware fingerprint disclosure, or MAY defer sending until the Issuer recovers. The Issuer learns that the agent is sending a message (and the timing thereof) but does not learn the message content -- only the message-binding hash, which is a SHA-256 digest from which content cannot be recovered. Issuers MUST NOT log message-binding hashes or correlate them with message metadata beyond what is necessary for rate limiting and abuse prevention.¶

6.2. Header Field Definition

Hardware-Trust-Proof = "Hardware-Trust-Proof" ":" SP
                       sd-jwt-presentation CRLF

sd-jwt-presentation = sd-jwt "~" *( disclosure "~" )

; sd-jwt and disclosure are defined in RFC 9901

The header value is an SD-JWT presentation as defined in [RFC9901], consisting of the Issuer-signed JWT followed by zero or more disclosures. No Key Binding JWT (KB-JWT) is included; message binding is provided by the nonce claim in the Issuer-signed payload (see Section 6.3).¶

The SD-JWT payload MUST include the following claims:¶

iss

The Issuer's identifier (a URI matching the Issuer domain derived from the agent's URN namespace). Used to locate the Issuer's signing key for signature verification.¶

iat

Issuance time as a NumericDate. Because the SD-JWT is per-message, iat reflects the time the Issuer signed this specific token.¶

exp

Expiration time as a NumericDate. MUST NOT exceed 600 seconds (10 minutes) after iat. This short validity window is appropriate because the SD-JWT is per-message: the agent requests a fresh token for each email, and the token need only remain valid long enough for the message to traverse the sending mail infrastructure. Issuers SHOULD set exp to 300 seconds (5 minutes) after iat for typical deployments.¶

nonce

A base64url-encoded message-binding digest that cryptographically ties this SD-JWT to a specific email. Computed as defined in Section 6.3. This claim MUST be present and MUST NOT be selectively disclosable.¶

_sd

Array of digests for selectively disclosable claims, as defined in [RFC9901].¶

The following claims SHOULD be available for selective disclosure (present as hashed entries in _sd):¶

trust_tier

The sender's hardware trust classification. Values include "sovereign" (genuine non-virtual hardware TPM), "portable" (smart card / USB token), "enclave" (hardware enclave such as Apple Secure Enclave), "virtual" (hypervisor-provided), and "declared" (software-only).¶

sub

The sender's agent identity URN as defined in Section 4.1.¶

handle

A human-readable name for the sender, if assigned.¶

hw_manufacturer

The hardware manufacturer code (e.g., "INTC", "AMD", "YBK").¶

enrolled_at

The timestamp at which the sender enrolled with the Issuer.¶

operator_email

A contact address for the human operator responsible for this agent. Allows relying parties to reach the accountable person without requiring the agent identity itself to be disclosed.¶

hardware_locked

Boolean indicating whether the identity is permanently bound to a single hardware device. Once locked, the agent can no longer add or migrate to new devices. This is an irreversible operation.¶

locked_at

Timestamp (ISO 8601) at which the hardware lock was applied. Present only when hardware_locked is true.¶

credential_pointer_count

Integer count of registered credential pointers for this identity. Allows a verifier to confirm that an agent has external credentials on file without revealing the credentials themselves.¶

6.3. Message Binding via Issuer-Signed Nonce

Each Mode 2 SD-JWT is per-message: the Issuer signs a fresh token for each email, incorporating a nonce claim that cryptographically binds the token to the specific message being sent. Because the Issuer signs the token directly (rather than the agent signing a Key Binding JWT with a key embedded in the token), no agent-specific cryptographic material appears in the presentation.¶

The message-binding nonce is computed by the sending agent before requesting the SD-JWT from the Issuer:¶

  message-binding = h-hash || bh-raw || ts-bytes
  nonce = base64url(SHA-256(message-binding))

  h-hash   = SHA-256(canonicalised-headers)  ; 32 bytes
  bh-raw   = SHA-256(canonicalised body)     ; 32 bytes
  ts-bytes = big-endian uint64(iat)          ; 8 bytes

The agent proposes an iat value (its current time) when requesting the token; the Issuer MUST reject proposed timestamps that differ from the Issuer's clock by more than 60 seconds. The accepted iat becomes both the SD-JWT's iat claim and the timestamp used in ts-bytes, ensuring sender and verifier agree on the value.¶

The canonicalised-headers are computed using the same rules as Mode 1 (see Section 5.2): the headers From, To, Subject, Date, and Message-ID (at minimum) are canonicalised per DKIM relaxed header canonicalisation ([RFC6376] Section 3.4.2), each terminated with CRLF, then the Hardware-Trust-Proof header itself is appended last (canonicalised the same way, with its value replaced by the empty string, without a trailing CRLF). The value is blanked because the SD-JWT token has not yet been obtained at the time the nonce is computed (the nonce is an input to the Issuer, which returns the SD-JWT that will become the header value); the header name and field separator are retained so that the choice of header is bound to the nonce. This is the same self-inclusion technique used by DKIM-Signature ([RFC6376] Section 3.7) and by Mode 1 (see Section 5.2).¶

The agent submits the computed nonce and proposed iat to the Issuer over an authenticated channel (e.g., TLS client certificate authentication using the agent's hardware-resident key, or an OAuth2 token obtained during enrollment). The Issuer verifies that the requesting agent is currently enrolled with valid hardware and has not been revoked, then creates and signs an SD-JWT containing the nonce along with selectively disclosable claims about the agent. The Issuer returns the signed SD-JWT and the disclosure values for all selectively disclosable claims. The agent selects which disclosures to include in the presentation.¶

Because the nonce is embedded in the Issuer-signed payload, any modification to the email headers or body after the token is issued causes the nonce to mismatch during verification. Because the Hardware-Trust-Proof header is included in the canonicalised-headers (with its value blanked during nonce computation), the choice of disclosed claims is also bound to the message.¶

The Issuer's signature on the nonce serves a dual purpose: it proves that a currently enrolled agent with verified hardware requested this specific message binding, and it asserts the Issuer's claims about the agent's trust classification. No agent-specific key appears in the token, so recipients cannot link multiple emails to the same sender based on the Mode 2 header alone.¶

6.4. Verification Algorithm

1. Parse the Hardware-Trust-Proof header as an SD-JWT presentation per [RFC9901]. The presentation consists of the Issuer-signed JWT and zero or more disclosures; no Key Binding JWT is expected.¶
2. Extract the issuer (iss) claim from the SD-JWT payload.¶
3. Obtain the Issuer's public key. The verifier MUST first check for a DNS-published key (see Section 4.5.1). If no DNS record is found, the verifier MAY fall back to the Issuer's HTTPS JWKS endpoint (e.g., {iss}/.well-known/jwks.json). Cached keys SHOULD have a TTL of at least 1 hour and at most 24 hours.¶
4. Verify the SD-JWT signature against the Issuer's public key per [RFC9901].¶
5. Verify that exp has not passed and iat is within an acceptable window. Because Mode 2 SD-JWTs are per-message, the RECOMMENDED exp is 300 seconds after iat; verifiers SHOULD reject tokens where the Issuer-set exp exceeds iat by more than 600 seconds (indicating a misconfigured Issuer). However, the verifier's freshness check against real-world clock time should accommodate delivery delays: if the SD-JWT signature is valid and the iat-to-exp span is reasonable but the current time exceeds exp due to greylisting or queue delays, the verifier SHOULD treat the result as "pass" with an informational timestamp-age note rather than a hard "fail" (see the corresponding guidance for Mode 1 timestamp validation in Section 5.3).¶
6. For each disclosure present, verify that its hash matches an entry in the _sd array.¶

7. Verify the message binding. Extract the nonce claim from the SD-JWT payload. If absent, the result is "fail" (missing message binding). Recompute the expected message-binding digest as defined in Section 6.3: canonicalise the email headers (From, To, Subject, Date, Message-ID at minimum) and body, compute message-binding = h-hash || bh-raw || ts-bytes (using the SD-JWT's iat for ts-bytes), then base64url(SHA-256(message-binding)). Compare the result with the nonce claim value. If they differ, the result is "fail" (message binding mismatch).¶

8. Extract the disclosed claims. The result is "pass" with the set of verified claims.¶

6.5. Authentication-Results Integration

Authentication-Results: mx.example.com;
  hw-trust=pass
    header.trust_tier=sovereign
    header.registry=1id.com

hw-trust

The method identifier. Result values are the same as for hw-attest.¶

header.trust_tier

The disclosed trust tier value, if the sender chose to reveal it.¶

header.registry

The Issuer domain (derived from the iss claim).¶

8.1. Direct Hardware Attestation (Mode 1)

Each hardware security component contains exactly one identity key, which produces exactly one identity certificate. The hardware fingerprint (identity certificate public key hash) provides the underlying Sybil resistance: creating N identities requires N physical devices.¶

The agent identity URN (aid) is the RECOMMENDED primary key for reputation tracking. When aid is present, verifiers SHOULD build reputation against the aid rather than the hardware fingerprint, because the aid persists across hardware migrations (see Section 4.2). The hardware fingerprint serves as a secondary signal that anchors the identity to physical hardware and enables reputation tracking for agents that do not present an aid.¶

A receiving mail server that tracks agent identities (or, when aid is absent, hardware fingerprints) can enforce policies such as:¶

• Rate limiting per agent identity¶
• Reputation scoring per agent identity¶
• Blocking agent identities associated with abuse¶

An attacker attempting to evade these policies requires a new physical hardware security component (minimum cost: the device itself at ~$20 plus potentially a host machine at ~$200-2000), compared to zero cost for creating a new software identity.¶

Multiple agents sharing the same hardware (e.g., multiple VMs on a server with a single TPM) share the same hardware fingerprint and therefore linked reputations. This shared fate model creates economic incentive for infrastructure operators to police their tenants: if one agent on a machine misbehaves, all agents on that machine inherit the reputational consequences.¶

8.2. SD-JWT Trust Proof (Mode 2)

Sybil resistance in Mode 2 depends on the Issuer's enrollment policy. An Issuer that assigns trust_tier values indicating hardware verification (e.g., "sovereign") MUST verify hardware attestation at enrollment time and MUST enforce the cardinality constraints defined in Section 4.2: at most one agent identity per hardware device within that Issuer's namespace, while permitting hardware migration (multiple devices backing the same identity over time). Such an Issuer provides equivalent Sybil resistance to Mode 1, with the additional benefit that the hardware fingerprint is not revealed to email recipients.¶

Issuers SHOULD monitor for anomalous enrollment patterns (e.g., many enrollments from a single IP range or a sudden spike in enrollments from a specific manufacturer CA) and SHOULD be capable of suspending enrollments pending investigation.¶

An Issuer that enrolls software-only agents (trust_tier "declared") provides no hardware-based Sybil resistance and MUST NOT assign trust_tier values that imply hardware verification. The trust_tier claim distinguishes these cases, enabling recipients to weight trust appropriately.¶

8.3. Virtual Hardware

Virtual TPMs (vTPMs) provided by hypervisors (VMware, Hyper-V, QEMU) have valid identity certificates signed by the hypervisor vendor's CA, but the hypervisor operator can instantiate arbitrary numbers of vTPMs. Virtual TPMs therefore provide no hardware-based Sybil resistance against the hypervisor operator. They do, however, provide benefits over software-only keys (typ=SFT):¶

• Key persistence managed by the hypervisor (the agent does not need to store key material).¶
• Modest cost barriers (provisioning a vTPM is slower and more resource-intensive than generating a software key pair).¶
• Reputation accumulation incentive (discarding a vTPM identity forfeits its accumulated reputation).¶

Receiving mail servers MUST distinguish between physical and virtual hardware. The identity certificate's issuer field identifies the manufacturer: VMware-issued or Microsoft Hyper-V-issued certificates indicate a virtual TPM. The header.tier property in Authentication-Results ("sovereign" vs "virtual") and the typ parameter ("TPM" vs "VRT") communicate this distinction.¶

Mail servers SHOULD apply significantly different reputation thresholds for virtual vs. physical hardware. For high-trust scenarios, verifiers MAY reject virtual TPM attestation entirely and require physical hardware (typ=TPM or typ=PIV).¶

9.1. Multiple Headers and Forwarding

If multiple Hardware-Attestation headers are present in a message (e.g., if a forwarding gateway adds its own attestation), the verifier SHOULD evaluate all of them independently and record each result separately in Authentication-Results, using the same precedence conventions as for multiple DKIM-Signature headers [RFC6376].¶

Mailing lists and content-modifying forwarders that alter the message body will invalidate the body hash (bh) in any existing Hardware-Attestation header. This is expected and analogous to DKIM signature breakage through body modification. Such intermediaries SHOULD preserve the original Hardware-Attestation header (the verifier will record "fail" due to body hash mismatch) and MAY add their own Hardware-Attestation header covering the modified body, if the intermediary itself has hardware attestation capability. ARC [RFC8617] SHOULD be used to preserve the original authentication results from before the modification.¶

10.1. Agent Identity Binding at Submission

When an MSA receives a message containing a Hardware-Attestation header with an aid (agent identity) parameter, the MSA MUST verify that the aid value corresponds to the authenticated account submitting the message. The binding between authenticated account and permitted agent identity URN(s) is established during account provisioning and is outside the scope of this specification, but the enforcement is normative:¶

• If the aid value does not match any agent identity URN authorised for the submitting account, the MSA MUST reject the message with an appropriate error (e.g., SMTP 550 "5.7.1 Agent identity not authorised for this account").¶
• If the Hardware-Attestation header is present but contains no aid parameter, the MSA SHOULD still verify that the hardware fingerprint (derived from the chain parameter) corresponds to hardware registered to the submitting account, if such a registry is available.¶
• If the MSA does not implement hardware attestation verification, it MUST NOT strip or modify the Hardware-Attestation header. The header will be evaluated by downstream verifiers.¶

This requirement parallels the existing SMTP AUTH obligation: just as an MSA enforces that the envelope sender (MAIL FROM) and header From address belong to the authenticated user, an attestation-aware MSA enforces that the agent identity belongs to the authenticated agent.¶

10.2. Hardware Fingerprint Binding at Submission

For Mode 1 (Direct Hardware Attestation), the MSA SHOULD extract the hardware fingerprint from the attestation chain and verify it against the fingerprint registered to the submitting account. This prevents an attacker who has obtained valid SMTP credentials from substituting a different device's attestation evidence.¶

For Mode 2 (SD-JWT Trust Proof), the MSA SHOULD verify that the Issuer (iss claim) and, if disclosed, the agent identity URN (sub claim) are consistent with the submitting account's registered identity.¶

10.3. Messages Without Attestation

An MSA that serves hardware-attested agents MAY also accept messages without Hardware-Attestation or Hardware-Trust-Proof headers, subject to its own policy. The absence of attestation headers from a known-attested account SHOULD be logged as anomalous but MUST NOT cause message rejection unless the account's policy explicitly requires attestation on every message.¶

10.4. Duplicate Header Rejection

An MSA MUST reject any submitted message that contains more than one Hardware-Attestation header field. A legitimate sender produces exactly one attestation per message. Multiple Hardware-Attestation headers in a submitted (non-forwarded) message indicate either a software defect or an injection attempt. This check MUST occur before DKIM signing, so that the MSA never signs a message containing duplicate attestation headers.¶

10.5. Timestamp Validation at Submission

The MSA SHOULD verify that the ts value in the Hardware-Attestation header is within a reasonable window of the current time (RECOMMENDED: 60 seconds). A timestamp significantly in the past may indicate a replayed header; a timestamp in the future may indicate clock manipulation intended to extend the attestation's apparent validity. If the timestamp is outside the acceptable window, the MSA SHOULD reject the message.¶

11.1. Backward Compatibility

This specification introduces new email headers that are ignored by mail servers that do not implement it. Messages carrying Hardware-Attestation or Hardware-Trust-Proof headers are fully compatible with legacy mail infrastructure: the headers are simply unrecognised and have no effect on delivery. This ensures that deployment can proceed incrementally without disrupting existing email flows.¶

11.2. DKIM Coverage of Attestation Headers

Because the sending agent adds the Hardware-Attestation and Hardware-Trust-Proof headers before submitting the message to the MSA, DKIM signing (which occurs at the MSA or a downstream MTA) naturally occurs after these headers are present. The DKIM signer SHOULD include Hardware-Attestation and Hardware-Trust-Proof in the DKIM-Signature h= tag so that the DKIM signature protects the attestation evidence against modification in transit. This allows a verifier to confirm that the domain owner's mail infrastructure accepted the attestation header as submitted by the agent.¶

11.3. Header Size Considerations

The base64-encoded CMS chain in Mode 1 can be several kilobytes, depending on the number of intermediate CA certificates. Implementations SHOULD use line folding per [RFC5322] to keep individual header lines within the 998-octet limit. Mail servers that impose maximum header size limits SHOULD allow at least 8192 octets for the Hardware-Attestation header value.¶

14.1. Manufacturer CA Compromise

If a hardware manufacturer's root CA private key is compromised, an attacker could forge identity certificates and create unlimited fake hardware identities. This risk is inherent to any PKI-based system and is mitigated by the same measures that protect manufacturer CAs today: hardware security modules, air-gapped signing ceremonies, and Certificate Transparency [RFC9162].¶

The SD-JWT Trust Proof (Mode 2) provides partial mitigation: if the Issuer detects anomalous enrollment patterns (e.g., thousands of enrollments from a single manufacturer CA in a short period), it can suspend enrollments while the compromise is investigated.¶

14.2. Revocation and Compromise Response

This specification does not define a real-time certificate revocation protocol. Compromise of individual hardware devices or keys is handled at multiple layers:¶

Compromised or stolen device (TPM, YubiKey)

The device owner notifies their Issuer, which revokes the agent identity. The Issuer publishes revocation status via its JWKS or a revocation endpoint; verifiers that cache Issuer metadata will detect the revocation at the next refresh. For Mode 1, the hardware fingerprint SHOULD be added to a local blocklist. The device's reputation history (which now includes the abuse) persists and follows the hardware fingerprint even if re-enrolled under a new identity.¶

Manufacturer CA breach

Verifiers MUST remove the compromised CA from their trust store. The IANA Hardware Attestation Type registry (see Section 13) and the community-maintained manufacturer CA trust store (see Appendix B) provide distribution channels for updated trust anchors.¶

Rogue Issuer

Verifiers remove the Issuer from their allowlist. Because Issuer trust is a local policy decision (see Section 14.12), no central revocation mechanism is required: each verifier independently decides which Issuers to trust, analogous to browser root store management for TLS CAs.¶

The absence of a real-time revocation check (such as OCSP) is a deliberate trade-off: adding a synchronous revocation check to the email delivery path would introduce latency and a new availability dependency. The short validity window for SD-JWT trust proofs (600 seconds) and the per-message timestamp in Mode 1 limit the exposure window for compromised credentials.¶

14.3. Replay Attacks

The timestamp (ts) in the Hardware-Attestation header limits the replay window. Receiving mail servers SHOULD reject attestations with timestamps more than 300 seconds from the current time for direct SMTP delivery, and up to 3600 seconds for messages with evidence of intermediate relay hops. Additionally, the body hash (bh) binds the attestation to a specific email body, preventing a valid attestation from being attached to a different message.¶

For SD-JWT Trust Proofs, each SD-JWT is per-message: the nonce claim in the Issuer-signed payload binds the token to the specific email's headers and body, and the short validity window (RECOMMENDED 300 seconds) limits the replay window. An attacker who intercepts a valid SD-JWT cannot reuse it for a different message because the nonce will not match.¶

14.4. Compromised Endpoints

This specification does not prevent a compromised device from sending attested email -- if an attacker has full control of a device with hardware security, they can use that hardware to attest. However, this is by design: each compromised device contributes exactly one hardware identity, and that identity accrues reputation (good or bad) permanently. A botnet of 10,000 compromised devices yields 10,000 attestable identities, not the millions possible with software-only identity systems.¶

The transient key model (Section 4.4) reduces the privilege requirements for per-message signing. Initial enrollment (the one-time MakeCredential / ActivateCredential exchange) typically requires elevated operating system privileges (administrator on Windows via the TPM Base Services API, or root on Linux via /dev/tpmrm0). Subsequent signing operations (TPM2_Sign with the transient AK) MAY be available to unprivileged processes depending on the operating system configuration. On Windows, a one-time registry configuration can grant non-administrator processes access to TPM signing operations.¶

The net effect is that hardware attestation raises the bar for email abuse from "any script" to "compromise of a specific physical device," which is a substantial improvement over the status quo even if it is not a complete solution.¶

14.5. Physical Attacks on Hardware Security Components

Extracting private keys from a TPM or PIV token requires physical attacks such as electron microscopy, laser fault injection, or side-channel analysis. Modern security components include countermeasures against these attacks. The cost and expertise required for successful key extraction is estimated at $50,000-$200,000 per chip, making it economically unviable for spam operations.¶

Even if key extraction were feasible, the extracted key could only impersonate one hardware identity. The attacker would still need to extract keys from additional devices to create additional identities.¶

14.6. Virtual Hardware Risk

Virtual TPMs do not provide the same Sybil resistance as physical hardware; see Section 8.3 for the detailed analysis and policy guidance.¶

14.7. Software-Only Attestation Risk

Software-managed keys (typ=SFT) provide no hardware-based Sybil resistance; an attacker can generate unlimited key pairs at zero cost. Verifiers MUST treat software-only attestation (trust_tier "declared") as fundamentally weaker than hardware-backed attestation. Software-only attestation exists to enable inclusive participation, not to provide Sybil resistance (see Section 1.1).¶

14.8. Transient Object Slot Limits

TPMs have a limited number of transient object slots (typically 3 to 7 simultaneously loaded objects). If all slots are occupied, TPM2_CreatePrimary returns TPM_RC_OBJECT_MEMORY (0x0902). Implementations MUST handle this error by flushing unused transient handles (TPM2_FlushContext) and retrying. Failure to flush transient objects can cause denial of service to other TPM-using applications on the same device.¶

14.9. Policy Abuse and Deanonymisation Risk

This specification targets AI agents, bots, and autonomous systems (see Section 3). It is not intended for individual human senders and is not expected to be incorporated into Mail User Agents (MUAs) designed for interactive human use. The privacy trade-offs inherent in hardware attestation -- particularly the persistent hardware fingerprint exposed by Mode 1 -- are acceptable for automated senders whose identity is operationally transparent, but disproportionate for human correspondence.¶

However, an AI agent may compose and send email on behalf of an individual (e.g., an executive assistant agent sending calendar invitations, or a customer service agent responding to support tickets). In such delegated-sending scenarios, the attestation identifies the agent and its hardware, not the human principal. Operators deploying agents that send on behalf of individuals SHOULD be aware that the persistent hardware fingerprint (Mode 1) or the Issuer identifier (Mode 2) may allow recipients to correlate messages across different human principals served by the same agent. Where this correlation is undesirable, operators SHOULD use Mode 2 without disclosing the agent identity URN, or SHOULD deploy separate agent identities per human principal.¶

The persistent hardware fingerprint exposed by Mode 1 (see Section 15.2 for linkability details) creates specific abuse scenarios even in automated contexts:¶

• Authoritarian regimes could correlate hardware fingerprints across messages to identify the organisations operating specific agents.¶
• Platforms could mandate Mode 1 attestation to deanonymise agents that have legitimate reasons for pseudonymity (e.g., whistleblower-support bots, journalist-source-protection agents).¶
• Receiving mail servers that log hardware fingerprints create long-lived tracking databases linking agent activity across recipients and time periods.¶

Mode 2 (SD-JWT Trust Proof) mitigates these risks by eliminating persistent agent-specific identifiers from the token; see Section 15.3. Receiving mail servers SHOULD NOT require Mode 1 attestation when Mode 2 provides sufficient trust signal for the receiver's policy needs.¶

14.10. Header Stripping and Modification

An intermediary mail server could strip or modify the Hardware-Attestation or Hardware-Trust-Proof headers. This risk is identical to the risk of DKIM signature stripping and is mitigated by the same mechanisms: ARC [RFC8617] preserves authentication results through forwarding chains.¶

Stripping these headers cannot cause a legitimate message to appear illegitimate (it simply loses the attestation). Adding forged headers is prevented by the cryptographic signatures.¶

14.11. Credential Theft and Identity Substitution

Because the attestation signature is produced by the sending agent rather than by the mail server, theft of SMTP credentials alone does not grant the attacker a valid attestation. The agent identity (aid), when present, is cryptographically bound to the signature: substituting a different aid value causes signature verification to fail at the receiving end.¶

An attacker who intercepts a legitimately signed attestation header could attempt to replay it on a different message. The body hash (bh), timestamp (ts), and signed header hashes (h-hash) prevent replay on altered content. The MSA identity binding requirements in Section 10 provide defence-in-depth: an attestation-aware MSA rejects messages where the agent identity does not match the submitting account, preventing misuse before the message enters the mail system.¶

Together, the cryptographic binding of aid in the signature and the MSA submission-time enforcement ensure that an agent cannot claim an identity other than its own.¶

14.12. Issuer Trust and Accountability

The federated issuance model (Section 4.5) means verifiers MUST make their own trust decisions about which Issuers to accept. A malicious Issuer could issue multiple identities for the same hardware, undermining Sybil resistance. However, this violation is detectable: verifiers that track hardware fingerprints will observe the same fingerprint appearing under multiple agent identities from the same Issuer, which constitutes direct evidence of Issuer misbehaviour.¶

Verifiers SHOULD maintain an allowlist of trusted Issuers, analogous to browser trust stores for TLS CAs. Reputation services MAY track Issuer quality metrics (enrollment anomaly rates, duplicate-fingerprint detections, abuse report correlations) to inform verifier trust decisions. Verifiers SHOULD remove Issuers from their allowlist when evidence of policy violations is detected.¶

15.1. Applicability to Human vs. Automated Senders

This specification targets authentication of automated senders -- AI agents, bots, and high-volume automated systems. It is NOT intended or recommended for individual human users sending personal or low-volume email. The persistent hardware fingerprint in Mode 1 uniquely identifies the sending device across all messages and contexts, creating linkability that exceeds current email privacy norms for human correspondence.¶

Operators of human-facing email services that offer hardware attestation as an opt-in feature MUST provide clear disclosure of the linkability implications before activation. Receivers SHOULD NOT penalise the absence of hardware attestation from senders exhibiting human-characteristic patterns.¶

15.2. Hardware Fingerprint Linkability

Mode 1 (Direct Hardware Attestation) exposes a persistent, globally unique hardware fingerprint -- the SHA-256 hash of the identity certificate's public key -- to every recipient. This fingerprint is stable for the lifetime of the hardware device and is identical across all protocols (email, HTTP, agent-to-agent) where the same device attests.¶

Any party that observes this fingerprint can correlate messages across recipients, time periods, and transport protocols. This cross-context linkability is the intended mechanism for reputation building in automated sender scenarios, but it also enables surveillance if misused.¶

The identity certificate additionally reveals the hardware manufacturer and device model family. In most automated deployments this information is not sensitive, but it does narrow the set of possible senders.¶

15.3. Privacy-Preserving Alternative (Mode 2)

Mode 2 (SD-JWT Trust Proof) provides Sybil resistance without revealing the hardware fingerprint or any persistent agent-specific identifier. Because the Issuer signs the per-message SD-JWT directly (rather than the agent signing with a key embedded in the token), no agent-controlled key appears in the presentation. Recipients cannot link multiple emails to the same sender based on Mode 2 headers alone.¶

The sender selects which claims to disclose; the hardware fingerprint, agent identity URN, and device details can all be withheld. Only the Issuer identifier (iss) and the message-binding nonce are always visible.¶

The privacy cost of full unlinkability is that the agent must contact the Issuer for each email, so the Issuer learns the agent's sending pattern (timing and frequency) though not the message content. Issuers MUST NOT log or correlate message-binding hashes beyond what is necessary for rate limiting and abuse prevention (see Section 15.4).¶

Senders operating in contexts where hardware fingerprint disclosure is unacceptable -- including agents that wish to avoid cross-context tracking -- SHOULD use Mode 2 exclusively. Receivers SHOULD NOT require Mode 1 when Mode 2 provides sufficient trust signal for their policy needs.¶

15.4. Issuer Knowledge

During enrollment, the Issuer learns the agent's hardware fingerprint (identity certificate public key hash) and associates it with the assigned agent identity URN. This is necessary for anti-Sybil enforcement.¶

In Mode 2, the Issuer additionally learns that the agent is sending a message each time the agent requests a per-message SD-JWT. The Issuer receives the message-binding hash (a SHA-256 digest from which message content cannot be recovered) but does not learn the message recipients, subject, or body. Issuers MUST NOT log message-binding hashes or correlate per-message signing requests with external data to infer message content or recipients. Issuers SHOULD implement rate limiting at the per-message signing endpoint to prevent abuse, but MUST delete signing request metadata (timestamps, source IPs, message-binding hashes) within 24 hours.¶

The specification deliberately separates enrollment (Issuer) from behaviour tracking (reputation services) to limit the Issuer's knowledge of agent activity.¶

15.5. Data Minimisation

Verifiers that record hardware fingerprints or agent identity URNs for reputation purposes SHOULD apply data minimisation principles: retain only the truncated fingerprint (as specified in Section 5.4) rather than the full identity certificate, and SHOULD define retention policies that limit how long fingerprint-to-message associations are stored.¶

15.6. Abuse-Resistant Contact Tokens

Automated agents typically send from generated addresses (e.g., aid-based mailbox names) that do not route to a human operator. When a recipient needs to report abuse or request removal, there is no obvious contact path. Conversely, exposing the operator's real email address in every outbound message creates a spam and social-engineering target.¶

Implementations MAY include a short-lived, opaque contact token in outbound messages to bridge this gap. A contact token is a value that the Issuer can resolve to the operator's real contact address without revealing that address to the message recipient. The token SHOULD be rotated periodically (e.g., monthly) so that tokens from old messages cannot be used to build a long-term contact profile of the operator.¶

One approach is to carry the token in a header field alongside the attestation headers. For example, the 1id.com implementation uses an "X-1ID-Contact-Token" header containing an 8-character HMAC-based token; a recipient can send mail to <token>@contact.<issuer-domain> and the Issuer forwards it to the registered operator. The token is derived from the agent identity and a time-based rotation key, so it is not linkable across rotation periods and cannot be forged without the Issuer's secret.¶

This specification does not mandate a particular contact token format or delivery mechanism. Issuers that provide contact tokens SHOULD document their token lifetime and resolution procedure. Recipients SHOULD treat contact tokens as opaque values and SHOULD NOT attempt to derive agent identity from them.¶

C.1. Example 1: Sovereign-Tier TPM (Combined Mode, Node.js SDK)

This message demonstrates Combined Mode (Mode 1 + Mode 2) from a sovereign-tier identity backed by an Intel firmware TPM. The Hardware-Attestation header contains a CMS SignedData bundle with an X.509 certificate chain rooted at a manufacturer CA. The Hardware-Trust-Proof header contains an SD-JWT with a selectively disclosed trust_tier claim. Both headers reference the same agent identity URN (urn:aid:com.1id:1id-tkoie2ve). Note that the From address (alice@example.un.ag) is independent of the agent identity URN, demonstrating the decoupling of email sender identity and hardware identity.¶

Compare with Example 2 (same identity, different device and trust tier) and Example 6 (same identity and device, Mode 1 only, Python SDK).¶

Received: from oneid-sdk (unknown [2001:8000:1bed:6d00:ecfa:f9e5:c8e3:ed
        4f] (AS1221 Telstra Limited, AU))(using TLSv1.3 with cipher
        TLS13_AES_256_GCM_SHA384) by mail.mailpal.com (Stalwart SMTP)
        with ESMTPSA id 423AB698D84E8D1; Thu, 26 Mar 2026 06:27:23 +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774506443; x=1775370443; bh=+GNsqybwllZv8Ax0BtgYSg73F/3TnNOd8
        lZ5Dlr7wJM=; b=bibpmNagEyVBbOaFHy6+roU+kMTxheiMcNrQfEhQq4EHMf1zE
        E0zt/EwIohwEkm55Ajra4k834hqnvbxmT0/fzD+f/Uq5SP6dUp2m1KBSMrkYHVTD
        LW0m7TqsCzKoFOJRQrP8HkXTGGlLZs8VOHwN+UFLBOrR0TebCSRZQldAMcUKfx3w
        +/uopSKYF6BKvq1U1NDXDxIyrIiYJ9ma64VjMz/GIu8Aqg9CKg3DtiEIhKa4B+9m
        Q4olARarM4B0n5HPKcib6UU/I8XXRnvynBFKIRc+MlVIXWsQYKbbQTBqMJRVy8fR
        sdXANCTDhzV3UoO+EXUE4yXeba7xCWfdk6SQQ==;
Authentication-Results: mailpal.com; hw-attest=pass header.typ=TPM
        header.alg=RS256 header.tier=sovereign
        header.aid=urn:aid:com.1id:1id-tkoie2ve
Authentication-Results: mailpal.com; hw-trust=pass
        header.trust_tier=sovereign header.registry=1id.com
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 1/6: Sovereign TPM (Node.js, Mode 1+2)
Date: Thu, 26 Mar 2026 16:27:16 +1000
Message-ID: <1774506436645.8ed455cf30df4796@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Attestation: v=1; typ=TPM; alg=RS256; h=from:to:subject:date:me
        ssage-id:content-transfer-encoding:content-type:mime-version:fro
        m:to:subject:date:message-id:content-transfer-encoding:content-t
        ype:mime-version; bh=D86x9X_Sdbjuiw4qHtNHgn_D9ddyl18jiIMSUqhmnDY
        ; ts=1774506440; chain=MIIMAQYJKoZIhvcNAQcCoIIL8jCCC+4CAQExDzANB
        glghkgBZQMEAgEFADALBgkqhkiG9w0BBwGgggpWMIID4TCCAsmgAwIBAgIUH01pf
        nWQCIfMiHfTNQb7v7r3CmMwDQYJKoZIhvcNAQELBQAwLjEMMAoGA1UECgwDMUlEM
        R4wHAYDVQQDDBUxSUQgSW50ZXJtZWRpYXRlIENBIEEwHhcNMjYwMzIwMTYzNjI2W
        hcNMjcwMzIwMTYzNjI2WjBMMQwwCgYDVQQKDAMxSUQxJTAjBgNVBAMMHHVybjpha
        WQ6Y29tLjFpZDoxaWQtdGtvaWUydmUxFTATBgNVBAUTDDFpZC10a29pZTJ2ZTCCA
        SIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANvysXC8ILSnhGcqg66dWKWQL
        p9pOJZmj6yTbICDVLydBwc1LGEQAW3BCee6XU/Bs0n91uROJCQw3jgrCMiBUOvS6
        Mjox/8NT1gfZ9sDQGVXN5gQ0t9H+r9vEPJ7YL9jhYmlxWQp+fS6vhZNrmH7g4XwE
        K+EsbMsc8H0ZuxKAM1S7p9447G9IOZOkFMK33ZxCCY00DFmwzXu/dkGFfuOaSWM5
        cazWz/kxqOtcpT73ACmJxQ6LU3yzB6VwbfwCWm6klQNKsd1c7FT5hX5ZYtEqDXeI
        pIGWyQp9TQgNbUIPeJCWO2rDLmh0ZXwqXR4yBqKeNWhUjrcnfQgNfrjJ7zB0z8CA
        wEAAaOB2DCB1TAnBgNVHREEIDAehhx1cm46YWlkOmNvbS4xaWQ6MWlkLXRrb2llM
        nZlMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRroL9zk
        1MDMjMG4UyIvjZdzdX8QTAfBgNVHSMEGDAWgBRnIsB54FVyNiezRKLzTN+AXd+Wr
        jAXBgorBgEEAYPUXwEBBAlzb3ZlcmVpZ24wIgYKKwYBBAGD1F8BAgQUMjAyNi0wM
        y0wNFQwMDowMDowMFowDwYKKwYBBAGD1F8BAwQBADANBgkqhkiG9w0BAQsFAAOCA
        QEAiL2Fwbib2C2bzYzRpDsyFGSXmn2LcFO3snxAaoRJxwMqa5UcyNZNaPk9SHtr7
        mocHO8spAi5q+7Twa8+1djZ3HJha5iKW59E9o2/JFBBM8p1ehkHVmlTtF130RFja
        aW1BnPvdfjSMCdYHk9IIOw90+oAA7omUAlYTXclGLduE2fOfVcAaqIz+wFYS89iJ
        Otlbj+BH8wwa6Ee3P1pEe1p4LW4KGdaIrA1/yfarCaglkVlJxA4GsR2y1H43l7ZN
        ijh/lsS+iRJWXvBWGqecVx+GY/jPpvG4ahObRO4/MW5F1i3fKvkE0UX4juC5t0nP
        tCbRsQFRmbIcQv+OcLJV9MexzCCA0gwggIwoAMCAQICFEhBGCtvI+p+lYa/sOD7w
        5IrskGxMA0GCSqGSIb3DQEBCwUAMCYxDDAKBgNVBAoMAzFJRDEWMBQGA1UEAwwNM
        UlEIFJvb3QgQ0EgQTAeFw0yNjAzMTQxNDEzNDdaFw0zMTAzMTMxNDEzNDdaMC4xD
        DAKBgNVBAoMAzFJRDEeMBwGA1UEAwwVMUlEIEludGVybWVkaWF0ZSBDQSBBMIIBI
        jANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAueeMbFQ0VCd3zBECEit2soc9g
        0xaRwzL4QT+jB6k7f9dehwyTY/tqlyXQJlR/BnV8zMJv7bfZ6xq8eEnd73HaHcKV
        Jxdg4VQEmfHtk4mGAfWuAy7j3N5TsPpcFTqgkJlAwUp3kH3yDVPvO1qHzbVmUFdv
        DscthxQ3xYVP1pCPdWsoiP4oR0L0EyaaqmTwG2J/hIw/vAGqwWx4CrMsg8VvKDps
        LPNp2IZ/HkXc+ztw3tsPXKWaLiTMli8RvZ8FEjsQ933Nfr23DHqEZgS0QA8fUZoa
        xzogdhxVue/W7KnZM8ENdP0jOf0l5oUncGo8VP5p5BmQhP73J3bVMyeQf7cIwIDA
        QABo2YwZDASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVH
        Q4EFgQUZyLAeeBVcjYns0Si80zfgF3flq4wHwYDVR0jBBgwFoAUw7fpWXXFX/lGD
        y85m5SqTPkl8PAwDQYJKoZIhvcNAQELBQADggEBAIVAxZlTfr2eEitQkDzx/Vxs5
        CftPYgIVJAt5SzSvoVjKQWfkth7PClZeGjGmZg9vozqwuFo+Tnvq1bCe8loiZn0P
        XwsjEeNxgKAnAGcg7KvacsnyH120DuvnT1NE33y/vR4GNqpnvFzf77DqlmN4BL8Y
        oa1vYp1XNehHg79YkS3FlGXuaN7ku7WU3Uuv25Em9ZbvNbfZyvGGeto8TWNkgfWn
        F/asfTFjYwUrF+8k4xxAFZ/0OjjM3Y0v0mpdf0XAE8a846PG59tn3qnopCQmqKuJ
        Tiv5CgWX8/RdARjVR/eQIwoaduW5YhmEFzMz24kLlJ5us6jHSGCYPzbT84OpLowg
        gMhMIICCaADAgECAhRnIjFxQzVLiE7JnREz6PpYT9J0DzANBgkqhkiG9w0BAQsFA
        DAmMQwwCgYDVQQKDAMxSUQxFjAUBgNVBAMMDTFJRCBSb290IENBIEEwIBcNMjYwM
        zE0MTQxMzQ3WhgPMjA1NjAzMDYxNDEzNDdaMCYxDDAKBgNVBAoMAzFJRDEWMBQGA
        1UEAwwNMUlEIFJvb3QgQ0EgQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCg
        gEBAOAkpJayeSScKqR0JEmx+i6EGae5F6roRJsqGQRA/fwZMsw7JXeKNyMhXcb2n
        6w7uHuWA8xiMYx4Arwr8FIGxGben3pjqkjPdVTyjLgczBKtK7Rws+yf70v57H8N/
        zaoBTfo/qtR8hx1cfi91vMED1q1S6iNkVBT8lPaHmS+lymmi9DzSMC9jcQCjLnOb
        kPwVDzYw7IeyODOYA+l/Vkf+GRJ71HdLJYpfHyTy0Y8OqJtnqv5BZeaV1u5oqXX9
        rn4mBCHNZRAbX9+JKwljNzxL55dEbOHhIqw4q8cezxT9fBjoKDcmkPDTWWUjqgui
        zK1naFzur/DCkFXAnCJ0bE33T0CAwEAAaNFMEMwEgYDVR0TAQH/BAgwBgEB/wIBA
        TAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMO36Vl1xV/5Rg8vOZuUqkz5JfDwM
        A0GCSqGSIb3DQEBCwUAA4IBAQAIUV87JRvdpKGik3xkdij2bzj97MWbxwXpn8G+L
        SAsGnoGZTbR87aj+6nC6ln7BxtAmqG/Htq24zI6T2jGPNd9vJIJe4KFT0xLqtwH+
        Y6GTgKx34s4EJfa+UcE/Rt8vwIA052QxerlCreT9bvD1HfLenVADbyIzL6g+nlfB
        EYqDLvgS+xqWw78u7Jr5rAqctYrGNGkpYdddixm6Cbnhkm4jMd+cDCq+qH18tBBP
        iM9icT19fqz88WfWCOYmHFBFabQWVtCJPN7C1yXVRume+OWsJzgEJ5K4kcLdm9K/
        yUW5ru00K8wL/ytD0107mH9w2MagpdOMPHKYBGj3ea1huMmMYIBbzCCAWsCAQEwR
        jAuMQwwCgYDVQQKDAMxSUQxHjAcBgNVBAMMFTFJRCBJbnRlcm1lZGlhdGUgQ0EgQ
        QIUH01pfnWQCIfMiHfTNQb7v7r3CmMwDQYJYIZIAWUDBAIBBQAwCwYJKoZIhvcNA
        QELBIIBAJrTV5BnJJ916qGGE8nTmYGPub7Kwd3z4KwHNCtQVC8eWxQkmeJ6ffF2f
        5RWBRwN08t1WQ60DtN7NxiSRfJWT1NSK8JRe+8f6hcOIYKgUeBoIhM1oliwTJcGD
        unymYzohvsMUct1mi0qFQScxGoQUGjGy2nXeIXman13l47mQ/1aNqcxXbtsoLRDk
        sEOg6M0agiRGh7SW68nlyr91BfQKY55ulrbGHmFpEDma+wHn1IZ0kHh+oVGM5M2B
        xU+E8+mEuLKYAp75Jgxd9zEWBtx3F870Q4CF/BhKL/6rRa+SaZJIWa9nkk41mNL2
        33OqpMiDIFfeI0pgKVYzvoVmWi+Tyc=; aid=urn:aid:com.1id:1id-tkoie2v
        e
Hardware-Trust-Proof: eyJhbGciOiJFUzI1NiIsImtpZCI6IjFpZC1od2F0dGVzdC1lcz
        I1Ni0xIiwidHlwIjoic2Qrand0In0.eyJpc3MiOiJodHRwczovLzFpZC5jb20iLC
        JpYXQiOjE3NzQ1MDY0MzksImV4cCI6MTc3NDUwNjczOSwibm9uY2UiOiJVRnh4bF
        hwUTR6dGg3ejlZSlRkWFRONTlKbWw0RFVheXVockdiUFotWHhNIiwiX3NkX2FsZy
        I6InNoYS0yNTYiLCJfc2QiOlsidGdCX3B5RFpuLVQtRGFlQlpONXFyNk5PTldZZG
        00Y3hOWUx1ZDBPT0ZDUSJdfQ.1Ojz34CEn-8nzpGGQf0R321yM1OMsguAkvc3lyq
        GagSWltkPKC6xb_MfETNilB-WQeHGffZQknrhwy-9mamFAA~WyJqN1AtQUFvc0RY
        dHpld0hvOTlGcE9RIiwidHJ1c3RfdGllciIsInNvdmVyZWlnbiJd~
X-1ID-Contact-Token: 8d0f52ce

RFC example 1 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  sovereign (hardware TPM, typ=TPM)
  Identity:    urn:aid:com.1id:1id-tkoie2ve
  Device:      Intel firmware TPM (PTT)
  SDK:         Node.js (1id npm package) v1.3.1
  Mode:        Combined (Mode 1 + Mode 2)
  Headers:     Hardware-Attestation (Mode 1)
               Hardware-Trust-Proof (Mode 2)

What to look for:
  - Hardware-Attestation: CMS SignedData bundle
    with X.509 chain rooted at manufacturer CA.
  - Hardware-Trust-Proof: SD-JWT with selectively
    disclosed trust_tier claim.
  - Both headers share the same aid URN.
  - From (alice@example.un.ag) differs from the
    aid URN -- sender and hardware identity are
    decoupled by design.
  - Compare with example 6 (same identity/device,
    Mode 1 only, Python SDK).

C.2. Example 2: Portable-Tier PIV/YubiKey (Mode 2 Only, Python SDK)

This message uses the same agent identity as Example 1 (urn:aid:com.1id:1id-tkoie2ve) but was authenticated via a Yubico YubiKey 5 (PIV slot 9a) on a different physical machine. The trust_tier in the Authentication-Results is "portable" (not "sovereign"), demonstrating dynamic trust tiering: the tier reflects the device used for the current authentication, not the highest tier the identity is capable of. Only Mode 2 (Hardware-Trust-Proof) is present because PIV-based CMS signing is not yet implemented in the reference SDK.¶

Received: from moonmac.home (unknown [2001:8000:1bed:6d00:d1b:716c:55b1:
        1044] (AS1221 Telstra Limited, AU))(using TLSv1.2 with cipher
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) by mail.mailpal.com
        (Stalwart SMTP) with ESMTPSA id 423B3B18EE530D1; Thu, 26 Mar
        2026 07:39:45 +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774510785; x=1775374785; bh=JzFuOSIpa6v/f7VY5FQ2+pcMkBmkx7MBh
        bMjnGbhwmI=; b=zUgy4VRUk2VvQm2ZbXx+cgMJrjKQ8w8p0JfwrzFFrQZOzZviP
        kT3TTv2gVTYRedADt3Oz/3pBUhcU4/hm1SsNO1gEPeedp1zll8UFDkM4gmBfEyCd
        syvbv/TFVd4tp6aFcnsrY+/vR1yQ6Qnpbl96YLSiXqLtcR5BKf4egRmn+kjcMaiS
        YVhXAvfIgLqauecNPiuQVMNW+bTs/sYp5fVOP122gw4AdgBlsL335xnzU+WV7xkl
        ANTNPXYX7jbQ0Eb1g4ml/2cWzi7Hvp/AnuA1fzi7FCXlBHTnKuFBxCKfrvjUVkad
        4mK/+RPprb4/9LCO8UI4cFMdVi+bDQQCaZnyQ==;
Authentication-Results: mailpal.com; hw-trust=pass
        header.trust_tier=portable header.registry=1id.com
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 2/6: Portable PIV (Python, Mode 2)
Date: Thu, 26 Mar 2026 17:39:37 +1000
Message-ID: <177451077748.22538.12383034578129922803@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Trust-Proof: eyJhbGciOiJFUzI1NiIsImtpZCI6IjFpZC1od2F0dGVzdC1lcz
        I1Ni0xIiwidHlwIjoic2Qrand0In0.eyJpc3MiOiJodHRwczovLzFpZC5jb20iLC
        JpYXQiOjE3NzQ1MTA3ODAsImV4cCI6MTc3NDUxMTA4MCwibm9uY2UiOiJxTUlQQk
        FrOWFYU2ljTmZpTnRlVlpzcHVoRV9HX1U5a3FXRndPWDBnTFFJIiwiX3NkX2FsZy
        I6InNoYS0yNTYiLCJfc2QiOlsiang2ZnNmemtWTXYzVDZENmk1ZTYyd0xuN09xan
        M5NkF0V0IwR0tPcXlmRSJdfQ.F3s1ojJtpOeDNTWNLVriHdEOoUlb9HTl-hBCpp6
        pDms6GPRUjxcUXlibBXrjuSsfaEyEWA17d-rToZzz-ECcCg~WyJ2U2RVMzQ0SFNU
        R1AtT0Vwb0VpdE53IiwidHJ1c3RfdGllciIsInBvcnRhYmxlIl0~
X-1ID-Contact-Token: 8d0f52ce

RFC example 2 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  portable (PIV/YubiKey, typ=PIV)
  Identity:    urn:aid:com.1id:1id-tkoie2ve
  Device:      YubiKey 5 NFC (PIV slot 9a)
  SDK:         Python (oneid-sdk) v1.3.3
  Mode:        Mode 2 only (SD-JWT trust proof)
  Header:      Hardware-Trust-Proof only

What to look for:
  - Same identity (aid) as examples 1 and 6,
    but a different trust_tier (portable).
  - This identity is deliberately shared across
    two machines (RoG via TPM, moonmac via PIV).
    A multi-server bulk-mail operation may want
    a single identity across all its servers so
    that they accrue a common reputation.
  - Dynamic trust tiering: the tier reflects
    the device used now, not the highest tier
    the identity has ever used.
  - Only Hardware-Trust-Proof is present;
    Mode 1 direct attestation is not yet
    supported for PIV-based signing.
  - The From address (alice@example.un.ag)
    differs from the aid URN.

C.3. Example 3: Enclave-Tier Secure Enclave (Combined Mode, Python SDK)

This message demonstrates Combined Mode (Mode 1 + Mode 2) from an enclave-tier identity (urn:aid:com.1id:1id-xiz43mxz) backed by the Apple Secure Enclave on a Mac mini (M2). The Hardware-Attestation header contains a CMS SignedData bundle with an ECDSA P-256 key held in the Secure Enclave. Note that typ=ENC in the header signals to verifiers that the Secure Enclave performs internal hashing (ECDSA with SHA-256 over the raw input rather than a pre-hashed digest), which affects the verification algorithm for this tier. The Hardware-Trust-Proof SD-JWT discloses trust_tier="enclave". The enclave tier shares a compatibility group with virtual (vTPM), as neither provides anti-Sybil guarantees (both device types can be re-keyed at will by the device owner).¶

This is a different identity than Examples 1, 2, and 6, because this device has its own independent enrollment.¶

Received: from mac-mini.local (unknown [2001:8000:1bed:6d00:450f:3a6d:4e
        35:1278] (AS1221 Telstra Limited, AU)) (using TLSv1.3 with
        cipher TLS13_AES_256_GCM_SHA384) by mail.mailpal.com (Stalwart
        SMTP) with ESMTPSA id 423D31DF50596D1;Thu, 26 Mar 2026 12:14:20
        +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774527260; x=1775391260;
        bh=feAv3I/4jG+E7MfQ0QJxgCWsB9rHO4ir7LMH7xA1+2s=;
        b=H1h/DqUDa05dK7egaOvsnoxX5JQsjTL6hzhFSDBFe6SsouUWSOCSHclvNSOJCq
        SNrLh1yOnR/Cu7KfVatydr/wF3vRfAWPZok9ek3ZT0umuMD6C4taM5l57CHQAPlo
        7j6lJ47NAQb+LVCF+H+37Tl8WNWvUUlSOW2xc1ZHxT+6rFx+yWGgdj6oY3zNT6S5
        h1HmQL3Brn0sOCQdM2Scjm7KEZxz8OJr53a9mPj+/Yv/A4JP67qa13dq5JLHDz+d
        FGIQniUo77yAY5jpgg4CrBx1b16OhzT+0hahlPJtVOWovJYS/DL0DLHXRgbcCa6U
        5CTMnmxfp6+DzzJ2sMhzwKhg==;
Authentication-Results: mailpal.com; hw-attest=pass header.typ=ENC
        header.alg=ES256 header.tier=enclave
        header.aid=urn:aid:com.1id:1id-xiz43mxz
Authentication-Results: mailpal.com; hw-trust=pass
        header.trust_tier=enclave header.registry=1id.com
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 3/6: Enclave (Python, Mode 1+2)
Date: Thu, 26 Mar 2026 22:14:10 +1000
Message-ID: <177452725007.16358.11744115580712301841@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Trust-Proof: eyJhbGciOiJFUzI1NiIsImtpZCI6IjFpZC1od2F0dGVzdC1lcz
        I1Ni0xIiwidHlwIjoic2Qrand0In0.eyJpc3MiOiJodHRwczovLzFpZC5jb20iLC
        JpYXQiOjE3NzQ1MjcyNTUsImV4cCI6MTc3NDUyNzU1NSwibm9uY2UiOiIxRFA3TV
        czYVN0WTdzRzltbDdlUVJJXzh4WU9xNVplWDJZOUw1dWxLQ3BrIiwiX3NkX2FsZy
        I6InNoYS0yNTYiLCJfc2QiOlsiM1J6WWl4bmVjNHFPdGdYSjU1ZTRTS2FtVWtWSG
        RGUGZYUkNLMEx0U2dxdyJdfQ.svOUXSI3K4qpFhkIshqqcJ-EJ3erFZWO4S_jhuX
        GFtrmiNmkx_F9czvoNYIeTPDi7mbXcMDjyOg3niHabToNEg~WyJ3eTRuZ1Yxb1A5
        bWhpQmlZTUdEYUlBIiwidHJ1c3RfdGllciIsImVuY2xhdmUiXQ~
X-1ID-Contact-Token: 69aea95a
Hardware-Attestation: v=1; typ=ENC; alg=ES256;
        h=from:to:subject:date:message-id:content-transfer-encoding:cont
        ent-type:mime-version:from:to:subject:date:message-id:content-tr
        ansfer-encoding:content-type:mime-version;
        bh=NoBLb0ghkIoYnL6DZMKhTd4PGygEyah4fcuBEbXYnrw; ts=1774527256;
        chain=MIIKdQYJKoZIhvcNAQcCoIIKZjCCCmICAQExDzANBglghkgBZQMEAgEFAD
        ALBgkqhkiG9w0BBwGgggmJMIIDFDCCAfygAwIBAgIUYIji1mIf1yIg8m/k5lEK2i
        MpM3cwDQYJKoZIhvcNAQELBQAwLjEMMAoGA1UECgwDMUlEMR4wHAYDVQQDDBUxSU
        QgSW50ZXJtZWRpYXRlIENBIEEwHhcNMjYwMzI2MDUzNDU5WhcNMjcwMzI2MDUzND
        U5WjBMMQwwCgYDVQQKDAMxSUQxJTAjBgNVBAMMHHVybjphaWQ6Y29tLjFpZDoxaW
        QteGl6NDNteHoxFTATBgNVBAUTDDFpZC14aXo0M214ejBZMBMGByqGSM49AgEGCC
        qGSM49AwEHA0IABHwvUSQJfLIavGu2Smbr5KsygOlMZP0I5aR5fAPjyTzrEuDKxs
        QY547Ma1bD0fkBWrnVFCCSZlGE0JYUIQGp0fOjgdYwgdMwJwYDVR0RBCAwHoYcdX
        JuOmFpZDpjb20uMWlkOjFpZC14aXo0M214ejAMBgNVHRMBAf8EAjAAMA4GA1UdDw
        EB/wQEAwIHgDAdBgNVHQ4EFgQUwKjPuDH2bUWHa3MOaJHQUM+p+NMwHwYDVR0jBB
        gwFoAUZyLAeeBVcjYns0Si80zfgF3flq4wFQYKKwYBBAGD1F8BAQQHZW5jbGF2ZT
        AiBgorBgEEAYPUXwECBBQyMDI2LTAzLTI2VDA1OjM0OjU5WjAPBgorBgEEAYPUXw
        EDBAEAMA0GCSqGSIb3DQEBCwUAA4IBAQCui/V804Jj9ZE3IJy7a5i7niFncCdMzQ
        98dMM2nnYTZiq4nW14avCb1liuAGIlvxflodvv4V9h0kHq8C1YC/IIUigtpX5NWb
        KfHOvDyCavQTZNm/YtEgyHH9fy22SOm+bCRjN4yy0xlTpzgT8ct97/qZBiTMB1fD
        LKz5MZAR/LC/bAEFUT+RGipaQKyk+ImZyeq5yCzGGl+KiRbsY0nBn+vNezhmckin
        iB1lx06W+R/WgwMsIX3k6BiJJsMhqelsI2Mx7WTfdRyA7BLxkUlAd8P0CAN4+xyM
        a2BaCJLLgN41BSJ40GdZ3I6aUo6qBNtditaTco8RjJm6Dm9JPl7lj4MIIDSDCCAj
        CgAwIBAgIUSEEYK28j6n6Vhr+w4PvDkiuyQbEwDQYJKoZIhvcNAQELBQAwJjEMMA
        oGA1UECgwDMUlEMRYwFAYDVQQDDA0xSUQgUm9vdCBDQSBBMB4XDTI2MDMxNDE0MT
        M0N1oXDTMxMDMxMzE0MTM0N1owLjEMMAoGA1UECgwDMUlEMR4wHAYDVQQDDBUxSU
        QgSW50ZXJtZWRpYXRlIENBIEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAo
        IBAQC554xsVDRUJ3fMEQISK3ayhz2DTFpHDMvhBP6MHqTt/116HDJNj+2qXJdAmV
        H8GdXzMwm/tt9nrGrx4Sd3vcdodwpUnF2DhVASZ8e2TiYYB9a4DLuPc3lOw+lwVO
        qCQmUDBSneQffINU+87WofNtWZQV28Oxy2HFDfFhU/WkI91ayiI/ihHQvQTJpqqZ
        PAbYn+EjD+8AarBbHgKsyyDxW8oOmws82nYhn8eRdz7O3De2w9cpZouJMyWLxG9n
        wUSOxD3fc1+vbcMeoRmBLRADx9RmhrHOiB2HFW579bsqdkzwQ10/SM5/SXmhSdwa
        jxU/mnkGZCE/vcndtUzJ5B/twjAgMBAAGjZjBkMBIGA1UdEwEB/wQIMAYBAf8CAQ
        AwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRnIsB54FVyNiezRKLzTN+AXd+Wrj
        AfBgNVHSMEGDAWgBTDt+lZdcVf+UYPLzmblKpM+SXw8DANBgkqhkiG9w0BAQsFAA
        OCAQEAhUDFmVN+vZ4SK1CQPPH9XGzkJ+09iAhUkC3lLNK+hWMpBZ+S2Hs8KVl4aM
        aZmD2+jOrC4Wj5Oe+rVsJ7yWiJmfQ9fCyMR43GAoCcAZyDsq9pyyfIfXbQO6+dPU
        0TffL+9HgY2qme8XN/vsOqWY3gEvxihrW9inVc16EeDv1iRLcWUZe5o3uS7tZTdS
        6/bkSb1lu81t9nK8YZ62jxNY2SB9acX9qx9MWNjBSsX7yTjHEAVn/Q6OMzdjS/Sa
        l1/RcATxrzjo8bn22feqeikJCaoq4lOK/kKBZfz9F0BGNVH95AjChp25bliGYQXM
        zPbiQuUnm6zqMdIYJg/NtPzg6kujCCAyEwggIJoAMCAQICFGciMXFDNUuITsmdET
        Po+lhP0nQPMA0GCSqGSIb3DQEBCwUAMCYxDDAKBgNVBAoMAzFJRDEWMBQGA1UEAw
        wNMUlEIFJvb3QgQ0EgQTAgFw0yNjAzMTQxNDEzNDdaGA8yMDU2MDMwNjE0MTM0N1
        owJjEMMAoGA1UECgwDMUlEMRYwFAYDVQQDDA0xSUQgUm9vdCBDQSBBMIIBIjANBg
        kqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4CSklrJ5JJwqpHQkSbH6LoQZp7kXqu
        hEmyoZBED9/BkyzDsld4o3IyFdxvafrDu4e5YDzGIxjHgCvCvwUgbEZt6femOqSM
        91VPKMuBzMEq0rtHCz7J/vS/nsfw3/NqgFN+j+q1HyHHVx+L3W8wQPWrVLqI2RUF
        PyU9oeZL6XKaaL0PNIwL2NxAKMuc5uQ/BUPNjDsh7I4M5gD6X9WR/4ZEnvUd0sli
        l8fJPLRjw6om2eq/kFl5pXW7mipdf2ufiYEIc1lEBtf34krCWM3PEvnl0Rs4eEir
        Dirxx7PFP18GOgoNyaQ8NNZZSOqC6LMrWdoXO6v8MKQVcCcInRsTfdPQIDAQABo0
        UwQzASBgNVHRMBAf8ECDAGAQH/AgEBMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFg
        QUw7fpWXXFX/lGDy85m5SqTPkl8PAwDQYJKoZIhvcNAQELBQADggEBAAhRXzslG9
        2koaKTfGR2KPZvOP3sxZvHBemfwb4tICwaegZlNtHztqP7qcLqWfsHG0Caob8e2r
        bjMjpPaMY81328kgl7goVPTEuq3Af5joZOArHfizgQl9r5RwT9G3y/AgDTnZDF6u
        UKt5P1u8PUd8t6dUANvIjMvqD6eV8ERioMu+BL7GpbDvy7smvmsCpy1isY0aSlh1
        12LGboJueGSbiMx35wMKr6ofXy0EE+Iz2JxPX1+rPzxZ9YI5iYcUEVptBZW0Ik83
        sLXJdVG6Z745awnOAQnkriRwt2b0r/JRbmu7TQrzAv/K0PTXTuYf3DYxqCl04w8c
        pgEaPd5rWG4yYxgbEwga4CAQEwRjAuMQwwCgYDVQQKDAMxSUQxHjAcBgNVBAMMFT
        FJRCBJbnRlcm1lZGlhdGUgQ0EgQQIUYIji1mIf1yIg8m/k5lEK2iMpM3cwDQYJYI
        ZIAWUDBAIBBQAwCgYIKoZIzj0EAwIERjBEAiAZJKFrLr5sP2x4MFEegb/ER4Hk+u
        BbCUUQvYsCzIvbhgIgDHJ40PwTkZ4aVPvg2gBxnh/F5j62qlcvA6OgA1H67MU=;
        aid=urn:aid:com.1id:1id-xiz43mxz

RFC example 3 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  enclave (Apple Secure Enclave)
  Identity:    urn:aid:com.1id:1id-xiz43mxz
  Device:      Apple Mac mini (M2, SE P256)
  SDK:         Python (oneid-sdk) v1.3.4
  Mode:        Combined (Mode 1 + Mode 2)
  Headers:     Hardware-Attestation (Mode 1)
               Hardware-Trust-Proof (Mode 2)

What to look for:
  - trust_tier=enclave in the SD-JWT.
  - The enclave tier shares a compatibility
    group with virtual (vTPM): both provide
    key isolation but lack anti-Sybil
    guarantees (re-keyable at will).
  - Hardware-Attestation carries a CMS
    SignedData bundle with the SE-backed
    ECDSA P-256 key and certificate chain.
  - A different identity than examples 1/6
    (this device has its own enrollment).

C.4. Example 4: Virtual-Tier vTPM (Combined Mode, Python SDK)

This message demonstrates Combined Mode from a virtual-tier identity backed by a VMware virtual TPM (vTPM). The Hardware-Attestation header uses typ=VRT (not typ=TPM), allowing verifiers to distinguish virtual from physical TPMs. The certificate chain is issuer-signed rather than rooted at a hardware manufacturer CA, since no physical manufacturer is involved. Receiving servers MAY apply different policy to virtual-tier attestations compared to sovereign or portable tiers.¶

Received: from w11vtpm.home (unknown [2001:8000:1bed:6d00:381f:a328:fe9d
        :860e] (AS1221 Telstra Limited, AU))(using TLSv1.3 with cipher
        TLS13_AES_256_GCM_SHA384) by mail.mailpal.com (Stalwart SMTP)
        with ESMTPSA id 423AB909844F0D1; Thu, 26 Mar 2026 06:28:43 +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774506523; x=1775370523;
        bh=t6uFMzcZhV+3fr99tSKnV1CYWnH47FK64RF9EcFXYnQ=; b=sSECW3y5QM+9R
        etAUX4BiZfCHAD7Vg0YjQvnGQym35d0GwpO9UpvH3kUI0s8ckck0Gfx/GDMnBqye
        cF22Ho/TmRtxYhjNXs1Hdspd97Gj9R89T4vbRTP4Se6AoeTCGY5sxEYkO/feYxau
        rVTEvSlyBQTOyPteCQBIvu+LTOnfseQBWaXmQEmgRF0hLhSnPpestgFtxbPvq7W7
        gpxet7GjEIs6nIrdjbeYDbY9izBkLFj6TcUuZbwMiH3KH01wm/qyx0KOoUP7g+5G
        6zsaGuvrmuEgfcX1DMVxAIlHhTJB1nAnHtUStvm4j8t1F9YEUJKD1YCSgLJQ8WvQ
        AJTTs/A0A==;
Authentication-Results: mailpal.com; hw-attest=pass header.typ=VRT
        header.alg=RS256 header.tier=virtual
        header.aid=urn:aid:com.1id:1id-jq8c84k4
Authentication-Results: mailpal.com; hw-trust=pass
        header.trust_tier=virtual header.registry=1id.com
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 4/6: Virtual vTPM (Python, Mode 1+2)
Date: Thu, 26 Mar 2026 17:28:00 +1100
Message-ID: <177450648054.26936.15036271949777087817@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Trust-Proof: eyJhbGciOiJFUzI1NiIsImtpZCI6IjFpZC1od2F0dGVzdC1lcz
        I1Ni0xIiwidHlwIjoic2Qrand0In0.eyJpc3MiOiJodHRwczovLzFpZC5jb20iLC
        JpYXQiOjE3NzQ1MDY0OTUsImV4cCI6MTc3NDUwNjc5NSwibm9uY2UiOiJxTjVwLT
        VkcEd4ZUtxc3hqcEY3WTMxb2ZIeEN3VU1vaU9YYWV3S09OdjlnIiwiX3NkX2FsZy
        I6InNoYS0yNTYiLCJfc2QiOlsiQ3VPNVBZb0lWMVVrS0RIWmlXOVpNSFJ4Q3hFRG
        Y3UEYtZEU5WXJpVTlKbyJdfQ.rjfzv36TBpjz7fAazYElH06l2n_PpX1gGRUltXO
        NzP-GX5leTEFvUALdxaEHQwq8GmLHM7gpavPS_C_QEF3m2w~WyJmMW1CeWY2LXdI
        NWFkVDFoWmpDRDRBIiwidHJ1c3RfdGllciIsInZpcnR1YWwiXQ~
X-1ID-Contact-Token: 4e2c70c6
Hardware-Attestation: v=1; typ=VRT; alg=RS256; h=from:to:subject:date:me
        ssage-id:content-transfer-encoding:content-type:mime-version:fro
        m:to:subject:date:message-id:content-transfer-encoding:content-t
        ype:mime-version; bh=FB8IXgMtG8UBjtblS5jLcFilBP9NoufFQV8ba9fsRLs
        ; ts=1774506497; chain=MIIL/wYJKoZIhvcNAQcCoIIL8DCCC+wCAQExDzANB
        glghkgBZQMEAgEFADALBgkqhkiG9w0BBwGgggpUMIID3zCCAsegAwIBAgIUCwbxp
        fLn+aYaUdcXrA+ytHDfwU8wDQYJKoZIhvcNAQELBQAwLjEMMAoGA1UECgwDMUlEM
        R4wHAYDVQQDDBUxSUQgSW50ZXJtZWRpYXRlIENBIEEwHhcNMjYwMzI1MTYxOTEyW
        hcNMjcwMzI1MTYxOTEyWjBMMQwwCgYDVQQKDAMxSUQxJTAjBgNVBAMMHHVybjpha
        WQ6Y29tLjFpZDoxaWQtanE4Yzg0azQxFTATBgNVBAUTDDFpZC1qcThjODRrNDCCA
        SIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOa84tc3dh9fVDBWTUA4I+MLo
        IoWxncnfqfRZo25ODrQi8ndZTqTZXrj9mt2kVLgFtUNT7b5XjGHRPz/zHpBm8dNx
        i/jISGOQ6diWM7xPikXvid/1hzCBmIOkrTSAajVkrz3UJb6U43CdVARX9NQh48Gd
        jrc5dtk3zyvtmvaxfIagCenQArwS4Iv6N+8U+5OvURc713L2P2pd81u4u6lZgEep
        bK0dUdLoYxq8fEAT/Ru4sHZtJFymQTMNVCcWRqVpZPRpezNktM6FfS2tcNzgGEhB
        388Os7EIntDlesDePdv4EVzXDOoL43Xz2TSFA8MCWqhIsu1Kpxbmed7KBbJcC0CA
        wEAAaOB1jCB0zAnBgNVHREEIDAehhx1cm46YWlkOmNvbS4xaWQ6MWlkLWpxOGM4N
        Gs0MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBSdMIQyG
        s98xq+qCV9L05jyTS6hWjAfBgNVHSMEGDAWgBRnIsB54FVyNiezRKLzTN+AXd+Wr
        jAVBgorBgEEAYPUXwEBBAd2aXJ0dWFsMCIGCisGAQQBg9RfAQIEFDIwMjYtMDMtM
        jBUMTQ6NDk6MTVaMA8GCisGAQQBg9RfAQMEAQAwDQYJKoZIhvcNAQELBQADggEBA
        BfRe2qtKDxp4O+mlH+sgot0MX+UxDIVJCTQyB9i/Ew9lTYERt9ZDDpxG5ZJAvuf7
        6FOoOtjQ69/BdSu9f3JEsbILzpLX8MHITT+rREAoUelnUMsLJz7OFieXhk6jMelW
        YdbPpyrArufEr3/yLZa+f50AYM+5e6JUBO0KYWlL0zEP9WMGFtxhO+ZtxBD8NUat
        NbAOL3gRAi3nz8OVnySzBNhunZPa89NRSHvHshF/63hroRVGnHvq/x1ANJFU9L0V
        pj+URuWetRYd4k8c79KicDCGnH4m6Q4i1coumbeaT9fYLMpEjczAgtejCnPjuQoB
        91rgREUxD+4O4OhvYpJ79YwggNIMIICMKADAgECAhRIQRgrbyPqfpWGv7Dg+8OSK
        7JBsTANBgkqhkiG9w0BAQsFADAmMQwwCgYDVQQKDAMxSUQxFjAUBgNVBAMMDTFJR
        CBSb290IENBIEEwHhcNMjYwMzE0MTQxMzQ3WhcNMzEwMzEzMTQxMzQ3WjAuMQwwC
        gYDVQQKDAMxSUQxHjAcBgNVBAMMFTFJRCBJbnRlcm1lZGlhdGUgQ0EgQTCCASIwD
        QYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALnnjGxUNFQnd8wRAhIrdrKHPYNMW
        kcMy+EE/owepO3/XXocMk2P7apcl0CZUfwZ1fMzCb+232esavHhJ3e9x2h3ClScX
        YOFUBJnx7ZOJhgH1rgMu49zeU7D6XBU6oJCZQMFKd5B98g1T7ztah821ZlBXbw7H
        LYcUN8WFT9aQj3VrKIj+KEdC9BMmmqpk8Btif4SMP7wBqsFseAqzLIPFbyg6bCzz
        adiGfx5F3Ps7cN7bD1ylmi4kzJYvEb2fBRI7EPd9zX69twx6hGYEtEAPH1GaGsc6
        IHYcVbnv1uyp2TPBDXT9Izn9JeaFJ3BqPFT+aeQZkIT+9yd21TMnkH+3CMCAwEAA
        aNmMGQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OB
        BYEFGciwHngVXI2J7NEovNM34Bd35auMB8GA1UdIwQYMBaAFMO36Vl1xV/5Rg8vO
        ZuUqkz5JfDwMA0GCSqGSIb3DQEBCwUAA4IBAQCFQMWZU369nhIrUJA88f1cbOQn7
        T2ICFSQLeUs0r6FYykFn5LYezwpWXhoxpmYPb6M6sLhaPk576tWwnvJaImZ9D18L
        IxHjcYCgJwBnIOyr2nLJ8h9dtA7r509TRN98v70eBjaqZ7xc3++w6pZjeAS/GKGt
        b2KdVzXoR4O/WJEtxZRl7mje5Lu1lN1Lr9uRJvWW7zW32crxhnraPE1jZIH1pxf2
        rH0xY2MFKxfvJOMcQBWf9Do4zN2NL9JqXX9FwBPGvOOjxufbZ96p6KQkJqiriU4r
        +QoFl/P0XQEY1Uf3kCMKGnbluWIZhBczM9uJC5SebrOox0hgmD820/ODqS6MIIDI
        TCCAgmgAwIBAgIUZyIxcUM1S4hOyZ0RM+j6WE/SdA8wDQYJKoZIhvcNAQELBQAwJ
        jEMMAoGA1UECgwDMUlEMRYwFAYDVQQDDA0xSUQgUm9vdCBDQSBBMCAXDTI2MDMxN
        DE0MTM0N1oYDzIwNTYwMzA2MTQxMzQ3WjAmMQwwCgYDVQQKDAMxSUQxFjAUBgNVB
        AMMDTFJRCBSb290IENBIEEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBA
        QDgJKSWsnkknCqkdCRJsfouhBmnuReq6ESbKhkEQP38GTLMOyV3ijcjIV3G9p+sO
        7h7lgPMYjGMeAK8K/BSBsRm3p96Y6pIz3VU8oy4HMwSrSu0cLPsn+9L+ex/Df82q
        AU36P6rUfIcdXH4vdbzBA9atUuojZFQU/JT2h5kvpcppovQ80jAvY3EAoy5zm5D8
        FQ82MOyHsjgzmAPpf1ZH/hkSe9R3SyWKXx8k8tGPDqibZ6r+QWXmldbuaKl1/a5+
        JgQhzWUQG1/fiSsJYzc8S+eXRGzh4SKsOKvHHs8U/XwY6Cg3JpDw01llI6oLosyt
        Z2hc7q/wwpBVwJwidGxN909AgMBAAGjRTBDMBIGA1UdEwEB/wQIMAYBAf8CAQEwD
        gYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBTDt+lZdcVf+UYPLzmblKpM+SXw8DANB
        gkqhkiG9w0BAQsFAAOCAQEACFFfOyUb3aShopN8ZHYo9m84/ezFm8cF6Z/Bvi0gL
        Bp6BmU20fO2o/upwupZ+wcbQJqhvx7atuMyOk9oxjzXfbySCXuChU9MS6rcB/mOh
        k4Csd+LOBCX2vlHBP0bfL8CANOdkMXq5Qq3k/W7w9R3y3p1QA28iMy+oPp5XwRGK
        gy74EvsalsO/Luya+awKnLWKxjRpKWHXXYsZugm54ZJuIzHfnAwqvqh9fLQQT4jP
        YnE9fX6s/PFn1gjmJhxQRWm0FlbQiTzewtcl1UbpnvjlrCc4BCeSuJHC3ZvSv8lF
        ua7tNCvMC/8rQ9NdO5h/cNjGoKXTjDxymARo93mtYbjJjGCAW8wggFrAgEBMEYwL
        jEMMAoGA1UECgwDMUlEMR4wHAYDVQQDDBUxSUQgSW50ZXJtZWRpYXRlIENBIEECF
        AsG8aXy5/mmGlHXF6wPsrRw38FPMA0GCWCGSAFlAwQCAQUAMAsGCSqGSIb3DQEBC
        wSCAQDG3jQoFX3z+sqGckMG62REgN0joeg3g660ySov4asnz2x/Hj1XU9CpmUNw3
        DI4GiiEFn3ZmATbSnSYlV1NDVPJ2Q91No4rIQxVJMYfeF0EIrQ2+Ur0ycEuTyZdh
        yGtDq8M2NbHVo2oeSRD4XLK/p//KOURU9tdDleNmL93N1Eo6GZpzoIX+unGH9SR6
        Kt294TE+WRzw8WFLKPTxcaiicMAv+1G37IwC+VzUxjqYBGMLESZCx9xnB0xeG/Y7
        NwIqqf7X5JWm6QZ2PGDCyjZWgEe0cUnGEEyj+YZS2LW/XqQghsC1LVFzIrTejhlZ
        363fAWD8wMLeAa5cJnYWjAL2ijM; aid=urn:aid:com.1id:1id-jq8c84k4

RFC example 4 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  virtual (vTPM, typ=VRT)
  Identity:    urn:aid:com.1id:1id-jq8c84k4
  Device:      VMware virtual TPM (vTPM)
  SDK:         Python (oneid-sdk) v1.3.2
  Mode:        Combined (Mode 1 + Mode 2)
  Headers:     Hardware-Attestation (Mode 1)
               Hardware-Trust-Proof (Mode 2)

What to look for:
  - trust_tier=virtual in the SD-JWT.
  - The virtual tier sits between sovereign
    and declared: the TPM exists but is not
    physically tamper-resistant.
  - Hardware-Attestation is present because
    the vTPM can still produce a valid AK
    certificate chain.
  - A verifier can distinguish virtual from
    sovereign by inspecting the trust_tier
    claim in the SD-JWT.

C.5. Example 5: Declared-Tier Software-Only (Mode 2 Only, Python SDK)

This message demonstrates a declared-tier identity where the signing key is stored in software with no hardware protection. Only Mode 2 (Hardware-Trust-Proof) succeeded; Mode 1 failed because the EdDSA algorithm used by this identity's software key is not yet supported in the reference SDK's CMS implementation. The SD-JWT discloses trust_tier="declared", allowing receiving servers to apply differentiated policy (e.g., lower reputation weight). Declared-tier identities still participate in reputation tracking, but without hardware-backed Sybil resistance.¶

Received: from RoG.localdomain (unknown [2001:8000:1bed:6d00:ecfa:f9e5:c
        8e3:ed4f] (AS1221 Telstra Limited, AU))(using TLSv1.3 with
        cipher TLS13_AES_256_GCM_SHA384) by mail.mailpal.com (Stalwart
        SMTP) with ESMTPSA id 423ADB058650CD1; Thu, 26 Mar 2026 06:47:16
        +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774507636; x=1775371636;
        bh=tQbweOdhmIKnVJeZ2WfV+dXtsk7S4L1RTzicUBPYEuk=; b=6yNSGTOK1IodR
        J59Jbhd9F/mFwrvJeGPv1C3sKb4eZKbPmYBQtdDjWuo4VknvsiZOE3uowJV6HitJ
        xCwd3ORAby9tMH4CX+U8aaPrcu24pGxRGP3qHKuJcj3LtnktSj3/RBwipjX7roqu
        gwZwEwJMBN8I6ilXN7GiC9F03AOfuraBSAUw+4CMk6oHl6tK2jeEXKu0VAHg0tOT
        qX05HOl4VTEy6meCKlXDRvJJO+iakUBa0udVtHMthHQYkBsGnNoBllUgXSpgXdxg
        nuAx1oVMpuZUdjBJZdtC5xpeZsupW4myKjfEP4lUuh00o5j4MbCZqUWAr0xriMpz
        2rD7EWaAw==;
Authentication-Results: mailpal.com; hw-trust=pass
        header.trust_tier=declared header.registry=1id.com
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 5/6: Declared tier (Python, Mode 2)
Date: Thu, 26 Mar 2026 16:47:11 +1000
Message-ID: <177450763154.21623.9499316015451560959@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Trust-Proof: eyJhbGciOiJFUzI1NiIsImtpZCI6IjFpZC1od2F0dGVzdC1lcz
        I1Ni0xIiwidHlwIjoic2Qrand0In0.eyJpc3MiOiJodHRwczovLzFpZC5jb20iLC
        JpYXQiOjE3NzQ1MDc2MzIsImV4cCI6MTc3NDUwNzkzMiwibm9uY2UiOiIxV040Q1
        RsRERubUVkdDM2NXFSZXl6dk1mX21VMVFjak82Y1dGMVRfNDg4IiwiX3NkX2FsZy
        I6InNoYS0yNTYiLCJfc2QiOlsieGt6MXhiTnhJbmZMWXdObzZ6dWNtTjVhbVB0VH
        FCaDFWOE4xYVQ4cy1BOCJdfQ.DxUzkzn3Bh33Nt-Tpq7YLkKYkYutLJyNgj3jJYG
        KuKNv-MoMuFXpnhlpVnG5qasrIb_TRJDmAGifvnOBzV5ubA~WyI4VGUwNHd4cHpL
        YU9POURQaVhfZXBnIiwidHJ1c3RfdGllciIsImRlY2xhcmVkIl0~
X-1ID-Contact-Token: c9f0a68c

RFC example 5 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  declared (software key, typ=SFT)
  Identity:    urn:aid:com.1id:1id-zrw4psyg
  Device:      Software-only (Ed25519 key)
  SDK:         Python (oneid-sdk) v1.3.2
  Mode:        Mode 2 only (SD-JWT trust proof)
  Header:      Hardware-Trust-Proof only

What to look for:
  - trust_tier=declared in the SD-JWT.
  - No Hardware-Attestation header (Mode 1
    requires a certificate chain, which
    declared-tier identities lack).
  - The declared tier is the lowest trust
    level: the identity has no hardware
    binding. It is equivalent to a standard
    software signing key.
  - This tier exists so that agents without
    hardware can still participate in the
    attestation ecosystem (e.g. to begin
    accruing reputation), with recipients
    aware of the reduced assurance.

C.6. Example 6: Sovereign-Tier TPM (Mode 1 Only, Python SDK)

This message demonstrates Mode 1 only (Direct Hardware Attestation) from the same physical TPM and agent identity as Example 1, but using the Python SDK instead of Node.js. There is no Hardware-Trust-Proof header; only the Hardware-Attestation header is present. This is the simpler deployment model where no SD-JWT issuer/registry interaction is needed -- the CMS signature is independently verifiable against the TPM manufacturer's root CA with no trust in any identity service required. The Authentication-Results header shows only hw-attest (no hw-trust result).¶

Received: from [172.22.1.89] (unknown [2001:8000:1bed:6d00:ecfa:f9e5:c8e
        3:ed4f] (AS1221 Telstra Limited, AU))(using TLSv1.3 with cipher
        TLS13_AES_256_GCM_SHA384) by mail.mailpal.com (Stalwart SMTP)
        with ESMTPSA id 423ADE6B40516D1; Thu, 26 Mar 2026 06:49:08 +0000
Return-Path: <alice@example.un.ag>
DKIM-Signature: v=1; a=rsa-sha256; s=rsa; d=example.un.ag;
        c=relaxed/relaxed; r=y; h=Message-ID:Date:Subject:To:From;
        t=1774507748; x=1775371748; bh=629O0DX4KvelluIXRhMhqaQlrmx71QOQV
        Vfnw8aAYjc=; b=UYsTBy57SwrnwyQ++nVr0toCnbv3kdk8/1o6XDPY47otdI4Ix
        xupx4VaATFeIv+h+CorYOGAwB2WnDDZzUYYupCidt0aoJHfz238KhoEWs1L+fXhr
        tDZYrk3e4MyQAWLNlAAS11u9ViVeCgaSLro80DQUQ49yaixGwj68Hc5HkXpuHS/r
        uC1pGWa7Cjeu54s+sQklUHqPIwymhuRIdfKAcZJoMEx0GSRHb3QWLO0hISvHnUk0
        tnveNw3HN/riJ8PEC35itJiJTbSDLzRL4rOdaXOkjsnStwoNQE0gJ+cLawJtmn8Q
        a7LNz9gHaIKfSoPuTe/9vqClr6KXHRB8XRBjA==;
Authentication-Results: mailpal.com; hw-attest=pass header.typ=TPM
        header.alg=RS256 header.tier=sovereign
        header.aid=urn:aid:com.1id:1id-tkoie2ve
From: Alice <alice@example.un.ag>
To: bob@example.un.ag
Subject: RFC Example 6/6: Sovereign TPM (Python, Mode 1)
Date: Thu, 26 Mar 2026 16:49:05 +1000
Message-ID: <177450774520.30168.11382866965426144830@mailpal.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
Hardware-Attestation: v=1; typ=TPM; alg=RS256; h=from:to:subject:date:me
        ssage-id:content-transfer-encoding:content-type:mime-version;
        bh=uQAodZKMniNXQzM-9eg-efen0Sg2a7iaZwO10AhYOEM; ts=1774507745;
        chain=MIIMAQYJKoZIhvcNAQcCoIIL8jCCC+4CAQExDzANBglghkgBZQMEAgEFAD
        ALBgkqhkiG9w0BBwGgggpWMIID4TCCAsmgAwIBAgIUH01pfnWQCIfMiHfTNQb7v7
        r3CmMwDQYJKoZIhvcNAQELBQAwLjEMMAoGA1UECgwDMUlEMR4wHAYDVQQDDBUxSU
        QgSW50ZXJtZWRpYXRlIENBIEEwHhcNMjYwMzIwMTYzNjI2WhcNMjcwMzIwMTYzNj
        I2WjBMMQwwCgYDVQQKDAMxSUQxJTAjBgNVBAMMHHVybjphaWQ6Y29tLjFpZDoxaW
        QtdGtvaWUydmUxFTATBgNVBAUTDDFpZC10a29pZTJ2ZTCCASIwDQYJKoZIhvcNAQ
        EBBQADggEPADCCAQoCggEBANvysXC8ILSnhGcqg66dWKWQLp9pOJZmj6yTbICDVL
        ydBwc1LGEQAW3BCee6XU/Bs0n91uROJCQw3jgrCMiBUOvS6Mjox/8NT1gfZ9sDQG
        VXN5gQ0t9H+r9vEPJ7YL9jhYmlxWQp+fS6vhZNrmH7g4XwEK+EsbMsc8H0ZuxKAM
        1S7p9447G9IOZOkFMK33ZxCCY00DFmwzXu/dkGFfuOaSWM5cazWz/kxqOtcpT73A
        CmJxQ6LU3yzB6VwbfwCWm6klQNKsd1c7FT5hX5ZYtEqDXeIpIGWyQp9TQgNbUIPe
        JCWO2rDLmh0ZXwqXR4yBqKeNWhUjrcnfQgNfrjJ7zB0z8CAwEAAaOB2DCB1TAnBg
        NVHREEIDAehhx1cm46YWlkOmNvbS4xaWQ6MWlkLXRrb2llMnZlMAwGA1UdEwEB/w
        QCMAAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdDgQWBBRroL9zk1MDMjMG4UyIvjZdzd
        X8QTAfBgNVHSMEGDAWgBRnIsB54FVyNiezRKLzTN+AXd+WrjAXBgorBgEEAYPUXw
        EBBAlzb3ZlcmVpZ24wIgYKKwYBBAGD1F8BAgQUMjAyNi0wMy0wNFQwMDowMDowMF
        owDwYKKwYBBAGD1F8BAwQBADANBgkqhkiG9w0BAQsFAAOCAQEAiL2Fwbib2C2bzY
        zRpDsyFGSXmn2LcFO3snxAaoRJxwMqa5UcyNZNaPk9SHtr7mocHO8spAi5q+7Twa
        8+1djZ3HJha5iKW59E9o2/JFBBM8p1ehkHVmlTtF130RFjaaW1BnPvdfjSMCdYHk
        9IIOw90+oAA7omUAlYTXclGLduE2fOfVcAaqIz+wFYS89iJOtlbj+BH8wwa6Ee3P
        1pEe1p4LW4KGdaIrA1/yfarCaglkVlJxA4GsR2y1H43l7ZNijh/lsS+iRJWXvBWG
        qecVx+GY/jPpvG4ahObRO4/MW5F1i3fKvkE0UX4juC5t0nPtCbRsQFRmbIcQv+Oc
        LJV9MexzCCA0gwggIwoAMCAQICFEhBGCtvI+p+lYa/sOD7w5IrskGxMA0GCSqGSI
        b3DQEBCwUAMCYxDDAKBgNVBAoMAzFJRDEWMBQGA1UEAwwNMUlEIFJvb3QgQ0EgQT
        AeFw0yNjAzMTQxNDEzNDdaFw0zMTAzMTMxNDEzNDdaMC4xDDAKBgNVBAoMAzFJRD
        EeMBwGA1UEAwwVMUlEIEludGVybWVkaWF0ZSBDQSBBMIIBIjANBgkqhkiG9w0BAQ
        EFAAOCAQ8AMIIBCgKCAQEAueeMbFQ0VCd3zBECEit2soc9g0xaRwzL4QT+jB6k7f
        9dehwyTY/tqlyXQJlR/BnV8zMJv7bfZ6xq8eEnd73HaHcKVJxdg4VQEmfHtk4mGA
        fWuAy7j3N5TsPpcFTqgkJlAwUp3kH3yDVPvO1qHzbVmUFdvDscthxQ3xYVP1pCPd
        WsoiP4oR0L0EyaaqmTwG2J/hIw/vAGqwWx4CrMsg8VvKDpsLPNp2IZ/HkXc+ztw3
        tsPXKWaLiTMli8RvZ8FEjsQ933Nfr23DHqEZgS0QA8fUZoaxzogdhxVue/W7KnZM
        8ENdP0jOf0l5oUncGo8VP5p5BmQhP73J3bVMyeQf7cIwIDAQABo2YwZDASBgNVHR
        MBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUZyLAeeBVcj
        Yns0Si80zfgF3flq4wHwYDVR0jBBgwFoAUw7fpWXXFX/lGDy85m5SqTPkl8PAwDQ
        YJKoZIhvcNAQELBQADggEBAIVAxZlTfr2eEitQkDzx/Vxs5CftPYgIVJAt5SzSvo
        VjKQWfkth7PClZeGjGmZg9vozqwuFo+Tnvq1bCe8loiZn0PXwsjEeNxgKAnAGcg7
        KvacsnyH120DuvnT1NE33y/vR4GNqpnvFzf77DqlmN4BL8Yoa1vYp1XNehHg79Yk
        S3FlGXuaN7ku7WU3Uuv25Em9ZbvNbfZyvGGeto8TWNkgfWnF/asfTFjYwUrF+8k4
        xxAFZ/0OjjM3Y0v0mpdf0XAE8a846PG59tn3qnopCQmqKuJTiv5CgWX8/RdARjVR
        /eQIwoaduW5YhmEFzMz24kLlJ5us6jHSGCYPzbT84OpLowggMhMIICCaADAgECAh
        RnIjFxQzVLiE7JnREz6PpYT9J0DzANBgkqhkiG9w0BAQsFADAmMQwwCgYDVQQKDA
        MxSUQxFjAUBgNVBAMMDTFJRCBSb290IENBIEEwIBcNMjYwMzE0MTQxMzQ3WhgPMj
        A1NjAzMDYxNDEzNDdaMCYxDDAKBgNVBAoMAzFJRDEWMBQGA1UEAwwNMUlEIFJvb3
        QgQ0EgQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOAkpJayeSScKq
        R0JEmx+i6EGae5F6roRJsqGQRA/fwZMsw7JXeKNyMhXcb2n6w7uHuWA8xiMYx4Ar
        wr8FIGxGben3pjqkjPdVTyjLgczBKtK7Rws+yf70v57H8N/zaoBTfo/qtR8hx1cf
        i91vMED1q1S6iNkVBT8lPaHmS+lymmi9DzSMC9jcQCjLnObkPwVDzYw7IeyODOYA
        +l/Vkf+GRJ71HdLJYpfHyTy0Y8OqJtnqv5BZeaV1u5oqXX9rn4mBCHNZRAbX9+JK
        wljNzxL55dEbOHhIqw4q8cezxT9fBjoKDcmkPDTWWUjqguizK1naFzur/DCkFXAn
        CJ0bE33T0CAwEAAaNFMEMwEgYDVR0TAQH/BAgwBgEB/wIBATAOBgNVHQ8BAf8EBA
        MCAQYwHQYDVR0OBBYEFMO36Vl1xV/5Rg8vOZuUqkz5JfDwMA0GCSqGSIb3DQEBCw
        UAA4IBAQAIUV87JRvdpKGik3xkdij2bzj97MWbxwXpn8G+LSAsGnoGZTbR87aj+6
        nC6ln7BxtAmqG/Htq24zI6T2jGPNd9vJIJe4KFT0xLqtwH+Y6GTgKx34s4EJfa+U
        cE/Rt8vwIA052QxerlCreT9bvD1HfLenVADbyIzL6g+nlfBEYqDLvgS+xqWw78u7
        Jr5rAqctYrGNGkpYdddixm6Cbnhkm4jMd+cDCq+qH18tBBPiM9icT19fqz88WfWC
        OYmHFBFabQWVtCJPN7C1yXVRume+OWsJzgEJ5K4kcLdm9K/yUW5ru00K8wL/ytD0
        107mH9w2MagpdOMPHKYBGj3ea1huMmMYIBbzCCAWsCAQEwRjAuMQwwCgYDVQQKDA
        MxSUQxHjAcBgNVBAMMFTFJRCBJbnRlcm1lZGlhdGUgQ0EgQQIUH01pfnWQCIfMiH
        fTNQb7v7r3CmMwDQYJYIZIAWUDBAIBBQAwCwYJKoZIhvcNAQELBIIBANlEWSrD7C
        9a1OdJkDysB9UvvSrYkdArqu4BjHu0nJxWJdHURKtXW73SYQK6eBYhGm+9FOgCdw
        syV+JsYijmeBMyB3iAwtYWWbEbjAnb0uj0WH2vhNEzKR8KYpus/YYauACqBPDCea
        BbFE7iFmhW1p9Zj6lSZ+M3EkuUTrZMuBadNxzWwOOdVls2+r8XSos8TgSRcnMsg4
        FdIs2KSL3pUAAMLLJEwUpBZ5VAIMlmFgUu/KSXfj97hnyl7qycq7TofKjLsLukqv
        U+58Oqs2eA8SxRnWQbvBs41JwywSZmAZ+2+gokICuWjteUnoUAkb1mPEy8ylFsK9
        jwbTSSBm9b2eU=; aid=urn:aid:com.1id:1id-tkoie2ve

RFC example 6 of 6: hardware email attestation per
draft-drake-email-hardware-attestation-00.

  Trust tier:  sovereign (hardware TPM, typ=TPM)
  Identity:    urn:aid:com.1id:1id-tkoie2ve
  Device:      Intel firmware TPM (PTT)
  SDK:         Python (oneid-sdk) v1.3.2
  Mode:        Mode 1 only (direct attestation)
  Header:      Hardware-Attestation only

What to look for:
  - Only Hardware-Attestation is present;
    no Hardware-Trust-Proof header.
  - Same identity and device as example 1,
    but sent via the Python SDK.
  - Demonstrates that Mode 1 and Mode 2
    are independent and composable.
  - The aid URN matches example 1.

C.7. Verification Failure Examples

The following Authentication-Results headers illustrate what receiving mail servers emit when verification fails. These are from actual test messages where the attestation was malformed or tampered with. Implementers building verifiers should emit similar diagnostic information in the parenthetical comment.¶

Mode 2 (SD-JWT Trust Proof) failure -- message-binding nonce mismatch, indicating the SD-JWT was not bound to this specific message (possible replay or header modification):¶

Authentication-Results: mailpal.com; hw-trust=fail
  header.trust_tier=declared header.registry=1id.com
  (Message-binding nonce mismatch: got
  'uVgDzsXUJUPch1I-hRM3vGgip4uIvrkE1aeixhsp3OU', expected
  'lB_mxWwfU9o301aGO4Yb3GdTzKm)

Mode 1 (Direct Hardware Attestation) failure -- cryptographic signature does not match, indicating the message body or signed headers were modified after signing (or the signing key does not match the certificate chain):¶

Authentication-Results: mailpal.com; hw-attest=fail
  header.typ=TPM header.alg=RS256 header.tier=sovereign
  header.aid=urn:aid:com.1id:1id-tkoie2ve
  (Signature verification failed: Cryptographic signature
  does not match)