Device Identity with DICE and RIoT: Keys and Certificates

  • Paul England
  • Ronald Aigner
  • Kevin Kane
  • Andrey Marochko
  • Dennis Mattoon
  • Rob Spiger
  • Stefan Thom
  • Greg Zaverucha

MSR-TR-2017-41

This draft specification describes a cryptographic device identity and attestation scheme based on the TLS protocol and X.509 client certificates. The protocol and certificate formats can be implemented by any type of security processor, but they are well suited to DICE (Device Identifier Composition Engine) and RIoT (Robust Internet-of-Things) security architectures, in which a device secret and the measurement of each boot layer determine the keys that layer can use. Devices without hardware-based security can also implement the protocol in software, although the resulting identity and attestations will be of lower assurance, since nothing outside the software itself protects the device secret.
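The following Python model is an added illustration of the layered DICE/RIoT key structure that the specification builds its identity and attestation certificates on; it is not code from the report or from any DICE/RIoT implementation. It assumes a constructed Unique Device Secret (UDS) and constructed firmware images, uses HMAC-SHA256 as a stand-in for the device's key derivation function, and uses the SHA-256 of each derived seed as a stand-in for the public key a real device would derive from that seed. No X.509 encoding or TLS handshake is performed; the "Alias certificate" is a dict holding the fields (issuer DeviceID, subject Alias key, firmware ID) that the real certificate carries, and the relying-party check at the end is the policy a TLS server would apply after validating the chain.

```python
"""Toy model of DICE/RIoT layered key derivation and the attestation check a
relying party performs. Added example, not the report's own code.

Assumptions (not from the page): UDS, images and labels are constructed
sample data; HMAC-SHA256 stands in for the device KDF; sha256(seed) stands
in for the public key derived from a seed; certificates are plain dicts.
"""
import hashlib
import hmac

UDS = bytes(range(32))            # constructed 32-byte Unique Device Secret
RIOT_CORE_V1 = b"riot-core-v1"    # constructed first-mutable-code image
RIOT_CORE_V2 = b"riot-core-v2"    # constructed update of that image
APP_V1 = b"app-firmware-v1"       # constructed application firmware
APP_V2 = b"app-firmware-v2"       # constructed update of the application


def measure(image: bytes) -> bytes:
    """Measurement of an image: its SHA-256 digest."""
    return hashlib.sha256(image).digest()


def kdf(secret: bytes, label: bytes) -> bytes:
    """One-way, labelled derivation step (HMAC-SHA256 as a stand-in KDF)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


def public_id(seed: bytes) -> str:
    """Stand-in for the public half of the key pair derived from a seed."""
    return hashlib.sha256(seed).hexdigest()


def dice_cdi(uds: bytes, riot_core: bytes) -> bytes:
    """DICE layer: Compound Device Identifier bound to the UDS and to the
    measurement of the first mutable code. The UDS is used only here."""
    return kdf(uds, measure(riot_core))


def riot_keys(cdi: bytes, app: bytes) -> dict:
    """RIoT Core: the DeviceID seed depends on the CDI alone, so it is stable
    across application updates; the Alias seed is additionally bound to the
    application firmware measurement (FWID), so it changes with the app."""
    device_id_seed = kdf(cdi, b"DeviceID")
    fwid = measure(app)
    alias_seed = kdf(cdi, b"Alias" + fwid)
    return {
        "device_id": public_id(device_id_seed),
        "alias": public_id(alias_seed),
        "fwid": fwid.hex(),
    }


def alias_certificate(keys: dict) -> dict:
    """Fields the Alias certificate carries: issued under the DeviceID, naming
    the Alias key and the firmware it was derived for."""
    return {"issuer": keys["device_id"],
            "subject": keys["alias"],
            "fwid": keys["fwid"]}


def boot(uds: bytes, riot_core: bytes, app: bytes) -> dict:
    """Whole boot chain on the device: DICE -> RIoT Core -> Alias certificate."""
    return alias_certificate(riot_keys(dice_cdi(uds, riot_core), app))


def verify_attestation(cert: dict, enrolled_device_id: str,
                       approved_fwids: set) -> bool:
    """Relying-party policy after chain validation: the certificate must be
    issued under an enrolled DeviceID and carry an approved FWID."""
    return (cert["issuer"] == enrolled_device_id
            and cert["fwid"] in approved_fwids)


if __name__ == "__main__":
    c1 = boot(UDS, RIOT_CORE_V1, APP_V1)
    c2 = boot(UDS, RIOT_CORE_V1, APP_V2)
    print("DeviceID stable across app update:", c1["issuer"] == c2["issuer"])
    print("Alias key changed with app update:", c1["subject"] != c2["subject"])
    policy = {measure(APP_V1).hex()}
    print("v1 attestation accepted:", verify_attestation(c1, c1["issuer"], policy))
    print("v2 attestation rejected:", not verify_attestation(c2, c1["issuer"], policy))
```

The model shows the property the specification relies on: an application update rotates the Alias key and its certificate while leaving the DeviceID unchanged, whereas any change to the first mutable code changes the CDI and therefore both keys, so a relying party that enrolled the original DeviceID will no longer recognise the device. In software-only deployments the same derivation runs, but the UDS is just another value in memory, which is why the abstract rates such identities as lower assurance.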