Discover Managed Device Attestation

Discuss the WWDC22 Session Discover Managed Device Attestation

Posts under wwdc2022-10143 tag

2 Posts

Hi, I'm implementing support for device attestation on step-ca, and the attestation certificate (the leaf one in the x5c payload) doesn't include the nonce extension with the challenge token or the SHA256 version of it, as explained in https://developer.apple.com/videos/play/wwdc2022/10143/. Is this implemented? Can it be a device-related problem, meaning that older models do not support this?

Posted by maraino.
I'm curious about suggested workflows for a 3rd party ACME server handling a request for a managed device. Specifically, when the MDM server does not control the ACME server, as it likely would when using the ACME payload for the MDM client identity; i.e., an organization with a CA that can distribute client identities using ACME. How should ACME servers validate that the request is authorized? The server, of course, would be able to validate that the attestation is valid from Apple, but how would an ACME server validate that the request is authorized for a device? I would assume that the ACME server would use the ClientIdentifier key similarly to a SCEP challenge, and that identifier should be populated in MDM either as a static challenge or dynamically fetched by MDM from the ACME service? Or possibly the ACME service would need a connection (i.e., through a RESTful API) to the MDM server to validate that it is a device under management and fetch the generated client identifier, and therefore determine that the device is authorized to request certs from the enterprise CA? It would be great if the device could attest that it is under management and have an OID for the check-in URL or the APNS topic it is registered against. This might eliminate the ACME server's need to authorize a request against the MDM server, or help improve the validation of the request, etc. In any case, I'm curious about folks' thoughts around this in general :)