From 2c7874eba3a92bec9002094c1416c454ce7238f0 Mon Sep 17 00:00:00 2001
From: David Waite <dwaite@pingidentity.com>
Date: Wed, 11 Oct 2023 11:43:18 -0600
Subject: [PATCH] Add example for review.

Signature on the example is currently invalid.
---
 index.bs | 53 +++++++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 43 insertions(+), 10 deletions(-)

diff --git a/index.bs b/index.bs
index c769c3ba1..b0ec1201d 100644
--- a/index.bs
+++ b/index.bs
@@ -5827,16 +5827,7 @@ The attestation certificate MUST have the following fields/extensions:
     The extension MUST NOT be marked as critical.
 
     Note that an X.509 Extension encodes the DER-encoding of the value in an OCTET STRING.
-    Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid. Here is a sample, encoded Extension structure:
-
-    <pre>
-  30 21                                     -- SEQUENCE
-    06 0b 2b 06 01 04 01 82 e5 1c 01 01 04  -- 1.3.6.1.4.1.45724.1.1.4
-    04 12                                   -- OCTET STRING
-      04 10                                 -- OCTET STRING
-        cd 8c 39 5c 26 ed ee de             -- AAGUID
-        65 3b 00 79 7d 03 ca 3c
-    </pre>
+    Thus, the AAGUID MUST be wrapped in <i>two</i> OCTET STRINGS to be valid.
 
 - The Basic Constraints extension MUST have the CA component set to [FALSE].
 
@@ -5848,6 +5839,48 @@ The firmware of a particular authenticator model MAY be differentiated using the
     (`id-fido-gen-ce-fw-version`). When present, this attribute contains an INTEGER with a non-negative value which is incremented for new
     firmware release versions. The extension MUST NOT be marked as critical.
 
+For example, the following is an attestation certificate containing the above extension OIDs as well as required fields:
+
+<pre>
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 16909060 (0x1020304)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = Example attestation certificate
+        Validity
+            Not Before: Aug  1 00:00:00 2014 GMT
+            Not After : Sep  4 00:00:00 2050 GMT
+        Subject: C = US, O = WebAuthn WG, CN = Attestation example
+        Subject Public Key Info:
+            Public Key Algorithm: id-ecPublicKey
+                Public-Key: (256 bit)
+                ASN1 OID: prime256v1
+                NIST CURVE: P-256
+        X509v3 extensions:
+            1.3.6.1.4.1.45724.1.1.4:
+                ....9\&...e;.y}..<
+            1.3.6.1.4.1.45724.1.1.5:
+                ..*
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+-----BEGIN CERTIFICATE----- <!-- needs more text to prevent bikeshed emdash markdown bug -->
+MIICZzCCAU+gAwIBAgIEAQIDBDANBgkqhkiG9w0BAQsFADAqMSgwJgYDVQQDEx9F
+eGFtcGxlIGF0dGVzdGF0aW9uIGNlcnRpZmljYXRlMCAXDTE0MDgwMTAwMDAwMFoY
+DzIwNTAwOTA0MDAwMDAwWjBBMQswCQYDVQQGEwJVUzEUMBIGA1UECgwLV2ViQXV0
+aG4gV0cxHDAaBgNVBAMME0F0dGVzdGF0aW9uIGV4YW1wbGUwWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAAR56jssfElwEGIjDNI/62DlKTFx1IPxAL6FnWsPg5cDAbVG
+zdRuz8rj4/MPgentYr0mjUwevTezvL6SqMKu6046o0cwRTAhBgsrBgEEAYLlHAEB
+BAQSBBDNjDlcJu3u3mU7AHl9A8o8MBIGCysGAQQBguUcAQEFBAMCASowDAYDVR0T
+AQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAl50Dl9hg+C7hXTEceW66+yL6p+CE
+2bq0xhu7V/PmtMGKSDe4XDxO2+SDQ/TWpdmxztqK4f7UkSkhcwWOXuHL3WvawHVX
+xqDo02gluhWef7WtjNr4BIaM+Q6PH4rqF8AWtVwqetSXyJT7cddT15uaSEtsN21y
+O5mNLh1DBr8QM7Wu+Myly7JWi2kkIm0io1irfYfkrF8uCRqnFXnzpWkJSX1y9U4G
+usHDtEE7ul6vlMO2TzT566Qay2rig3dtNkZTeEj+6IS93fWxuleYVM/9zrrDRAWV
+J+Vt1Zj49WZxWr5DAd0ZETDmufDGQDkSU+IpgD867ydL7b/eP8u9QurWeQ==
+-----END CERTIFICATE-----
+</pre>
+
 ## TPM Attestation Statement Format ## {#sctn-tpm-attestation}
 
 This attestation statement format is generally used by authenticators that use a Trusted Platform Module as their cryptographic