Dyber PKI Certificate Bundle
=============================

This bundle contains the Dyber trust chain for device attestation.

Contents:
  root-ca.pem           Dyber Root CA (ML-DSA-65, self-signed)
  intermediate-ca.pem   Dyber Device Intermediate CA (ML-DSA-65, signed by Root CA)
  intermediate-ca.der   Same as above, DER-encoded
  crl.pem               Certificate Revocation List (updated every 7 days)
  README.txt            This file

Importing into an airgapped environment:

  1. Transfer this bundle to the target system via approved removable media.
  2. Verify the SHA-256 fingerprints of root-ca.pem and intermediate-ca.pem
     against the values published at https://dyber.org/pki/ or in the
     metadata.json file included with your Dyber hardware shipment.
  3. Import root-ca.pem into your system trust store.
  4. Import intermediate-ca.pem as a subordinate CA.
  5. Import crl.pem to enable revocation checking offline.
  6. Schedule periodic CRL updates by downloading crl.pem from
     https://dyber.org/pki/crl.pem every 7 days, or use the OCSP
     responder at https://ocsp.dyber.org if the system has network access.
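
The fingerprint comparison in step 2, as an added example that is not part of the original bundle or Dyber tooling. It assumes the published value is the SHA-256 of the certificate's DER encoding; the function names are hypothetical and the demo input is constructed.

```shell
#!/bin/sh
# Added example (not Dyber code): fingerprint check for step 2.
# Assumption: the reference value is SHA-256 over the certificate's DER bytes.

# Print SHA-256 (lowercase hex) of the DER bytes in the first PEM block.
pem_fingerprint() {
    awk '/^-----BEGIN CERTIFICATE-----/ {on=1; next}
         /^-----END CERTIFICATE-----/   {exit}
         on' "$1" | tr -d ' \r\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Normalise "AB:CD:..." or "abcd..." to bare lowercase hex.
normalise_fp() {
    printf '%s' "$1" | tr -d ': \r\n' | tr 'A-F' 'a-f'
}

# check_fingerprint FILE EXPECTED -> exit status 0 only on an exact match.
check_fingerprint() {
    [ -r "$1" ] || return 2
    actual=$(pem_fingerprint "$1")
    expected=$(normalise_fp "$2")
    # Refuse empty or truncated reference values instead of comparing them.
    [ "${#expected}" -eq 64 ] || return 2
    [ "$actual" = "$expected" ]
}

# der_matches_pem DER_FILE PEM_FILE -> 0 if both hold the same certificate,
# e.g. intermediate-ca.der against intermediate-ca.pem.
der_matches_pem() {
    [ "$(sha256sum < "$1" | cut -d' ' -f1)" = "$(pem_fingerprint "$2")" ]
}

# Write a constructed PEM file (payload is not a real certificate).
make_sample_pem() {
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s' "$1" | base64
        echo '-----END CERTIFICATE-----'
    } > "$2"
}

# Demo on constructed bytes; in practice pass root-ca.pem and the published value.
demo_dir=$(mktemp -d)
make_sample_pem 'constructed sample, not a certificate' "$demo_dir/sample.pem"
demo_ref=$(printf '%s' 'constructed sample, not a certificate' | sha256sum | cut -d' ' -f1)
check_fingerprint "$demo_dir/sample.pem" "$demo_ref" && echo "fingerprint OK"
rm -rf "$demo_dir"
```

If the published value is instead a hash of the PEM file as shipped, compare it against the output of sha256sum on the file itself.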

Verifying a device certificate chain:

  openssl verify -CAfile root-ca.pem -untrusted intermediate-ca.pem device-ek.pem

  Note: Standard OpenSSL does not yet support ML-DSA-65 verification.
  Use oqs-provider (https://github.com/open-quantum-safe/oqs-provider)
  or the Dyber QuantaCore SDK, which includes post-quantum verification.

Contact:

  Revocation requests: legal@dyber.org
  Technical support:   support@dyber.org
  PKI page:            https://dyber.org/pki/
  Policy:              https://dyber.org/pki/policy/

Dyber, Inc.
