Device-attest-01 cannot do meaningful checks on persistent-identifiers and hardware-modules without asking an MDM instance or something else about the attested data.
A possible course of action might be implementing a possibility to check the OIDs (and the CSR as a whole) by calling a remote server (e.g. via HTTP POST), similar to how ExternalAccountBinding is currently implemented.
For Apple devices, the OIDs are listed here: https://support.apple.com/en-gb/guide/security/sec8a37b4cb2/web
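
A sketch of what the remote side of such a check could look like, as an added example that is not part of the original request or of any project's code. The JSON payload shape (`permanent_identifier`, `attested_oids`), the `allow`/`reason` response and the in-memory inventory are assumptions made for illustration; the two OIDs are Apple's serial-number and UDID attestation OIDs.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Apple attestation OIDs for the two device identifiers.
OID_SERIAL = "1.2.840.113635.100.8.9.1"
OID_UDID = "1.2.840.113635.100.8.9.2"

# Constructed sample inventory standing in for an MDM lookup: serial -> record.
INVENTORY = {"C02EXAMPLE01": {"udid": "00008030-EXAMPLEUDID0001", "enrolled": True}}


def _eq(a, b):
    """Constant-time comparison of two identifier strings."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def decide(payload, inventory=INVENTORY):
    """Return (allowed, reason); any missing or mismatched field denies."""
    oids = payload.get("attested_oids") or {}
    requested = payload.get("permanent_identifier")
    serial, udid = oids.get(OID_SERIAL), oids.get(OID_UDID)
    if not requested or not serial or not udid:
        return False, "missing identifier or attested OID"
    # The identifier in the ACME order must be one the attestation vouches for.
    if not (_eq(requested, serial) or _eq(requested, udid)):
        return False, "requested identifier not attested"
    record = inventory.get(serial)
    if record is None or not record.get("enrolled"):
        return False, "device not enrolled"
    if not _eq(record.get("udid", ""), udid):
        return False, "UDID does not match inventory"
    return True, "ok"


class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        try:
            body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            allowed, reason = decide(json.loads(body))
        except (ValueError, AttributeError, TypeError):
            allowed, reason = False, "malformed request"  # fail closed
        self.send_response(200 if allowed else 403)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"allow": allowed, "reason": reason}).encode())


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The decision only has value if the CA has already verified the attestation chain before forwarding the OID values, and if the channel between the CA and this endpoint is authenticated (for example with mutual TLS).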