Fuck my life, a #YubiHSM can:
- Attest asymmetric keys
- Generate asymmetric wrap keys
- CANNOT attest asymmetric wrap keys

I.e. when you're trying to back up your HSM to another HSM, it's cryptographically impossible to prove that it will be encrypted to the HSM you intend to.
@Logicb0x So on the remote side or for a public audit, you only see that your keys have been exported, but you cannot demonstrate what identity they've been exported to, nor how many copies of that identity exist on and off HSM.