Token binding using trust module protected keys
US-10142107-B2 · Nov 27, 2018 · US
US2019280883A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2019280883-A1 |
| Application number | US-201916351877-A |
| Country | US |
| Kind code | A1 |
| Filing date | Mar 13, 2019 |
| Priority date | Apr 19, 2016 |
| Publication date | Sep 12, 2019 |
| Grant date | — |
Official abstract text for this publication.
The present invention provides for streamlined issuance of certificates and other tokens that are contingent on key attestation of keys from a trusted platform module within a computing platform. Various methods are described for wrapping the requested token in a secret, such as an AES key, that is encrypted to a TPM based key in a key challenge. If the requesting platform fails the key challenge, the encrypted certificate or token cannot be decrypted. If the requesting platform passes the challenge, the encrypted certificate or token can be decrypted using the AES key recovered from the key challenge.
Opening claim text (preview).
1-20. (canceled)
21. A computer-implemented method for providing a token to a client computer based on TPM key attestation, the method comprising: receiving a token request from a client computer, wherein at least a portion of the token request is signed with a first TPM key; verifying the token request; issuing the token in response to verifying the token request; encrypting the token with a secret to form an encrypted token; encrypting the secret with a second TPM key to form an encrypted secret; and sending the encrypted token with the encrypted secret to the client computer.
22. The computer-implemented method of claim 21, wherein verifying the token request further comprises determining whether the first TPM key is associated with a TPM that has a third TPM key.
23. The computer-implemented method of claim 22, further comprising extracting the third TPM key from the token request.
24. The computer-implemented method of claim 23, wherein the first TPM key is a private attestation identity key and the third TPM key is a public attestation identity key.
25. The computer-implemented method of claim 21, wherein the token request comprises a key attestation claim.
26. The computer-implemented method of claim 21, wherein the token request includes an endorsement key certificate.
27. The computer-implemented method of claim 26, further comprising extracting the second TPM key from the endorsement key certificate.
28. The computer-implemented method of claim 27, wherein the second TPM key is a TPM public endorsement key.
29. The computer-implemented method of claim 21, wherein the token request is received in a single message from the client computer.
30. The computer-implemented method of claim 21, wherein the token comprises one of a decryption key, a signing key, an authentication token, and a license.
31. A health service system comprising a health service computer, wherein the health server computer includes a processor in electronic communication with a memory, the memory storing computer-readable instructions that when executed by the processor cause the health server to: receive a health certificate request from a client computer, wherein at least a portion of the health certificate request is signed with a first TPM key; verify the health certificate request; create a health certificate for the client computer in response to verifying the health certificate request; encrypt the health certificate with a server key to form an encrypted health certificate; encrypt the server key with a second TPM key to form an encrypted server key; and send the encrypted health certificate with the encrypted server key to the client computer.
32. The health service system of claim 31, wherein verifying the health certificate request further comprises determining whether the first TPM key is associated with a TPM that has a third TPM key.
33. The health service system of claim 31, wherein the health certificate request includes a key attestation claim.
34. The health service system of claim 33, further comprising extracting the second TPM key from the key attestation claim.
35. The health service system of claim 34, wherein the second TPM key is a TPM public endorsement key.
36. A computer-implemented method for obtaining a health certificate based on TPM key attestation for a client device, wherein the client device includes a TPM with a public endorsement key, a private endorsement key, an endorsement key certificate, a public attestation identity key, and a private attestation identity key, the method comprising: creating a key claim comprising the public attestation identity key and the public endorsement key from the TPM; signing the key claim with the private attestation identity key from the TPM; creating a health claim comprising health state information regarding the client device; signing the health claim with the private attestation identity key from the TPM; sending a request for a health certificate to a health service with the key claim and the health claim and a log with measurements from the client device; receiving a health blob from the health service; and accessing the health blob to obtain the health certificate.
37. The computer-implemented method of claim 36, wherein the health blob comprises an encrypted server key and an encrypted health certificate.
38. The computer-implemented method of claim 37, wherein accessing the health blob comprises: parsing the health blob to retrieve the encrypted server key and the encrypted health certificate; using the private endorsement key from the TPM to decrypt the encrypted server key; and using the decrypted server key to decrypt the health certificate.
39. The computer-implemented method of claim 36, wherein the health service is communicatively accessible to the client computer over a local network.
40. The computer-implemented method of claim 36, wherein the client device initiates the method for obtaining a health certificate automatically.
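The exchange described in the abstract and in claims 21 and 36 to 38, as an added Node.js example that is not part of the patent text: a signed key claim goes up in one message, and the token comes back sealed under an AES key that only the private endorsement key can recover. Software RSA keys stand in for the TPM-resident AIK and EK, the function and field names are hypothetical, and EK certificate chain validation is assumed to happen elsewhere.

```javascript
const crypto = require("node:crypto");

// Constructed software RSA keys stand in for TPM-resident AIK and EK key pairs.
const softKey = () => crypto.generateKeyPairSync("rsa", {
  modulusLength: 2048,
  publicKeyEncoding: { type: "spki", format: "pem" },
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

// Client: key claim with the public AIK and public EK, signed by the private AIK.
function makeRequest(aik, ekPublic) {
  const claim = JSON.stringify({ aik: aik.publicKey, ek: ekPublic });
  return { claim, sig: crypto.sign("sha256", Buffer.from(claim), aik.privateKey) };
}

// Server: verify the request, then wrap the token. EK certificate chain
// validation, which a real service needs before trusting `ek`, is left out.
function issueWrapped(request, token) {
  const { aik, ek } = JSON.parse(request.claim);
  if (!crypto.verify("sha256", Buffer.from(request.claim), aik, request.sig)) {
    throw new Error("token request signature invalid");
  }
  const secret = crypto.randomBytes(32); // one-time AES-256 key
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", secret, iv);
  const body = Buffer.concat([c.update(token), c.final()]);
  return {
    encryptedSecret: crypto.publicEncrypt({ key: ek, oaepHash: "sha256" }, secret),
    encryptedToken: Buffer.concat([iv, c.getAuthTag(), body]),
  };
}

// Client: the private EK recovers the secret, and the secret opens the token.
function unwrap(ekPrivate, blob) {
  const secret = crypto.privateDecrypt({ key: ekPrivate, oaepHash: "sha256" }, blob.encryptedSecret);
  const t = blob.encryptedToken; // iv (12) || GCM tag (16) || ciphertext
  const d = crypto.createDecipheriv("aes-256-gcm", secret, t.subarray(0, 12));
  d.setAuthTag(t.subarray(12, 28));
  return Buffer.concat([d.update(t.subarray(28)), d.final()]);
}

// The genuine client opens the blob; a platform holding another key cannot.
function demo() {
  const aik = softKey(), ek = softKey(), other = softKey();
  const blob = issueWrapped(makeRequest(aik, ek.publicKey), Buffer.from("constructed-health-certificate"));
  let rejected = false;
  try { unwrap(other.privateKey, blob); } catch { rejected = true; }
  return { token: unwrap(ek.privateKey, blob).toString(), rejected };
}
```

Calling `demo()` returns the recovered token together with a flag showing that a key pair other than the EK could not open the blob.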
for the management or administration of healthcare resources or facilities, e.g. managing hospital staff or surgery rooms · CPC title
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
for patient-specific data, e.g. for electronic patient records · CPC title
using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title