author: sachiyo <sachiyo@google.com> 2018-02-14 19:07:08 +0000
committer: android-build-merger <android-build-merger@google.com> 2018-02-14 19:07:08 +0000
commit: 914062d1ddfcdedd10d80190f33fcd40c7021e69 (patch)
tree: 7f4deb13877987a093be4faab2f3d4db3f05bd26
parent: 81b5b0ae5cb8f956399e7fa771a0bda2e0540234 (diff)
parent: 59f5208e190207220af0aab0467ed55eb2f7ab48 (diff)
CDD: Clarify the key attestation is required only for new devices
am: 59f5208e19 Change-Id: Id1b0fe34aa6891ee65cc7efaae346fcc7af8a08d
-rw-r--r-- 9_security-model/9_11_keys-and-credentials.md 7
1 files changed, 4 insertions, 3 deletions
diff --git a/9_security-model/9_11_keys-and-credentials.md b/9_security-model/9_11_keys-and-credentials.md
index b650d483..503ed900 100644
--- a/9_security-model/9_11_keys-and-credentials.md
+++ b/9_security-model/9_11_keys-and-credentials.md
@@ -40,8 +40,9 @@ a different key MAY be used for each 100,000 units.
Note that if a device implementation is already launched on an earlier Android
version, such a device is exempted from the requirement to have a
-hardware-backed keystore, unless it declares the `android.hardware.fingerprint`
-feature which requires a hardware-backed keystore.
+hardware-backed keystore and support the key attestation, unless it declares
+the `android.hardware.fingerprint` feature which requires a hardware-backed
+keystore.
### 9.11.1\. Secure Lock Screen
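Review bot: In the added sentence, the "unless it declares the `android.hardware.fingerprint` feature" clause now qualifies both exemptions, but its rationale names only the hardware-backed keystore, so it is unclear whether an upgraded device that declares fingerprint must also support key attestation. The commit subject says key attestation is required only for new devices, which suggests the attestation exemption is meant to be unconditional; consider splitting this into two sentences, one per exemption, so the fingerprint exception attaches only to the keystore requirement. Separately, "and support the key attestation" would read better as "and to support key attestation", parallel with "to have".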
@@ -146,4 +147,4 @@ method with a more restrictive quality constant than
* [C-6-3] MUST NOT reset the password expiration timers set by
[`DevicePolicyManager.setPasswordExpirationTimeout()`](http://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#setPasswordExpirationTimeout%28android.content.ComponentName,%20long%29).
* [C-6-4] MUST NOT authenticate access to keystores if the application has
-called [`KeyGenParameterSpec.Builder.setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setUserAuthenticationRequired%28boolean%29)). \ No newline at end of file
+called [`KeyGenParameterSpec.Builder.setUserAuthenticationRequired(true)`](https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder.html#setUserAuthenticationRequired%28boolean%29)).
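Review bot: The [C-6-4] line still ends in "))." after the `setUserAuthenticationRequired(true)` link, and no opening parenthesis is visible in this hunk, so the second ")" looks like a stray character; since the line is already being rewritten to add the trailing newline, drop it in the same change. The newline fix is also unrelated to the key attestation clarification named in the commit subject, so a one-line mention in the commit message would help anyone reading the history.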