diff --git a/evidence.go b/evidence.go
index 5969baa..abecdef 100644
--- a/evidence.go
+++ b/evidence.go
@@ -5,6 +5,7 @@ package ccatoken
 
 import (
 	"crypto"
+	"crypto/ecdsa"
 	"crypto/rand"
 	"crypto/sha256"
 	"crypto/sha512"
@@ -18,6 +19,7 @@ import (
 	"github.com/veraison/ccatoken/platform"
 	"github.com/veraison/ccatoken/realm"
 	cose "github.com/veraison/go-cose"
+	"github.com/veraison/psatoken"
 )
 
 // CBORCollection is a wrapper containing the CBOR data for both platform and
@@ -299,9 +301,24 @@ func (e *Evidence) Verify(iak crypto.PublicKey) error {
 		return fmt.Errorf("extracting RAK from the realm token: %w", err)
 	}
 
-	rak, err := ecdsaPublicKeyFromRaw(rawRAK)
+	var rak *ecdsa.PublicKey
+
+	_, err = e.RealmClaims.GetProfile()
 	if err != nil {
-		return fmt.Errorf("decoding RAK: %w", err)
+		switch err {
+		case psatoken.ErrOptionalClaimMissing:
+			rak, err = ecdsaPublicKeyFromRaw(rawRAK)
+			if err != nil {
+				return fmt.Errorf("decoding RAK: %w", err)
+			}
+		default:
+			return fmt.Errorf("extracting realm profile: %w", err)
+		}
+	} else {
+		rak, err = ecdsaPublicKeyFromCOSE(rawRAK)
+		if err != nil {
+			return fmt.Errorf("decoding RAK: %w", err)
+		}
 	}
 
 	// Next verify the realm token
diff --git a/evidence_test.go b/evidence_test.go
index 80decad..f243d81 100644
--- a/evidence_test.go
+++ b/evidence_test.go
@@ -30,7 +30,7 @@ func mustBuildValidCcaRealmClaims(t *testing.T) realm.IClaims {
 	err = c.SetHashAlgID(testHashAlgID)
 	require.NoError(t, err)
 
-	err = c.SetPubKey(testRAKPubRaw)
+	err = c.SetPubKey(testRAKPubCOSE)
 	require.NoError(t, err)
 
 	err = c.SetPubKeyHashAlgID(testPubKeyHashAlgID)
@@ -164,7 +164,7 @@ func TestEvidence_sign_and_verify_realm_key_mismatch(t *testing.T) {
 
 	// now set a different key from the one which is going to be used for
 	// signing
-	err = EvidenceIn.RealmClaims.SetPubKey(testAltRAKPubRaw)
+	err = EvidenceIn.RealmClaims.SetPubKey(testAltRAKPubCOSE)
 	assert.NoError(t, err)
 
 	ccaToken, err := EvidenceIn.ValidateAndSign(pSigner, rSigner)
@@ -260,7 +260,7 @@ func TestEvidence_GetRealmPubKey_ok(t *testing.T) {
 	)
 	require.NoError(t, err)
 
-	expected := &testRAKPubRaw
+	expected := &testRAKPubCOSE
 
 	actual := e.GetRealmPublicKey()
 	assert.Equal(t, expected, actual)
@@ -485,8 +485,10 @@ func TestEvidence_Verify_no_message(t *testing.T) {
 	assert.EqualError(t, err, "no message found")
 }
 
-func TestEvidence_Verify_RMM(t *testing.T) {
-	b := mustHexDecode(t, testRMMEvidence)
+func TestEvidence_Verify_RMM_Legacy(t *testing.T) {
+	b := mustHexDecode(t, testRMMLegacyEvidence)
+
+	fmt.Printf("%x\n", b)
 
 	e, err := DecodeAndValidateEvidenceFromCBOR(b)
 	require.NoError(t, err)
@@ -572,3 +574,37 @@ func TestEvidence_Validate_nagative(t *testing.T) {
 	assert.Contains(t, err.Error(), "realm challenge claim: wrong syntax")
 
 }
+
+func Test_UnmarshalCBOR_InvalidEntries_MissingSign1Tag(t *testing.T) {
+	tv := []byte{
+		0xd9, 0x01, 0x8f, // tag(399)
+		0xa2,             // map(2)
+		0x19, 0xac, 0xca, // unsigned(44234)
+		0x42,       // bytes(2)
+		0xde, 0xad, // h'dead'
+		0x19, 0xac, 0xd1, // unsigned(44241)
+		0x42,       // bytes(2)
+		0xbe, 0xef, // h'beef'
+	}
+	e := Evidence{}
+	err := e.UnmarshalCBOR(tv)
+	assert.ErrorContains(t, err, "decoding of CCA evidence failed")
+}
+
+func Test_UnmarshalCBOR_InvalidEntries_EmptySign1(t *testing.T) {
+	tv := []byte{
+		0xd9, 0x01, 0x8f,
+		0xa2,
+		0x19, 0xac, 0xca,
+		0x4e,
+		// invalid platform token
+		0xd2, 0x84, 0x44, 0xa1, 0x01, 0x38, 0x22, 0xa0, 0x42, 0xde, 0xad, 0x42, 0xbe, 0xef,
+		0x19, 0xac, 0xd1,
+		0x4e,
+		// invalid realm token
+		0xd2, 0x84, 0x44, 0xa1, 0x01, 0x38, 0x22, 0xa0, 0x42, 0xde, 0xad, 0x42, 0xbe, 0xef,
+	}
+	e := Evidence{}
+	err := e.UnmarshalCBOR(tv)
+	assert.ErrorContains(t, err, "decoding of CCA evidence failed")
+}
diff --git a/go.mod b/go.mod
index a8a60ad..88a369e 100644
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/lestrrat-go/jwx/v2 v2.0.8
 	github.com/stretchr/testify v1.8.1
 	github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53
-	github.com/veraison/go-cose v1.1.0
+	github.com/veraison/go-cose v1.2.1
 	github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4
 )
 
diff --git a/go.sum b/go.sum
index b4fd58e..69174ba 100644
--- a/go.sum
+++ b/go.sum
@@ -37,8 +37,8 @@ github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKs
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53 h1:5gnX2TrGd/Xz8DOp2OaLtg/jLoIubSUTrgz6iZ58pJ4=
 github.com/veraison/eat v0.0.0-20220117140849-ddaf59d69f53/go.mod h1:+kxt8iuFiVvKRs2VQ1Ho7bbAScXAB/kHFFuP5Biw19I=
-github.com/veraison/go-cose v1.1.0 h1:AalPS4VGiKavpAzIlBjrn7bhqXiXi4jbMYY/2+UC+4o=
-github.com/veraison/go-cose v1.1.0/go.mod h1:7ziE85vSq4ScFTg6wyoMXjucIGOf4JkFEZi/an96Ct4=
+github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc=
+github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8=
 github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4 h1:N7qg7vDF2mUg7I+8AoU+ieJ20cgcShwFHXHkV5b2YAA=
 github.com/veraison/psatoken v1.2.1-0.20240719122628-26fe500fd5d4/go.mod h1:6+WZzXr0ACXYiUAJJqTaCxW43gY2+gEaCoVNdDv3+Bw=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
diff --git a/platform/claims.go b/platform/claims.go
index f88d215..1c44db2 100644
--- a/platform/claims.go
+++ b/platform/claims.go
@@ -11,7 +11,8 @@ import (
 	"github.com/veraison/psatoken"
 )
 
-const ProfileName = "http://arm.com/CCA-SSD/1.0.0"
+const ProfileNameLegacy = "http://arm.com/CCA-SSD/1.0.0"
+const ProfileName = "tag:arm.com,2023:cca_platform#1.0.0"
 
 // Profile is the psatoken.IProfile implementation for CCA claims. It is
 // registered to associate the claims with the profile name, so that it can be
@@ -22,6 +23,10 @@ func (o Profile) GetName() string {
 	return ProfileName
 }
 
+func (o Profile) GetNameLegacy() string {
+	return ProfileNameLegacy
+}
+
 func (o Profile) GetClaims() psatoken.IClaims {
 	return NewClaims()
 }
@@ -212,7 +217,7 @@ func (c *Claims) GetProfile() (string, error) {
 		return "", err
 	}
 
-	if profileString != c.CanonicalProfile {
+	if profileString != c.CanonicalProfile && profileString != ProfileNameLegacy {
 		return "", fmt.Errorf("%w: expecting %q, got %q",
 			psatoken.ErrWrongProfile, c.CanonicalProfile, profileString)
 	}
diff --git a/platform/claims_test.go b/platform/claims_test.go
index 44b32e2..87916b3 100644
--- a/platform/claims_test.go
+++ b/platform/claims_test.go
@@ -182,7 +182,6 @@ func Test_CCAPlatform_UnmarshalCBOR_ok_mandatory_only(t *testing.T) {
 	actualSwComp, err := c.GetSoftwareComponents()
 	assert.NoError(t, err)
 	assert.Equal(t, expectedSwComp, actualSwComp)
-
 }
 
 func Test_CCAPlatform_Claims_UnmarshalCBOR_bad_input(t *testing.T) {
@@ -216,7 +215,7 @@ func Test_CCAPlatform_MarshalJSON_ok(t *testing.T) {
 	c := mustBuildValidClaims(t, true)
 
 	expected := `{
-	   "cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
+	   "cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
 	   "cca-platform-challenge":  "AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQE=",
 	   "cca-platform-implementation-id":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 	   "cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
@@ -309,18 +308,16 @@ func Test_CCAPlatform_UnmarshalJSON_negatives(t *testing.T) {
 func Test_DecodeClaims_CCAPlatform_ok(t *testing.T) {
 	tvs := []string{
 		testEncodedCcaPlatformClaimsAll,
+		testEncodedCcaPlatformLegacyClaimsAll,
 		testEncodedCcaPlatformClaimsMandatoryOnly,
+		testEncodedCcaPlatformLegacyClaimsMandatoryOnly,
 	}
 
 	for _, tv := range tvs {
 		buf := mustHexDecode(t, tv)
-		c, err := DecodeAndValidateClaimsFromCBOR(buf)
-
-		assert.NoError(t, err)
+		_, err := DecodeAndValidateClaimsFromCBOR(buf)
 
-		actualProfile, err := c.GetProfile()
 		assert.NoError(t, err)
-		assert.Equal(t, ProfileName, actualProfile)
 	}
 }
 
@@ -374,7 +371,7 @@ func Test_DecodeJSONClaims_CcaPlatform(t *testing.T) {
 	assert.NoError(t, err)
 	actualProfile, err := c.GetProfile()
 	assert.NoError(t, err)
-	assert.Equal(t, ProfileName, actualProfile)
+	assert.Equal(t, ProfileNameLegacy, actualProfile)
 }
 
 func Test_DecodeUnvalidatedJSONCCAClaims(t *testing.T) {
diff --git a/platform/pretty_test_vectors.go b/platform/pretty_test_vectors.go
index 958eb27..fd7a9ea 100644
--- a/platform/pretty_test_vectors.go
+++ b/platform/pretty_test_vectors.go
@@ -1,10 +1,22 @@
-// Copyright 2021-2024 Contributors to the Veraison project.
-// SPDX-License-Identifier: Apache-2.0
-
 package platform
 
 // automatically generated from CcaPlatformClaimsAll.diag
 var testEncodedCcaPlatformClaimsAll = `
+a919010978237461673a61726d2e636f6d2c323032333a6363615f706c61
+74666f726d23312e302e300a582001010101010101010101010101010101
+0101010101010101010101010101010119095c5820000000000000000000
+000000000000000000000000000000000000000000000019010058210102
+020202020202020202020202020202020202020202020202020202020202
+021909614301020319095b19300019095f81a20258200303030303030303
+030303030303030303030303030303030303030303030303055820040404
+040404040404040404040404040404040404040404040404040404040419
+0960782e68747470733a2f2f7665726169736f6e2e6578616d706c652f76
+312f6368616c6c656e67652d726573706f6e7365190962677368612d3235
+36
+`
+
+// automatically generated from CcaPlatformLegacyClaimsAll.diag
+var testEncodedCcaPlatformLegacyClaimsAll = `
 a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 2e302e300a58200101010101010101010101010101010101010101010101
 01010101010101010119095c582000000000000000000000000000000000
@@ -17,6 +29,32 @@ a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 656e67652d726573706f6e7365190962677368612d323536
 `
 
+// automatically generated from CcaPlatformClaimsMandatoryOnly.diag
+var testEncodedCcaPlatformClaimsMandatoryOnly = `
+a819010978237461673a61726d2e636f6d2c323032333a6363615f706c61
+74666f726d23312e302e300a582001010101010101010101010101010101
+0101010101010101010101010101010119095c5820000000000000000000
+000000000000000000000000000000000000000000000019010058210102
+020202020202020202020202020202020202020202020202020202020202
+021909614301020319095b19300019095f81a20258200303030303030303
+030303030303030303030303030303030303030303030303055820040404
+040404040404040404040404040404040404040404040404040404040419
+0962677368612d323536
+`
+
+// automatically generated from CcaPlatformLegacyClaimsMandatoryOnly.diag
+var testEncodedCcaPlatformLegacyClaimsMandatoryOnly = `
+a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
+2e302e300a58200101010101010101010101010101010101010101010101
+01010101010101010119095c582000000000000000000000000000000000
+000000000000000000000000000000001901005821010202020202020202
+020202020202020202020202020202020202020202020202190961430102
+0319095b19300019095f81a2025820030303030303030303030303030303
+030303030303030303030303030303030305582004040404040404040404
+04040404040404040404040404040404040404040404190962677368612d
+323536
+`
+
 // automatically generated from CcaPlatformClaimsInvalidMultiNonce.diag
 var testEncodedCcaPlatformClaimsInvalidMultiNonce = `
 a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
@@ -32,19 +70,6 @@ a9190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
 6368616c6c656e67652d726573706f6e7365190962677368612d323536
 `
 
-// automatically generated from CcaPlatformClaimsMandatoryOnly.diag
-var testEncodedCcaPlatformClaimsMandatoryOnly = `
-a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
-2e302e300a58200101010101010101010101010101010101010101010101
-01010101010101010119095c582000000000000000000000000000000000
-000000000000000000000000000000001901005821010202020202020202
-020202020202020202020202020202020202020202020202190961430102
-0319095b19300019095f81a2025820030303030303030303030303030303
-030303030303030303030303030303030305582004040404040404040404
-04040404040404040404040404040404040404040404190962677368612d
-323536
-`
-
 // automatically generated from CcaPlatformClaimsMissingMandatoryNonce.diag
 var testEncodedCcaPlatformClaimsMissingMandatoryNonce = `
 a8190109781c687474703a2f2f61726d2e636f6d2f4343412d5353442f31
diff --git a/platform/testvectors/cbor/CcaPlatformClaimsAll.diag b/platform/testvectors/cbor/CcaPlatformClaimsAll.diag
index ff73750..4ff00fc 100644
--- a/platform/testvectors/cbor/CcaPlatformClaimsAll.diag
+++ b/platform/testvectors/cbor/CcaPlatformClaimsAll.diag
@@ -1,5 +1,5 @@
 {
-  265: "http://arm.com/CCA-SSD/1.0.0",
+  265: "tag:arm.com,2023:cca_platform#1.0.0",
   10: h'0101010101010101010101010101010101010101010101010101010101010101',
   2396: h'0000000000000000000000000000000000000000000000000000000000000000',
   256: h'010202020202020202020202020202020202020202020202020202020202020202',
diff --git a/platform/testvectors/cbor/CcaPlatformClaimsMandatoryOnly.diag b/platform/testvectors/cbor/CcaPlatformClaimsMandatoryOnly.diag
index e8a2272..70e3484 100644
--- a/platform/testvectors/cbor/CcaPlatformClaimsMandatoryOnly.diag
+++ b/platform/testvectors/cbor/CcaPlatformClaimsMandatoryOnly.diag
@@ -1,5 +1,5 @@
 {
-  265: "http://arm.com/CCA-SSD/1.0.0",
+  265: "tag:arm.com,2023:cca_platform#1.0.0",
   10: h'0101010101010101010101010101010101010101010101010101010101010101',
   2396: h'0000000000000000000000000000000000000000000000000000000000000000',
   256: h'010202020202020202020202020202020202020202020202020202020202020202',
diff --git a/platform/testvectors/cbor/CcaPlatformExample.diag b/platform/testvectors/cbor/CcaPlatformExample.diag
new file mode 100644
index 0000000..a26f62d
--- /dev/null
+++ b/platform/testvectors/cbor/CcaPlatformExample.diag
@@ -0,0 +1,25 @@
+{
+    265: "tag:arm.com,2023:cca_platform#1.0.0",
+    10: h'0D22E08A98469058486318283489BDB36F09DBEFEB1864DF433FA6E54EA2D711',
+    2396: h'7F454C4602010100000000000000000003003E00010000005058000000000000',
+    256: h'0107060504030201000F0E0D0C0B0A090817161514131211101F1E1D1C1B1A1918',
+    2401: h'CFCFCFCF',
+    2395: 12291,
+    2402: "sha-256",
+    2400: "https://veraison.example/.well-known/veraison/verification",
+    2399: [
+        { 1: "RSE_BL1_2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A271F2A916B0B6EE6CECB2426F0B3206EF074578BE55D9BC94F6F3FE3AB86AA', 6: "sha-256" },
+        { 1: "RSE_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'53C234E5E8472B6AC51C1AE1CAB3FE06FAD053BEB8EBFD8977B010655BFDD3C3', 6: "sha-256" },
+        { 1: "RSE_S", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1121CFCCD5913F0A63FEC40A6FFD44EA64F9DC135C66634BA001D10BCF4302A2', 6: "sha-256" },
+        { 1: "AP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1571B5EC78BD68512BF7830BB6A2A44B2047C7DF57BCE79EB8A1C0E5BEA0A501', 6: "sha-256" },
+        { 1: "AP_BL2", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10159BAF262B43A92D95DB59DAE1F72C645127301661E0A3CE4E38B295A97C58', 6: "sha-256" },
+        { 1: "SCP_BL1", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'10122E856B3FCD49F063636317476149CB730A1AA1CFAAD818552B72F56D6F68', 6: "sha-256" },
+        { 1: "SCP_BL2", 5: h'F14B4987904BCB5814E4459A057ED4D20F58A633152288A761214DCD28780B56', 2: h'AA67A169B0BBA217AA0AA88A65346920C84C42447C36BA5F7EA65F422C1FE5D8', 6: "sha-256" },
+        { 1: "AP_BL31", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'2E6D31A5983A91251BFAE5AEFA1C0A19D8BA3CF601D0E8A706B4CFA9661A6B8A', 6: "sha-256" },
+        { 1: "RMM", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'A1FB50E6C86FAE1679EF3351296FD6713411A08CF8DD1790A4FD05FAE8688164', 6: "sha-256" },
+        { 1: "HW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'1A252402972F6057FA53CC172B52B9FFCA698E18311FACD0F3B06ECAAEF79E17', 6: "sha-256" },
+        { 1: "FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'9A92ADBC0CEE38EF658C71CE1B1BF8C65668F166BFB213644C895CCB1AD07A25', 6: "sha-256" },
+        { 1: "TB_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'238903180CC104EC2C5D8B3F20C5BC61B389EC0A967DF8CC208CDC7CD454174F', 6: "sha-256" },
+        { 1: "SOC_FW_CONFIG", 5: h'5378796307535DF3EC8D8B15A2E2DC5641419C3D3060CFE32238C0FA973F7AA3', 2: h'E6C21E8D260FE71882DEBDB339D2402A2CA7648529BC2303F48649BCE0380017', 6: "sha-256" }
+    ]
+}
diff --git a/platform/testvectors/cbor/CcaPlatformLegacyClaimsAll.diag b/platform/testvectors/cbor/CcaPlatformLegacyClaimsAll.diag
new file mode 100644
index 0000000..ff73750
--- /dev/null
+++ b/platform/testvectors/cbor/CcaPlatformLegacyClaimsAll.diag
@@ -0,0 +1,16 @@
+{
+  265: "http://arm.com/CCA-SSD/1.0.0",
+  10: h'0101010101010101010101010101010101010101010101010101010101010101',
+  2396: h'0000000000000000000000000000000000000000000000000000000000000000',
+  256: h'010202020202020202020202020202020202020202020202020202020202020202',
+  2401: h'010203',
+  2395: 12288,
+  2399: [
+    {
+      2: h'0303030303030303030303030303030303030303030303030303030303030303',
+      5: h'0404040404040404040404040404040404040404040404040404040404040404'
+    }
+  ],
+  2400: "https://veraison.example/v1/challenge-response",
+  2402: "sha-256"
+}
diff --git a/platform/testvectors/cbor/CcaPlatformLegacyClaimsMandatoryOnly.diag b/platform/testvectors/cbor/CcaPlatformLegacyClaimsMandatoryOnly.diag
new file mode 100644
index 0000000..e8a2272
--- /dev/null
+++ b/platform/testvectors/cbor/CcaPlatformLegacyClaimsMandatoryOnly.diag
@@ -0,0 +1,15 @@
+{
+  265: "http://arm.com/CCA-SSD/1.0.0",
+  10: h'0101010101010101010101010101010101010101010101010101010101010101',
+  2396: h'0000000000000000000000000000000000000000000000000000000000000000',
+  256: h'010202020202020202020202020202020202020202020202020202020202020202',
+  2401: h'010203',
+  2395: 12288,
+  2399: [
+    {
+      2: h'0303030303030303030303030303030303030303030303030303030303030303',
+      5: h'0404040404040404040404040404040404040404040404040404040404040404'
+    }
+  ],
+  2402: "sha-256"
+}
diff --git a/platform/testvectors/cbor/build-test-vectors.sh b/platform/testvectors/cbor/build-test-vectors.sh
index 47fbb4e..0f0185c 100755
--- a/platform/testvectors/cbor/build-test-vectors.sh
+++ b/platform/testvectors/cbor/build-test-vectors.sh
@@ -7,13 +7,15 @@ set -o pipefail
 
 DIAG_FILES=
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsAll"
-DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsInvalidMultiNonce"
+DIAG_FILES="${DIAG_FILES} CcaPlatformLegacyClaimsAll"
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsMandatoryOnly"
+DIAG_FILES="${DIAG_FILES} CcaPlatformLegacyClaimsMandatoryOnly"
+DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsInvalidMultiNonce"
 DIAG_FILES="${DIAG_FILES} CcaPlatformClaimsMissingMandatoryNonce"
 
 TV_DOT_GO=${TV_DOT_GO?must be set in the environment.}
 
-printf "package psatoken\n\n" > ${TV_DOT_GO}
+printf "package platform\n\n" > ${TV_DOT_GO}
 
 for t in ${DIAG_FILES}
 do
diff --git a/realm/claims.go b/realm/claims.go
index d001701..10daf14 100644
--- a/realm/claims.go
+++ b/realm/claims.go
@@ -8,16 +8,34 @@ import (
 	"github.com/veraison/psatoken"
 )
 
+const ProfileName = "tag:arm.com,2023:realm#1.0.0"
+
 // Claims contains the CCA realm claims. It implements IClaims, which is an
 // extension of psatoken.IClaimBase.
 type Claims struct {
-	Challenge              *eat.Nonce `cbor:"10,keyasint" json:"cca-realm-challenge"`
-	PersonalizationValue   *[]byte    `cbor:"44235,keyasint" json:"cca-realm-personalization-value"`
-	InitialMeasurement     *[]byte    `cbor:"44238,keyasint" json:"cca-realm-initial-measurement"`
-	ExtensibleMeasurements *[][]byte  `cbor:"44239,keyasint" json:"cca-realm-extensible-measurements"`
-	HashAlgID              *string    `cbor:"44236,keyasint" json:"cca-realm-hash-algo-id"`
-	PublicKey              *[]byte    `cbor:"44237,keyasint" json:"cca-realm-public-key"`
-	PublicKeyHashAlgID     *string    `cbor:"44240,keyasint" json:"cca-realm-public-key-hash-algo-id"`
+	Profile                *eat.Profile `cbor:"265,keyasint" json:"cca-realm-profile,omitempty"`
+	Challenge              *eat.Nonce   `cbor:"10,keyasint" json:"cca-realm-challenge"`
+	PersonalizationValue   *[]byte      `cbor:"44235,keyasint" json:"cca-realm-personalization-value"`
+	InitialMeasurement     *[]byte      `cbor:"44238,keyasint" json:"cca-realm-initial-measurement"`
+	ExtensibleMeasurements *[][]byte    `cbor:"44239,keyasint" json:"cca-realm-extensible-measurements"`
+	HashAlgID              *string      `cbor:"44236,keyasint" json:"cca-realm-hash-algo-id"`
+	PublicKey              *[]byte      `cbor:"44237,keyasint" json:"cca-realm-public-key"`
+	PublicKeyHashAlgID     *string      `cbor:"44240,keyasint" json:"cca-realm-public-key-hash-algo-id"`
+}
+
+// NewClaims claims returns a new instance of Claims.
+func NewClaims() IClaims {
+	p := eat.Profile{}
+	if err := p.Set(ProfileName); err != nil {
+		// should never get here as using known good constant as input
+		panic(err)
+	}
+
+	return &Claims{Profile: &p}
+}
+
+func newClaimsForDecoding() IClaims {
+	return &Claims{}
 }
 
 // Setters
@@ -73,8 +91,14 @@ func (c *Claims) SetHashAlgID(v string) error {
 }
 
 func (c *Claims) SetPubKey(v []byte) error {
-	if err := ValidateRealmPubKey(v); err != nil {
-		return err
+	if c.Profile == nil {
+		if err := ValidateRealmPubKey(v); err != nil {
+			return err
+		}
+	} else {
+		if err := ValidateRealmPubKeyCOSE(v); err != nil {
+			return err
+		}
 	}
 
 	c.PublicKey = &v
@@ -110,6 +134,25 @@ func (c Claims) GetChallenge() ([]byte, error) {
 	return n, nil
 }
 
+// If profile is not found return ErrOptionalClaimMissing
+func (c *Claims) GetProfile() (string, error) {
+	if c.Profile == nil {
+		return "", psatoken.ErrOptionalClaimMissing
+	}
+
+	profileString, err := c.Profile.Get()
+	if err != nil {
+		return "", err
+	}
+
+	if profileString != ProfileName {
+		return "", fmt.Errorf("%w: expecting %q, got %q",
+			psatoken.ErrWrongProfile, ProfileName, profileString)
+	}
+
+	return c.Profile.Get()
+}
+
 func (c Claims) GetPersonalizationValue() ([]byte, error) {
 	v := c.PersonalizationValue
 
@@ -168,8 +211,14 @@ func (c Claims) GetPubKey() ([]byte, error) {
 		return nil, psatoken.ErrMandatoryClaimMissing
 	}
 
-	if err := ValidateRealmPubKey(*v); err != nil {
-		return nil, err
+	if c.Profile == nil {
+		if err := ValidateRealmPubKey(*v); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := ValidateRealmPubKeyCOSE(*v); err != nil {
+			return nil, err
+		}
 	}
 
 	return *v, nil
diff --git a/realm/claims_test.go b/realm/claims_test.go
index 7830a33..b093de5 100644
--- a/realm/claims_test.go
+++ b/realm/claims_test.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"github.com/veraison/psatoken"
 )
 
 func mustBuildValidCcaRealmClaims(t *testing.T) IClaims {
@@ -26,7 +27,7 @@ func mustBuildValidCcaRealmClaims(t *testing.T) IClaims {
 	err = c.SetHashAlgID(testHashAlgID)
 	require.NoError(t, err)
 
-	err = c.SetPubKey(testRAKPubRaw)
+	err = c.SetPubKey(testRAKPubCOSE)
 	require.NoError(t, err)
 
 	err = c.SetPubKeyHashAlgID(testPubKeyHashAlgID)
@@ -66,8 +67,8 @@ func Test_CcaRealmClaims_Set_nok(t *testing.T) {
 	assert.EqualError(t, err, expectedErr)
 
 	err = c.SetPubKey([]byte("not-a-valid-point"))
-	expectedErr = "wrong syntax: length 17 (realm public key MUST be 97 bytes)"
-	assert.EqualError(t, err, expectedErr)
+	expectedErr = "wrong syntax"
+	assert.ErrorContains(t, err, expectedErr)
 
 	err = c.SetPubKey([]byte{
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
@@ -80,8 +81,8 @@ func Test_CcaRealmClaims_Set_nok(t *testing.T) {
 		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
 		0xff,
 	})
-	expectedErr = "wrong syntax: checking raw public key coordinates are on curve P-384: failed to unmarshal elliptic curve point"
-	assert.EqualError(t, err, expectedErr)
+	expectedErr = "wrong syntax"
+	assert.ErrorContains(t, err, expectedErr)
 
 	err = c.SetPubKeyHashAlgID("")
 	expectedErr = "invalid null string set for realm pubkey hash alg ID"
@@ -107,6 +108,17 @@ func Test_CcaRealmClaims_MarshalCBOR_all_claims(t *testing.T) {
 	assert.Equal(t, expected, actual)
 }
 
+func Test_CcaRealmLegacyClaims_UnmarshalCBOR_ok(t *testing.T) {
+	buf := mustHexDecode(t, testEncodedCcaRealmLegacyClaimsAll)
+
+	c, err := DecodeAndValidateClaimsFromCBOR(buf)
+	assert.NoError(t, err)
+
+	k, err := c.GetPubKey()
+	assert.NoError(t, err)
+	assert.Equal(t, testRAKPubRaw, k)
+}
+
 func Test_CcaRealmClaims_UnmarshalCBOR_ok(t *testing.T) {
 	buf := mustHexDecode(t, testEncodedCcaRealmClaimsAll)
 
@@ -140,7 +152,7 @@ func Test_CcaRealmClaims_UnmarshalCBOR_ok(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, expectedHashAlgID, actualHashAlgID)
 
-	expectedPubKey := testRAKPubRaw
+	expectedPubKey := testRAKPubCOSE
 	actualPubKey, err := c.GetPubKey()
 	assert.NoError(t, err)
 	assert.Equal(t, expectedPubKey, actualPubKey)
@@ -191,6 +203,7 @@ func Test_CcaRealm_Claims_MarshalJSON_ok(t *testing.T) {
 	c := mustBuildValidCcaRealmClaims(t)
 
 	expected := `{
+  "cca-realm-profile": "tag:arm.com,2023:realm#1.0.0",
   "cca-realm-challenge": "QUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQg==",
   "cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
   "cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
@@ -202,7 +215,7 @@ func Test_CcaRealm_Claims_MarshalJSON_ok(t *testing.T) {
   ]
   ,
   "cca-realm-hash-algo-id": "sha-256",
-  "cca-realm-public-key": "BIEZWICiIH+5VgMqPLl/XaWvcm/8txXuFkeEp/sWwGCWvdlGKjJlCykSqFUVcNbqHzstH32oonX6ADMPAHhhi8PhSVScgXDTLsVYkKf57HifHxiukusV0iKvlx2XHJZa8Q==",
+  "cca-realm-public-key": "pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=",
   "cca-realm-public-key-hash-algo-id": "sha-512"
 }`
 	actual, err := ValidateAndEncodeClaimsToJSON(c)
@@ -223,7 +236,7 @@ func Test_CcaRealmClaims_UnmarshalJSON_ok(t *testing.T) {
   ]
   ,
   "cca-realm-hash-algo-id": "sha-256",
-  "cca-realm-public-key": "BIEZWICiIH+5VgMqPLl/XaWvcm/8txXuFkeEp/sWwGCWvdlGKjJlCykSqFUVcNbqHzstH32oonX6ADMPAHhhi8PhSVScgXDTLsVYkKf57HifHxiukusV0iKvlx2XHJZa8Q==",
+  "cca-realm-public-key": "pAECIAIhWDB2+YgJG+WF7UGAGuz6uFhUjGMFfhaw5nYSC70NL5wp4FbF1BoBMOucIVF4mdwjFGsiWDAo4bBivT6ksxX9IZ8cu1KMtudMpJvhZ3NzT2GhymEDGyu/PZGPL5T/xCKOUJGVRK4=",
   "cca-realm-public-key-hash-algo-id": "sha-512"
 }`
 	_, err := DecodeAndValidateClaimsFromJSON([]byte(tv))
@@ -264,3 +277,28 @@ func Test_CcaRealmClaims_UnmarshalJSON_negatives(t *testing.T) {
 		assert.Error(t, err, "test vector %d failed", i)
 	}
 }
+
+func Test_SetPubKey_legacy_ok(t *testing.T) {
+	c := newClaimsForDecoding()
+	err := c.SetPubKey(testRAKPubRaw)
+	assert.NoError(t, err)
+}
+
+func Test_SetPubKey_legacy_bad(t *testing.T) {
+	c := newClaimsForDecoding()
+	err := c.SetPubKey(testRAKPubCOSE)
+	assert.ErrorContains(t, err, "wrong syntax")
+}
+
+func Test_GetProfile_legacy(t *testing.T) {
+	c := newClaimsForDecoding()
+	_, err := c.GetProfile()
+	assert.ErrorIs(t, err, psatoken.ErrOptionalClaimMissing)
+}
+
+func Test_GetProfile_ok(t *testing.T) {
+	c := NewClaims()
+	profile, err := c.GetProfile()
+	assert.NoError(t, err)
+	assert.Equal(t, ProfileName, profile)
+}
diff --git a/realm/common.go b/realm/common.go
index 186f68f..26ecf4f 100644
--- a/realm/common.go
+++ b/realm/common.go
@@ -6,6 +6,8 @@ import (
 	"errors"
 	"fmt"
 
+	cose "github.com/veraison/go-cose"
+
 	"github.com/veraison/psatoken"
 )
 
@@ -64,6 +66,32 @@ func ValidateRealmPubKey(b []byte) error {
 	return nil
 }
 
+// ValidateRealmPubKeyCOSE returns an error if the provided value does not
+// contain a valid realm public key in CBOR-encoded COSE_Key format
+func ValidateRealmPubKeyCOSE(b []byte) error {
+	var k cose.Key
+
+	if err := k.UnmarshalCBOR(b); err != nil {
+		return fmt.Errorf(
+			"%w: checking realm public key is a CBOR-encoded COSE_Key: %v",
+			psatoken.ErrWrongSyntax, err,
+		)
+	}
+
+	if k.KeyType != cose.KeyTypeEC2 {
+		return fmt.Errorf("%w: realm public key is not EC2", psatoken.ErrWrongSyntax)
+	}
+
+	if err := k.Validate(); err != nil {
+		return fmt.Errorf(
+			"%w: validating EC2 realm public key: %v",
+			psatoken.ErrWrongSyntax, err,
+		)
+	}
+
+	return nil
+}
+
 // ValidateRealmMeas returns an error if the provided value does not contain a
 // valid realm measurement (must be 32, 48, or 64 bytes long).
 func ValidateRealmMeas(b []byte) error {
diff --git a/realm/iclaims.go b/realm/iclaims.go
index 46fdbe1..128c621 100644
--- a/realm/iclaims.go
+++ b/realm/iclaims.go
@@ -22,6 +22,7 @@ type IClaims interface {
 	GetHashAlgID() (string, error)
 	GetPubKey() ([]byte, error)
 	GetPubKeyHashAlgID() (string, error)
+	GetProfile() (string, error)
 
 	// Setters
 	SetChallenge([]byte) error
@@ -31,11 +32,7 @@ type IClaims interface {
 	SetHashAlgID(string) error
 	SetPubKey([]byte) error
 	SetPubKeyHashAlgID(string) error
-}
-
-// NewClaims returns a new instance of realm claims.
-func NewClaims() IClaims {
-	return &Claims{}
+	// TODO(tho) do we need a profile setter?
 }
 
 // DecodeAndValidateClaimsFromCBOR unmarshals and validates CCA realm claims
@@ -55,7 +52,7 @@ func DecodeAndValidateClaimsFromCBOR(buf []byte) (IClaims, error) {
 
 // DecodeClaimsFromCBOR unmarshals CCA realm claims from provided CBOR data.
 func DecodeClaimsFromCBOR(buf []byte) (IClaims, error) {
-	cl := NewClaims()
+	cl := newClaimsForDecoding()
 
 	if err := dm.Unmarshal(buf, cl); err != nil {
 		return nil, err
diff --git a/realm/pretty_test_vectors.go b/realm/pretty_test_vectors.go
index 21c26e3..b687661 100644
--- a/realm/pretty_test_vectors.go
+++ b/realm/pretty_test_vectors.go
@@ -2,111 +2,143 @@ package realm
 
 // automatically generated from CcaRealmClaimsAll.diag
 var testEncodedCcaRealmClaimsAll = `
-a70a58404142414241424142414241424142414241424142414241424142
-414241424142414241424142414241424142414241424142414241424142
-414241424142414219accb58404144414441444144414441444144414441
-444144414441444144414441444144414441444144414441444144414441
-444144414441444144414441444144414419acce58404343434343434343
+a8190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e300a58404142414241424142414241424142414241424142414241
+424142414241424142414241424142414241424142414241424142414241
+424142414241424142414219accb58404144414441444144414441444144
+414441444144414441444144414441444144414441444144414441444144
+414441444144414441444144414441444144414419acce58404343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343434343434343434319accf84
-584043434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434319
+accf84584043434343434343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343584043434343434343434343434343434343434343434343
+434343434343434343584043434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343584043434343434343434343434343434343
+434343434343434343434343434343584043434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343584043434343434343434343
+434343434343434343434343434343434343434343584043434343434343
 434343434343434343434343434343434343434343434343434343434343
-43434343434343434343434343434343434343434343434319accc677368
-612d32353619accd58610481195880a2207fb956032a3cb97f5da5af726f
-fcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b
-2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec78
-9f1f18ae92eb15d222af971d971c965af119acd0677368612d353132
+43434343434343434343434343434343434343434343434343434319accc
+677368612d32353619accd586ba40102200221583076f988091be585ed41
+801aecfab858548c63057e16b0e676120bbd0d2f9c29e056c5d41a0130eb
+9c21517899dc23146b22583028e1b062bd3ea4b315fd219f1cbb528cb6e7
+4ca49be16773734f61a1ca61031b2bbf3d918f2f94ffc4228e50919544ae
+19acd0677368612d353132
 `
 
 // automatically generated from CcaClaimsMissingMandPubKey.diag
 var testEncodedCcaClaimsMissingMandPubKey = `
-a60a58404142414241424142414241424142414241424142414241424142
-414241424142414241424142414241424142414241424142414241424142
-414241424142414219accb58404144414441444144414441444144414441
-444144414441444144414441444144414441444144414441444144414441
-444144414441444144414441444144414419acce58404343434343434343
+a7190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e300a58404142414241424142414241424142414241424142414241
+424142414241424142414241424142414241424142414241424142414241
+424142414241424142414219accb58404144414441444144414441444144
+414441444144414441444144414441444144414441444144414441444144
+414441444144414441444144414441444144414419acce58404343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343434343434343434319accf84
-584043434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434319
+accf84584043434343434343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343584043434343434343434343434343434343434343434343
+434343434343434343584043434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343584043434343434343434343434343434343
+434343434343434343434343434343584043434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343584043434343434343434343
+434343434343434343434343434343434343434343584043434343434343
 434343434343434343434343434343434343434343434343434343434343
-43434343434343434343434343434343434343434343434319accc677368
-612d32353619acd0677368612d353132
+43434343434343434343434343434343434343434343434343434319accc
+677368612d32353619acd0677368612d353132
 `
 
 // automatically generated from CcaClaimsMissingMandExtendedMeas.diag
 var testEncodedCcaClaimsMissingMandExtendedMeas = `
-a60a58404142414241424142414241424142414241424142414241424142
-414241424142414241424142414241424142414241424142414241424142
-414241424142414219accb58404144414441444144414441444144414441
-444144414441444144414441444144414441444144414441444144414441
-444144414441444144414441444144414419acce58404343434343434343
-434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343434343434343434319accc67
-7368612d32353619accd58610481195880a2207fb956032a3cb97f5da5af
-726ffcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea
-1f3b2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9
-ec789f1f18ae92eb15d222af971d971c965af119acd0677368612d353132
+a7190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e300a58404142414241424142414241424142414241424142414241
+424142414241424142414241424142414241424142414241424142414241
+424142414241424142414219accb58404144414441444144414441444144
+414441444144414441444144414441444144414441444144414441444144
+414441444144414441444144414441444144414419acce58404343434343
+434343434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434319
+accc677368612d32353619accd58610481195880a2207fb956032a3cb97f
+5da5af726ffcb715ee164784a7fb16c06096bdd9462a32650b2912a85515
+70d6ea1f3b2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec558
+90a7f9ec789f1f18ae92eb15d222af971d971c965af119acd0677368612d
+353132
 `
 
 // automatically generated from CcaClaimsMissingMandInitialMeas.diag
 var testEncodedCcaClaimsMissingMandInitialMeas = `
-a60a58404142414241424142414241424142414241424142414241424142
-414241424142414241424142414241424142414241424142414241424142
-414241424142414219accb58404144414441444144414441444144414441
-444144414441444144414441444144414441444144414441444144414441
-444144414441444144414441444144414419accf84584043434343434343
+a7190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e300a58404142414241424142414241424142414241424142414241
+424142414241424142414241424142414241424142414241424142414241
+424142414241424142414219accb58404144414441444144414441444144
+414441444144414441444144414441444144414441444144414441444144
+414441444144414441444144414441444144414419accf84584043434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343434343434343434343584043
 434343434343434343434343434343434343434343434343434343434343
+584043434343434343434343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343584043434343434343434343434343434343434343434343434343
+434343434343584043434343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343584043434343434343434343434343434343434343
+434343434343434343434343584043434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-43434343434343434343434343434319accc677368612d32353619accd58
-610481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7fb
-16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa0033
-0f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15d222
-af971d971c965af119acd0677368612d353132
+43434343434343434343434343434343434319accc677368612d32353619
+accd58610481195880a2207fb956032a3cb97f5da5af726ffcb715ee1647
+84a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275
+fa00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb
+15d222af971d971c965af119acd0677368612d353132
 `
 
 // automatically generated from CcaRealmClaimsMissingMandNonce.diag
 var testEncodedCcaRealmClaimsMissingMandNonce = `
-a619accb5840414441444144414441444144414441444144414441444144
-414441444144414441444144414441444144414441444144414441444144
-4144414441444144414419acce5840434343434343434343434343434343
+a7190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e3019accb5840414441444144414441444144414441444144414441
+444144414441444144414441444144414441444144414441444144414441
+4441444144414441444144414419acce5840434343434343434343434343
+434343434343434343434343434343434343434343434343434343434343
+4343434343434343434343434343434343434343434319accf8458404343
 434343434343434343434343434343434343434343434343434343434343
-4343434343434343434343434343434343434319accf8458404343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434343434343434343434343434358
-404343434343434343434343434343434343434343434343434343434343
+434358404343434343434343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434358404343434343434343434343434343434343434343434343
+434343434343434358404343434343434343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434358404343434343434343434343434343434343
+434343434343434343434343434358404343434343434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-434343434343434343434343434343434319accc677368612d32353619ac
-cd58610481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784
-a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa
-00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15
-d222af971d971c965af119acd0677368612d353132
+434343434343434343434343434343434343434319accc677368612d3235
+3619accd58610481195880a2207fb956032a3cb97f5da5af726ffcb715ee
+164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8
+a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae
+92eb15d222af971d971c965af119acd0677368612d353132
 `
 
 // automatically generated from CcaClaimsMissingMandHashAlgID.diag
 var testEncodedCcaClaimsMissingMandHashAlgID = `
-a60a58404142414241424142414241424142414241424142414241424142
+a7190109781c7461673a61726d2e636f6d2c323032333a7265616c6d2331
+2e302e300a58404142414241424142414241424142414241424142414241
+424142414241424142414241424142414241424142414241424142414241
+424142414241424142414219accb58404144414441444144414441444144
+414441444144414441444144414441444144414441444144414441444144
+414441444144414441444144414441444144414419acce58404343434343
+434343434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434319
+accf84584043434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434343
+434343434343434343584043434343434343434343434343434343434343
+434343434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343584043434343434343434343434343
+434343434343434343434343434343434343434343434343434343434343
+434343434343434343434343434343434343434343584043434343434343
+434343434343434343434343434343434343434343434343434343434343
+43434343434343434343434343434343434343434343434343434319accd
+58610481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7
+fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa00
+330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15d2
+22af971d971c965af119acd0677368612d353132
+`
+
+// automatically generated from CcaRealmLegacyClaimsAll.diag
+var testEncodedCcaRealmLegacyClaimsAll = `
+a70a58404142414241424142414241424142414241424142414241424142
 414241424142414241424142414241424142414241424142414241424142
 414241424142414219accb58404144414441444144414441444144414441
 444144414441444144414441444144414441444144414441444144414441
@@ -121,9 +153,9 @@ a60a58404142414241424142414241424142414241424142414241424142
 434343434343434343434343434343434343434343434343434343434343
 434343434343434343434343434343434343584043434343434343434343
 434343434343434343434343434343434343434343434343434343434343
-43434343434343434343434343434343434343434343434319accd586104
-81195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7fb16c0
-6096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa00330f00
-78618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15d222af97
-1d971c965af119acd0677368612d353132
+43434343434343434343434343434343434343434343434319accc677368
+612d32353619accd58610481195880a2207fb956032a3cb97f5da5af726f
+fcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b
+2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec78
+9f1f18ae92eb15d222af971d971c965af119acd0677368612d353132
 `
diff --git a/realm/test_common.go b/realm/test_common.go
index e454808..87bb543 100644
--- a/realm/test_common.go
+++ b/realm/test_common.go
@@ -23,6 +23,7 @@ var (
 	testHashAlgID       = "sha-256"
 	testPubKeyHashAlgID = "sha-512"
 
+	// TODO(tho) use the equivalent in ../test_common.go
 	testRAKPubRaw = []byte{
 		0x04, 0x81, 0x19, 0x58, 0x80, 0xa2, 0x20, 0x7f, 0xb9, 0x56, 0x03, 0x2a,
 		0x3c, 0xb9, 0x7f, 0x5d, 0xa5, 0xaf, 0x72, 0x6f, 0xfc, 0xb7, 0x15, 0xee,
@@ -34,6 +35,19 @@ var (
 		0x92, 0xeb, 0x15, 0xd2, 0x22, 0xaf, 0x97, 0x1d, 0x97, 0x1c, 0x96, 0x5a,
 		0xf1,
 	}
+
+	// TODO(tho) use the equivalent in ../test_common.go
+	testRAKPubCOSE = []byte{
+		0xa4, 0x01, 0x02, 0x20, 0x02, 0x21, 0x58, 0x30, 0x76, 0xf9, 0x88, 0x09,
+		0x1b, 0xe5, 0x85, 0xed, 0x41, 0x80, 0x1a, 0xec, 0xfa, 0xb8, 0x58, 0x54,
+		0x8c, 0x63, 0x05, 0x7e, 0x16, 0xb0, 0xe6, 0x76, 0x12, 0x0b, 0xbd, 0x0d,
+		0x2f, 0x9c, 0x29, 0xe0, 0x56, 0xc5, 0xd4, 0x1a, 0x01, 0x30, 0xeb, 0x9c,
+		0x21, 0x51, 0x78, 0x99, 0xdc, 0x23, 0x14, 0x6b, 0x22, 0x58, 0x30, 0x28,
+		0xe1, 0xb0, 0x62, 0xbd, 0x3e, 0xa4, 0xb3, 0x15, 0xfd, 0x21, 0x9f, 0x1c,
+		0xbb, 0x52, 0x8c, 0xb6, 0xe7, 0x4c, 0xa4, 0x9b, 0xe1, 0x67, 0x73, 0x73,
+		0x4f, 0x61, 0xa1, 0xca, 0x61, 0x03, 0x1b, 0x2b, 0xbf, 0x3d, 0x91, 0x8f,
+		0x2f, 0x94, 0xff, 0xc4, 0x22, 0x8e, 0x50, 0x91, 0x95, 0x44, 0xae,
+	}
 )
 
 func mustHexDecode(t *testing.T, s string) []byte {
diff --git a/realm/testvectors/cbor/CcaClaimsMissingMandExtendedMeas.diag b/realm/testvectors/cbor/CcaClaimsMissingMandExtendedMeas.diag
index 935bb1a..58f8c4c 100644
--- a/realm/testvectors/cbor/CcaClaimsMissingMandExtendedMeas.diag
+++ b/realm/testvectors/cbor/CcaClaimsMissingMandExtendedMeas.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
diff --git a/realm/testvectors/cbor/CcaClaimsMissingMandHashAlgID.diag b/realm/testvectors/cbor/CcaClaimsMissingMandHashAlgID.diag
index 7962d3d..02f5058 100644
--- a/realm/testvectors/cbor/CcaClaimsMissingMandHashAlgID.diag
+++ b/realm/testvectors/cbor/CcaClaimsMissingMandHashAlgID.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
diff --git a/realm/testvectors/cbor/CcaClaimsMissingMandInitialMeas.diag b/realm/testvectors/cbor/CcaClaimsMissingMandInitialMeas.diag
index 370db69..7f55f1a 100644
--- a/realm/testvectors/cbor/CcaClaimsMissingMandInitialMeas.diag
+++ b/realm/testvectors/cbor/CcaClaimsMissingMandInitialMeas.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44239: [
diff --git a/realm/testvectors/cbor/CcaClaimsMissingMandPubKey.diag b/realm/testvectors/cbor/CcaClaimsMissingMandPubKey.diag
index ecf81a7..4d81089 100644
--- a/realm/testvectors/cbor/CcaClaimsMissingMandPubKey.diag
+++ b/realm/testvectors/cbor/CcaClaimsMissingMandPubKey.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
diff --git a/realm/testvectors/cbor/CcaRealmClaimsAll.diag b/realm/testvectors/cbor/CcaRealmClaimsAll.diag
index c7bb09e..01e4441 100644
--- a/realm/testvectors/cbor/CcaRealmClaimsAll.diag
+++ b/realm/testvectors/cbor/CcaRealmClaimsAll.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
@@ -9,6 +10,6 @@
       h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343'
     ],
   44236: "sha-256",
-  44237: h'0481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15d222af971d971c965af1',
+  44237: h'A40102200221583076F988091BE585ED41801AECFAB858548C63057E16B0E676120BBD0D2F9C29E056C5D41A0130EB9C21517899DC23146B22583028E1B062BD3EA4B315FD219F1CBB528CB6E74CA49BE16773734F61A1CA61031B2BBF3D918F2F94FFC4228E50919544AE',
   44240: "sha-512"
 }
diff --git a/realm/testvectors/cbor/CcaRealmClaimsMissingMandNonce.diag b/realm/testvectors/cbor/CcaRealmClaimsMissingMandNonce.diag
index 0506c71..41992a6 100644
--- a/realm/testvectors/cbor/CcaRealmClaimsMissingMandNonce.diag
+++ b/realm/testvectors/cbor/CcaRealmClaimsMissingMandNonce.diag
@@ -1,4 +1,5 @@
 {
+  265: "tag:arm.com,2023:realm#1.0.0",
   44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
   44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
   44239: [
diff --git a/realm/testvectors/cbor/CcaRealmExample.diag b/realm/testvectors/cbor/CcaRealmExample.diag
new file mode 100644
index 0000000..079318a
--- /dev/null
+++ b/realm/testvectors/cbor/CcaRealmExample.diag
@@ -0,0 +1,20 @@
+{
+    265: "tag:arm.com,2023:realm#1.0.0", / eat_profile /
+    10: h'6E86D6D97CC713BC6DD43DBCE491A6B40311C027A8BF85A39DA63E9CE44C132A8A119D296FAE6A6999E9BF3E4471B0CE01245D889424C31E89793B3B1D6B1504', / eat_nonce /
+    44236: "sha-256", / Realm hash algorithm /
+    44240: "sha-256", / RAK hash algorithm /
+    44235: h'54686520717569636B2062726F776E20666F78206A756D7073206F766572203133206C617A7920646F67732E54686520717569636B2062726F776E20666F7820', / PV /
+    44237: << { / RAK /
+        1: 2, / kty=EC2 /
+        -1: 2, / crv=P-384 /
+        -2: h'76F988091BE585ED41801AECFAB858548C63057E16B0E676120BBD0D2F9C29E056C5D41A0130EB9C21517899DC23146B', / x-coordinate /
+        -3: h'28E1B062BD3EA4B315FD219F1CBB528CB6E74CA49BE16773734F61A1CA61031B2BBF3D918F2F94FFC4228E50919544AE' / y-coordinate /
+    } >>,
+    44238: h'311314AB73620350CF758834AE5C65D9E8C2DC7FEBE6E7D9654BBE864E300D49', / RIM /
+    44239: [
+        h'24D5B0A296CC05CBD8068C5067C5BD473B770DDA6AE082FE3BA30ABE3F9A6AB1', / REM[0] /
+        h'788FC090BFC6B8ED903152BA8414E73DAF5B8C7BB1E79AD502AB0699B659ED16', / REM[1] /
+        h'DAC46A58415DC3A00D7A741852008E9CAE64F52D03B9F76D76F4B3644FEFC416', / REM[2] /
+        h'32C6AFC627E55585C03155359F331A0E225F6840DB947DD96EFAB81BE2671939'  / REM[3] /
+    ]
+}
diff --git a/realm/testvectors/cbor/CcaRealmLegacyClaimsAll.diag b/realm/testvectors/cbor/CcaRealmLegacyClaimsAll.diag
new file mode 100644
index 0000000..c7bb09e
--- /dev/null
+++ b/realm/testvectors/cbor/CcaRealmLegacyClaimsAll.diag
@@ -0,0 +1,14 @@
+{
+  10: h'41424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142414241424142',
+  44235: h'41444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144414441444144',
+  44238: h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
+  44239: [
+      h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
+      h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
+      h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343',
+      h'43434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343434343'
+    ],
+  44236: "sha-256",
+  44237: h'0481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92eb15d222af971d971c965af1',
+  44240: "sha-512"
+}
diff --git a/realm/testvectors/cbor/Makefile b/realm/testvectors/cbor/Makefile
new file mode 100644
index 0000000..fd26097
--- /dev/null
+++ b/realm/testvectors/cbor/Makefile
@@ -0,0 +1,13 @@
+# NOTE: the notion of which test vectors will be built is encoded in
+#       build-test-vectors.sh
+
+OUTPUT := ../../pretty_test_vectors.go
+
+DEPS := $(wildcard *.diag)
+
+all: $(OUTPUT)
+
+$(OUTPUT): $(DEPS)
+	env TV_DOT_GO=$(OUTPUT) ./build-test-vectors.sh
+
+clean: ; $(RM) $(OUTPUT)
diff --git a/realm/testvectors/cbor/build-test-vectors.sh b/realm/testvectors/cbor/build-test-vectors.sh
index 74c8b8f..3671db6 100755
--- a/realm/testvectors/cbor/build-test-vectors.sh
+++ b/realm/testvectors/cbor/build-test-vectors.sh
@@ -12,10 +12,11 @@ DIAG_FILES="${DIAG_FILES} CcaClaimsMissingMandExtendedMeas"
 DIAG_FILES="${DIAG_FILES} CcaClaimsMissingMandInitialMeas"
 DIAG_FILES="${DIAG_FILES} CcaRealmClaimsMissingMandNonce"
 DIAG_FILES="${DIAG_FILES} CcaClaimsMissingMandHashAlgID"
+DIAG_FILES="${DIAG_FILES} CcaRealmLegacyClaimsAll"
 
 TV_DOT_GO=${TV_DOT_GO?must be set in the environment.}
 
-printf "package ccatoken \n\n" > ${TV_DOT_GO}
+printf "package realm \n\n" > ${TV_DOT_GO}
 
 for t in ${DIAG_FILES}
 do
diff --git a/test_common.go b/test_common.go
index 383a86e..02e5a79 100644
--- a/test_common.go
+++ b/test_common.go
@@ -6,6 +6,7 @@ import (
 	"crypto/elliptic"
 	"encoding/hex"
 	"errors"
+	"fmt"
 	"reflect"
 	"regexp"
 	"testing"
@@ -25,6 +26,17 @@ var (
 		"x": "gRlYgKIgf7lWAyo8uX9dpa9yb_y3Fe4WR4Sn-xbAYJa92UYqMmULKRKoVRVw1uof",
 		"y": "Oy0ffaiidfoAMw8AeGGLw-FJVJyBcNMuxViQp_nseJ8fGK6S6xXSIq-XHZccllrx"
 	}`
+	testRAKPubCOSE = []byte{
+		0xa4, 0x01, 0x02, 0x20, 0x02, 0x21, 0x58, 0x30, 0x81, 0x19, 0x58, 0x80,
+		0xa2, 0x20, 0x7f, 0xb9, 0x56, 0x03, 0x2a, 0x3c, 0xb9, 0x7f, 0x5d, 0xa5,
+		0xaf, 0x72, 0x6f, 0xfc, 0xb7, 0x15, 0xee, 0x16, 0x47, 0x84, 0xa7, 0xfb,
+		0x16, 0xc0, 0x60, 0x96, 0xbd, 0xd9, 0x46, 0x2a, 0x32, 0x65, 0x0b, 0x29,
+		0x12, 0xa8, 0x55, 0x15, 0x70, 0xd6, 0xea, 0x1f, 0x22, 0x58, 0x30, 0x3b,
+		0x2d, 0x1f, 0x7d, 0xa8, 0xa2, 0x75, 0xfa, 0x00, 0x33, 0x0f, 0x00, 0x78,
+		0x61, 0x8b, 0xc3, 0xe1, 0x49, 0x54, 0x9c, 0x81, 0x70, 0xd3, 0x2e, 0xc5,
+		0x58, 0x90, 0xa7, 0xf9, 0xec, 0x78, 0x9f, 0x1f, 0x18, 0xae, 0x92, 0xeb,
+		0x15, 0xd2, 0x22, 0xaf, 0x97, 0x1d, 0x97, 0x1c, 0x96, 0x5a, 0xf1,
+	}
 	testRAKPubRaw = []byte{
 		0x04, 0x81, 0x19, 0x58, 0x80, 0xa2, 0x20, 0x7f, 0xb9, 0x56, 0x03, 0x2a,
 		0x3c, 0xb9, 0x7f, 0x5d, 0xa5, 0xaf, 0x72, 0x6f, 0xfc, 0xb7, 0x15, 0xee,
@@ -36,16 +48,16 @@ var (
 		0x92, 0xeb, 0x15, 0xd2, 0x22, 0xaf, 0x97, 0x1d, 0x97, 0x1c, 0x96, 0x5a,
 		0xf1,
 	}
-	testAltRAKPubRaw = []byte{
-		0x04, 0x18, 0xe0, 0xbd, 0x6e, 0x32, 0x42, 0xe4, 0x3b, 0x0e, 0x60, 0xf5,
-		0xc9, 0xc4, 0xc5, 0x10, 0xc8, 0xd9, 0xc5, 0x28, 0xa0, 0x5b, 0xd5, 0x5b,
-		0x83, 0xb0, 0x66, 0xfd, 0x64, 0xad, 0xc9, 0xc7, 0x05, 0xcc, 0x71, 0x22,
-		0x64, 0xad, 0x9c, 0xce, 0x80, 0x97, 0xfe, 0xf5, 0x39, 0xa2, 0x20, 0x01,
-		0xc0, 0x48, 0x85, 0x45, 0x2c, 0x8b, 0xeb, 0x03, 0x66, 0xbf, 0x12, 0x81,
-		0x7a, 0x34, 0x6b, 0x5e, 0x7b, 0xf9, 0xcd, 0x9c, 0xa6, 0x41, 0xbc, 0xc2,
-		0xc5, 0x22, 0x50, 0x30, 0xce, 0x08, 0x32, 0xc4, 0xc7, 0xa9, 0xa0, 0x9f,
-		0x38, 0x9b, 0xb2, 0xb1, 0x7d, 0x10, 0xaa, 0x04, 0x09, 0x7c, 0x2c, 0x9a,
-		0x24,
+	testAltRAKPubCOSE = []byte{
+		0xa4, 0x01, 0x02, 0x20, 0x02, 0x21, 0x58, 0x30, 0x76, 0xf9, 0x88, 0x09,
+		0x1b, 0xe5, 0x85, 0xed, 0x41, 0x80, 0x1a, 0xec, 0xfa, 0xb8, 0x58, 0x54,
+		0x8c, 0x63, 0x05, 0x7e, 0x16, 0xb0, 0xe6, 0x76, 0x12, 0x0b, 0xbd, 0x0d,
+		0x2f, 0x9c, 0x29, 0xe0, 0x56, 0xc5, 0xd4, 0x1a, 0x01, 0x30, 0xeb, 0x9c,
+		0x21, 0x51, 0x78, 0x99, 0xdc, 0x23, 0x14, 0x6b, 0x22, 0x58, 0x30, 0x28,
+		0xe1, 0xb0, 0x62, 0xbd, 0x3e, 0xa4, 0xb3, 0x15, 0xfd, 0x21, 0x9f, 0x1c,
+		0xbb, 0x52, 0x8c, 0xb6, 0xe7, 0x4c, 0xa4, 0x9b, 0xe1, 0x67, 0x73, 0x73,
+		0x4f, 0x61, 0xa1, 0xca, 0x61, 0x03, 0x1b, 0x2b, 0xbf, 0x3d, 0x91, 0x8f,
+		0x2f, 0x94, 0xff, 0xc4, 0x22, 0x8e, 0x50, 0x91, 0x95, 0x44, 0xae,
 	}
 	testIAK = `{
 		"kty": "EC",
@@ -123,8 +135,8 @@ var (
 	testCombinedClaimsJSON = `
 	{
 	  "cca-platform-token": {
-		"cca-platform-profile": "http://arm.com/CCA-SSD/1.0.0",
-		"cca-platform-challenge": "GiYROaq2dsJjIkODmlmKF+ZKgB+Xc3EGpwk/5Ilj71s/yc4A2WZsgA8MJgfddE3tSfarRAhlK71IP0zKrE6aiA==",
+		"cca-platform-profile": "tag:arm.com,2023:cca_platform#1.0.0",
+		"cca-platform-challenge": "95Ub6AH+frD8OVYQcFjJFhNO4MZfddA3Fb8juWoXhNvKnP6P6hxG7/i/Y8RniYjQKr8aCr5ycn5joaT1a5v3nw==",
 		"cca-platform-implementation-id": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
 		"cca-platform-instance-id": "AQICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC",
 		"cca-platform-config": "AQID",
@@ -139,6 +151,7 @@ var (
 		"cca-platform-hash-algo-id": "sha-256"
 	  },
 	  "cca-realm-delegated-token": {
+		"cca-realm-profile": "tag:arm.com,2023:realm#1.0.0",
 		"cca-realm-challenge": "QUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQkFCQUJBQg==",
 		"cca-realm-personalization-value": "QURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBREFEQURBRA==",
 		"cca-realm-initial-measurement": "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw==",
@@ -149,7 +162,7 @@ var (
 		  "Q0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQ0NDQw=="
 		],
 		"cca-realm-hash-algo-id": "sha-256",
-		"cca-realm-public-key": "BIEZWICiIH+5VgMqPLl/XaWvcm/8txXuFkeEp/sWwGCWvdlGKjJlCykSqFUVcNbqHzstH32oonX6ADMPAHhhi8PhSVScgXDTLsVYkKf57HifHxiukusV0iKvlx2XHJZa8Q==",
+		"cca-realm-public-key": "pAECIAIhWDCBGViAoiB/uVYDKjy5f12lr3Jv/LcV7hZHhKf7FsBglr3ZRioyZQspEqhVFXDW6h8iWDA7LR99qKJ1+gAzDwB4YYvD4UlUnIFw0y7FWJCn+ex4nx8YrpLrFdIir5cdlxyWWvE=",
 		"cca-realm-public-key-hash-algo-id": "sha-512"
 	  }
 	}
@@ -194,40 +207,41 @@ var (
 	`
 	// nolint:gosec
 	testGoodCCAToken = `
-	d9018fa219acca590192d28443a10126a0590146a9190109781c687474703a2f2f61
-	726d2e636f6d2f4343412d5353442f312e302e300a58401a261139aab676c2632243
-	839a598a17e64a801f97737106a7093fe48963ef5b3fc9ce00d9666c800f0c2607dd
-	744ded49f6ab4408652bbd483f4ccaac4e9a8819095c582000000000000000000000
-	00000000000000000000000000000000000000000000190100582101020202020202
-	02020202020202020202020202020202020202020202020202021909614301020319
-	095b19300019095f81a2025820030303030303030303030303030303030303030303
-	03030303030303030303030558200404040404040404040404040404040404040404
-	040404040404040404040404190960782e68747470733a2f2f7665726169736f6e2e
-	6578616d706c652f76312f6368616c6c656e67652d726573706f6e73651909626773
-	68612d323536584090d4ee4d7799119e20745756b2eb161a082f1b82620b2cdf6ef7
-	f2998c4245858af6c15beac166483d5e9199e080e5c803099f4f43fc6bd8298ec9d8
-	742cb40a19acd15902c3d28444a1013822a0590256a70a5840414241424142414241
+	d9018fa219acca590199d28443a10126a059014da919010978237461673a61726d2e
+	636f6d2c323032333a6363615f706c6174666f726d23312e302e300a5840f7951be8
+	01fe7eb0fc3956107058c916134ee0c65f75d03715bf23b96a1784dbca9cfe8fea1c
+	46eff8bf63c4678988d02abf1a0abe72727e63a1a4f56b9bf79f19095c5820000000
+	00000000000000000000000000000000000000000000000000000000001901005821
+	01020202020202020202020202020202020202020202020202020202020202020219
+	09614301020319095b19300019095f81a20258200303030303030303030303030303
+	03030303030303030303030303030303030305582004040404040404040404040404
+	04040404040404040404040404040404040404190960782e68747470733a2f2f7665
+	726169736f6e2e6578616d706c652f76312f6368616c6c656e67652d726573706f6e
+	7365190962677368612d3235365840f271afdc87a47a7f347eb10677ed998681819e
+	d5d6acf02781c6b649cc49a18859415eea87819ad0cfcdaba5ecfc37468b0d530db2
+	c445e3542f5a43d222e87619acd15902eed28444a1013822a0590281a8190109781c
+	7461673a61726d2e636f6d2c323032333a7265616c6d23312e302e300a5840414241
 	42414241424142414241424142414241424142414241424142414241424142414241
-	42414241424142414241424142414241424142414219accb58404144414441444144
+	42414241424142414241424142414241424142414241424142414219accb58404144
 	41444144414441444144414441444144414441444144414441444144414441444144
-	4144414441444144414441444144414441444144414419acce584043434343434343
+	4144414441444144414441444144414441444144414441444144414419acce584043
 	43434343434343434343434343434343434343434343434343434343434343434343
-	434343434343434343434343434343434343434343434319accf8458404343434343
+	434343434343434343434343434343434343434343434343434343434319accf8458
+	40434343434343434343434343434343434343434343434343434343434343434343
+	43434343434343434343434343434343434343434343434343434343434343584043
 	43434343434343434343434343434343434343434343434343434343434343434343
-	43434343434343434343434343434343434343434343434343584043434343434343
+	43434343434343434343434343434343434343434343434343434343435840434343
 	43434343434343434343434343434343434343434343434343434343434343434343
-	43434343434343434343434343434343434343434343435840434343434343434343
+	43434343434343434343434343434343434343434343434343434358404343434343
 	43434343434343434343434343434343434343434343434343434343434343434343
-	43434343434343434343434343434343434343434358404343434343434343434343
-	43434343434343434343434343434343434343434343434343434343434343434343
-	4343434343434343434343434343434343434319accc677368612d32353619accd58
-	610481195880a2207fb956032a3cb97f5da5af726ffcb715ee164784a7fb16c06096
-	bdd9462a32650b2912a8551570d6ea1f3b2d1f7da8a275fa00330f0078618bc3e149
-	549c8170d32ec55890a7f9ec789f1f18ae92eb15d222af971d971c965af119acd067
-	7368612d3531325860caf1c708a82f01b16d9d8fd8abd2a17ebd7028fe2941015400
-	7172ab562bb8c20b7165ea91c131778a76369309ef9d079cea076be3badd49d056f5
-	7dd849be714946e1ad656655b604b788457f40148b01362d5ab38ceb07148a4641e5
-	9ffd62
+	4343434343434343434343434343434343434343434343434319accc677368612d32
+	353619accd586ba40102200221583081195880a2207fb956032a3cb97f5da5af726f
+	fcb715ee164784a7fb16c06096bdd9462a32650b2912a8551570d6ea1f2258303b2d
+	1f7da8a275fa00330f0078618bc3e149549c8170d32ec55890a7f9ec789f1f18ae92
+	eb15d222af971d971c965af119acd0677368612d3531325860738916f034c55e6f03
+	3194425a4edfaeacdfa2da1ba4c7a05b3c9c5d9128e9980343a46ac95115b9cab3db
+	ed54028676ba0d5d8eb6ce2b454db27ae75a0f234f102d189d47f966e00223b1d27a
+	0ccd14d880f95da740e87794a0b9edd12e5660
 	`
 	// nolint:gosec
 	testBadUnwrappedTokens = `
@@ -266,7 +280,7 @@ var (
 	835051f48f917e01212afe75b26e0412085f33e3a2438d24f3d551760e5636`
 
 	// https://git.trustedfirmware.org/TF-M/tf-m-tools.git/tree/iat-verifier/tests/data/cca_token.cbor
-	testRMMEvidence = `
+	testRMMLegacyEvidence = `
 	d9018fa219acca590293d28444a1013822a0590226a9190109781c687474
 	703a2f2f61726d2e636f6d2f4343412d5353442f312e302e300a5820b597
 	3cb68baa9fc55558786b7ec67f69e40df5ba5aa921cd0c27f40587a011ea
@@ -385,3 +399,27 @@ func ecdsaPublicKeyFromRaw(data []byte) (*ecdsa.PublicKey, error) {
 		Y:     y,
 	}, nil
 }
+
+func ecdsaPublicKeyFromCOSE(buf []byte) (*ecdsa.PublicKey, error) {
+	var k cose.Key
+
+	if err := k.UnmarshalCBOR(buf); err != nil {
+		return nil, err
+	}
+
+	if k.KeyType != cose.KeyTypeEC2 {
+		return nil, fmt.Errorf("key type is not EC2")
+	}
+
+	if err := k.Validate(); err != nil {
+		return nil, err
+	}
+
+	pk, err := k.PublicKey()
+	if err != nil {
+		return nil, err
+	}
+
+	// TODO(tho) check safety
+	return pk.(*ecdsa.PublicKey), nil
+}