(You have an SSH server with a wall time that is not correlated with anything, you have a client, and you have a CA that issues SSH certs. You want the server to be able to verify that the cert is fresh, but can't use validity dates because you have a different idea of time. So, the server does TPM2_GetTime(), sticks the attestation in the SSH banner, the client retrieves that and passes it to the CA, the CA puts it in the cert, the client gives the cert to the server, and the server knows the cert was issued after that time.)
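The server-side freshness check in that flow, as an added sketch that is not code from the original post. Assumptions: HMAC stands in for both the TPM attestation signature and the CA signature, all function and field names are hypothetical, and the `max_age_ms` window and the reject-on-reset policy are choices made here.

```python
import hashlib, hmac, json

# Constructed keys. HMAC is a stand-in (assumption); a real deployment uses an
# asymmetric TPM attestation key and an asymmetric SSH CA key.
TPM_KEY = b"constructed-tpm-attestation-key"
CA_KEY = b"constructed-ssh-ca-key"

def _sign(key, obj):
    body = json.dumps(obj, sort_keys=True).encode()
    return {"body": obj, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def _valid(key, signed):
    body = json.dumps(signed["body"], sort_keys=True).encode()
    want = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, signed["mac"])

def server_banner(clock_ms, reset_count):
    """Server: attested TPM clock reading (the TPM2_GetTime step) for the banner."""
    return _sign(TPM_KEY, {"clock_ms": clock_ms, "reset_count": reset_count})

def ca_issue(principal, attestation):
    """CA: embed the client-supplied attestation in the cert unchanged."""
    return _sign(CA_KEY, {"principal": principal, "time_attest": attestation})

def server_check(cert, now_clock_ms, now_reset_count, max_age_ms):
    """Server: accept only certs bound to a recent reading of its own TPM clock."""
    if not _valid(CA_KEY, cert):
        return "reject: bad CA signature"
    att = cert["body"]["time_attest"]
    # The attestation must verify under this server's own TPM key, otherwise
    # the time value could have been chosen by whoever requested the cert.
    if not _valid(TPM_KEY, att):
        return "reject: attestation not from this TPM"
    t = att["body"]
    # The TPM clock only counts powered-on time, so elapsed time across a
    # TPM reset is unknown. Policy assumption: reject.
    if t["reset_count"] != now_reset_count:
        return "reject: TPM reset since attestation"
    age = now_clock_ms - t["clock_ms"]
    if age < 0 or age > max_age_ms:
        return "reject: attestation outside freshness window"
    return "accept"
```

Wall time never enters the comparison: both clock readings come from the same TPM, so the server only needs its own counter to be monotonic.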