You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Context.
PDO currently allows to set the expected basename (related to EPID attestations) in the TP policy. This value check is enforced at enclave registration time by the TP.
Recall that:
in EPID, the basename is directly derived from the SPID (the service provider ID assigned by the Intel Attestation Service)
(this claim has to be confirmed) at verification time, IAS checks whether the SPID in the quote matches the one associated with the owner of the API-key.
Implications.
Given that the TP only allows setting a single basename, this means that:
any eservice that wants to attest and register a contract enclave has to use the same SPID
any enclave quote with such SPID has to be verified through the associated API key to contact IAS.
Notes.
Presumably this will be a non-issue as the attestation mechanism transitions to DCAP.
Most likely, by removing the basename set/check in TP, EPID and DCAP attestations/verifications could use the same abstract API in the TP, as they would only need mrenclave and public key of the hardware manufacturer to verify attestations.
The text was updated successfully, but these errors were encountered:
Context.
PDO currently allows to set the expected basename (related to EPID attestations) in the TP policy. This value check is enforced at enclave registration time by the TP.
Recall that:
Implications.
Given that the TP only allows setting a single basename, this means that:
Notes.
The text was updated successfully, but these errors were encountered: