https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106807#M1212 <P>I will try to rephrase this: Can a user (other than the ISV who has the private signing key) obtain a remote attestation&nbsp;<SPAN style="font-size: 1em;">from (or with the help of) the ISV but without the ISV being able to tamper with this attestation?</SPAN></P> <P>&nbsp;</P> Thu, 08 Jun 2017 16:24:33 GMT David_B_1 2017-06-08T16:24:33Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106804#M1209 <P>Hello,</P> <P>In case external users (other than the enclave developer who has signed the enclave with his private key) &nbsp;need to share data with the application enclave, is it possible for these users to get a certified measurement &nbsp;of the application enclave&nbsp;<SPAN style="font-size: 13.008px;">(e.g. from the quoting enclave)&nbsp;</SPAN><SPAN style="font-size: 1em;">without the enclave developer being able to tamper with this measurement?</SPAN></P> <P>In other words, can the enclave developer prove to an external user that it is safe the share his data with the enclave?</P> <P>Thanks, David</P> Mon, 15 May 2017 13:43:57 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106804#M1209 David_B_1 2017-05-15T13:43:57Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106805#M1210 <P>May want to check this out:</P> <P><A href="https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example" target="_blank">https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example</A></P> Tue, 16 May 2017 13:25:46 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106805#M1210 AArya2 2017-05-16T13:25:46Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106806#M1211 <P>Thanks Arya,</P> <P>However, I don't think it answers my question. What I would like to know is if it is possible for an enclave to provide (with ISV's agreement) a remote attestation to an external user that is not the ISV (i.e. not the enclave developper who signed the enclave).</P> <P>&nbsp;</P> <P>Maybe something like the figure below:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="IAS_ExtUsr.png"><img src="https://community.intel.com/t5/image/serverpage/image-id/9542iFAA8B3087901A250/image-size/large?v=v2&amp;px=999&amp;whitelist-exif-data=Orientation%2CResolution%2COriginalDefaultFinalSize%2CCopyright" role="button" title="IAS_ExtUsr.png" alt="IAS_ExtUsr.png" /></span></P> Tue, 16 May 2017 15:55:58 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106806#M1211 David_B_1 2017-05-16T15:55:58Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106807#M1212 <P>I will try to rephrase this: Can a user (other than the ISV who has the private signing key) obtain a remote attestation&nbsp;<SPAN style="font-size: 1em;">from (or with the help of) the ISV but without the ISV being able to tamper with this attestation?</SPAN></P> <P>&nbsp;</P> Thu, 08 Jun 2017 16:24:33 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106807#M1212 David_B_1 2017-06-08T16:24:33Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106808#M1213 <P>Hi, David.</P> <P>This is absolutely possible. The private signing key is not needed in the process of producing a quote once the enclave application is already running. The quote is signed with the EPID key, and not with the private signing key.</P> <P>Best regards,<BR /> Rodolfo</P> Fri, 16 Jun 2017 19:02:16 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106808#M1213 Rodolfo_S_ 2017-06-16T19:02:16Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106809#M1214 <P>Thanks Rodolfo, this was very helpful!</P> Mon, 19 Jun 2017 09:12:35 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106809#M1214 David_B_1 2017-06-19T09:12:35Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106810#M1215 <P>About this issue,I still have a question.</P> <P>EPID (key) seems to prove the ISV identity。but how to prove the code run in the enclave is the one expected , by comparing the "<SPAN style="color: rgb(96, 96, 96); font-size: 13.008px;">MRENCLAVE" measurement value&nbsp;</SPAN>?&nbsp;</P> Thu, 27 Jul 2017 10:07:15 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/Provide-remote-attestation-to-external-user/m-p/1106810#M1215 yu_b_1 2017-07-27T10:07:15Z