<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Hi, Mashiro. in Intel® Software Guard Extensions (Intel® SGX)</title>
    <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGx-Client-to-IAS/m-p/1084674#M668</link>
    <description>&lt;P&gt;Hi, Mashiro.&lt;/P&gt;

&lt;P&gt;Remote Attestation is *not* mandatory&amp;nbsp;&lt;SPAN style="font-size: 12px;"&gt;for an enclave to be usable in a customer's/target client machine.&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the&amp;nbsp;&amp;nbsp;ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;Cheers,&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;Rodolfo&lt;/SPAN&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 14 Nov 2016 16:09:49 GMT</pubDate>
    <dc:creator>Rodolfo_S_</dc:creator>
    <dc:date>2016-11-14T16:09:49Z</dc:date>
    <item>
      <title>SGx Client to IAS</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGx-Client-to-IAS/m-p/1084673#M667</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I am trying to learn SGx and am now at understanding Remote Attestation.&lt;/P&gt;

&lt;P&gt;Been reading this article and the other references in it:&amp;nbsp;https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-end-example&lt;/P&gt;

&lt;P&gt;&amp;nbsp;&lt;/P&gt;

&lt;P&gt;As I understand, remote attestation is mandatory for an enclave to be usable in a customer's/target client machine. This client machine is connected towards the ISV's Provisioning Server which is then connected towards Intel's IAS... like so:&lt;/P&gt;

&lt;P&gt;Client (with attesting SGx enclave) &amp;nbsp;&amp;lt;--------------------&amp;gt; ISV Provisioning Server &amp;lt;-------------------------&amp;gt; Intel IAS&lt;/P&gt;

&lt;P&gt;&amp;nbsp;&lt;/P&gt;

&lt;P&gt;Is this two-tier setup mandatory?&lt;/P&gt;

&lt;P&gt;Will it be possible to just have the Client attest directly towards Intel IAS like so? &amp;nbsp;Client (with SGx) &amp;lt;---------------------------&amp;gt; Intel IAS&lt;/P&gt;

&lt;P&gt;&amp;nbsp;&lt;/P&gt;

&lt;P&gt;Please correct me if there is something wrong in my understanding.&lt;/P&gt;

&lt;P&gt;Thanks.&lt;/P&gt;

&lt;P&gt;&amp;nbsp;&lt;/P&gt;

&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 13 Nov 2016 18:54:51 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGx-Client-to-IAS/m-p/1084673#M667</guid>
      <dc:creator>Mashiro_M_1</dc:creator>
      <dc:date>2016-11-13T18:54:51Z</dc:date>
    </item>
    <item>
      <title>Hi, Mashiro.</title>
      <link>https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGx-Client-to-IAS/m-p/1084674#M668</link>
      <description>&lt;P&gt;Hi, Mashiro.&lt;/P&gt;

&lt;P&gt;Remote Attestation is *not* mandatory&amp;nbsp;&lt;SPAN style="font-size: 12px;"&gt;for an enclave to be usable in a customer's/target client machine.&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;The purpose of Remote Attestation is to prove to someone else (e.g.: service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and further more, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the&amp;nbsp;&amp;nbsp;ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;Cheers,&lt;/SPAN&gt;&lt;/P&gt;

&lt;P&gt;&lt;SPAN style="font-size: 12px;"&gt;Rodolfo&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 14 Nov 2016 16:09:49 GMT</pubDate>
      <guid>https://community.intel.com/t5/Intel-Software-Guard-Extensions/SGx-Client-to-IAS/m-p/1084674#M668</guid>
      <dc:creator>Rodolfo_S_</dc:creator>
      <dc:date>2016-11-14T16:09:49Z</dc:date>
    </item>
  </channel>
</rss>

