- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I was wondering the following: If I have a processor which only supports ECDSA attestation, like a 3rd gen Xeon scalable processor, can I still use the Intel Attestation Service for quote verification (which I currently use for the EPID attestation)?
The documents I read used phrases like "can/may use your own attestation service", but nothing like "must". On the other hand, the Intel Attestation Service API description (https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf) has 55 occurrences of the word "EPID" but 0 occurrences of the word "ECDSA". I currently have no access to a newer 3rd gen Xeon scalable processor, and thus cannot easily verify it by experimentation (I think). So, I was hoping to get some definite answer from Intel like "You can/cannot use the Intel Attestation Service to verify an ECDSA quote. Using a custom attestation service is optional/obligatory."
(I understand that I am losing some privacy guarantees when using ECDSA quotes.)
Thank you for your time!
Armin
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Armin,
In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.
For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.
For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.
The Intel DCAP Product Brief explains how all these pieces fit together.
Sincerely,
Jesus G.
Intel Customer Support
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Armin,
In a DCAP environment, the Intel Attestation Services (IAS) does not verify the enclave. IAS is used to verify enclaves only for EPID-based attestation.
For ECDSA attestation, the service provider must build their own attestation service using the DCAP primitives. The service provider/relying party verifies the SGX platform using the DCAP Quote Verification Library.
For DCAP, the Intel Provisioning Certification Service provides PCK certificates, TCB info, revocation lists, and quoting enclave identity to the service provider so that the service provider can perform the attestation.
The Intel DCAP Product Brief explains how all these pieces fit together.
Sincerely,
Jesus G.
Intel Customer Support
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this provides all the information I needed. Have a nice day!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page