I recently started learning SGX technology and if I understand correctly, SGX supports EPID-based remote authentication. I wonder whether SGX supports certificate-based authentication, such as the X509 specification of the PKI standard.
Because I want SGX to attest ARM TrustZone, if SGX supports certificate-based authentication, then I think it is possible to implement remote authentication between SGX and ARM TrustZone.
Hello Clinale,
The Intel Attestation Service (IAS), or remote attestation service, attests clients that run Intel SGX and cannot be used to attest clients that run ARM TrustZone. The remote attestation service does not run SGX. Servers and other clients that run SGX use the IAS to prove the following about the SGX enclave to service providers:
- Its identity
- That it has not been tampered with
- That it is running on a genuine platform with Intel SGX enabled
- That it is running at the latest security level, also referred to as the Trusted Computing Base (TCB) level
I highly recommend you read the Remote Attestation End-to-End Example for more details.
Sincerely,
Jesus G.
Intel Customer Support
Hi JesusG_Intel,
Thanks for your information, and I browsed the web link you posted.
I noticed a sentence mentioning that SGX supports certificate-based attestation.
I wonder what certificate-based authentication means. Does it mean that SGX supports certificate-based authentication, like PKI X509? If it does, will SGX always support certificate-based authentication?
Thanks for your reply.
Hello Clinale,
Intel no longer on-boards new customers using the old cert-based authentication. It’s only there for legacy IAS customers and will soon be EOL’d.
The old, cert-based authentication was simply a mutual TLS authentication mechanism. The customer had to purchase an X.509 client cert from a publicly recognized cert authority (e.g., Thawte, DigiCert, etc.) just like you would for a secure web site. Intel would use that cert to authenticate them when they connected to IAS.
Sincerely,
Jesus G.
Intel Customer Support
This thread has been marked as answered and Intel will no longer monitor this thread. If you want a response from Intel in a follow-up question, please open a new thread.
