David_B_1
Beginner
99 Views

Provide remote attestation to external user

Hello,

In case external users (other than the enclave developer who has signed the enclave with his private key) need to share data with the application enclave, is it possible for these users to get a certified measurement of the application enclave (e.g. from the quoting enclave) without the enclave developer being able to tamper with this measurement?

In other words, can the enclave developer prove to an external user that it is safe to share his data with the enclave?

Thanks, David

6 Replies
AArya2
New Contributor I

David_B_1
Beginner

Thanks Arya,

However, I don't think it answers my question. What I would like to know is if it is possible for an enclave to provide (with the ISV's agreement) a remote attestation to an external user that is not the ISV (i.e. not the enclave developer who signed the enclave).


Maybe something like the figure below:

[figure: IAS_ExtUsr.png]

David_B_1
Beginner

I will try to rephrase this: Can a user (other than the ISV who has the private signing key) obtain a remote attestation from (or with the help of) the ISV but without the ISV being able to tamper with this attestation?


Rodolfo_S_
New Contributor III

Hi, David.

This is absolutely possible. The private signing key is not needed in the process of producing a quote once the enclave application is already running. The quote is signed with the EPID key, and not with the private signing key.

Best regards,
Rodolfo

David_B_1
Beginner

Thanks Rodolfo, this was very helpful!

yu_b_1
Beginner

About this issue, I still have a question.

The EPID key seems to prove the ISV's identity. But how to prove that the code running in the enclave is the one expected, by comparing the "MRENCLAVE" measurement value?
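The checks an external (non-ISV) user runs over the quote body, covering both Rodolfo's point (the quote is signed by the EPID attestation key, which the ISV does not hold) and yu_b_1's question (the code is identified by comparing MRENCLAVE). This is an added example, not code from the thread or from Intel's SDK. It assumes the EPID signature has already been verified: for EPID quotes that means the quote was submitted to IAS and the signature on the IAS attestation report was checked against Intel's report-signing certificate, and the report body below is taken from that verified quote. Field offsets follow the `sgx_quote_t` and `sgx_report_body_t` layouts as the author of this example reads them from the SDK's `sgx_quote.h` and `sgx_report.h` (check them against your SDK version). The REPORTDATA convention (SHA-256 of the user's session public key followed by 32 zero bytes), the reference values and the sample quotes are all constructed for the example.

```python
"""
Verifier-side policy check over an SGX EPID quote, as run by an external
user who is not the ISV. Added example: not from the thread, not SDK code.

Assumptions:
  * The EPID signature was already verified via IAS (see lead-in).
  * Offsets follow sgx_quote_t / sgx_report_body_t from the SGX SDK headers.
  * REPORTDATA = SHA-256(user's session public key) || 32 zero bytes is an
    application-level convention assumed here.
  * Every quote and reference value below is constructed, not captured.
"""
import hashlib
import struct

# sgx_quote_t offsets (bytes)
QUOTE_VERSION, QUOTE_SIGN_TYPE, QUOTE_REPORT_BODY = 0, 2, 48
REPORT_BODY_LEN = 384

# sgx_report_body_t offsets (bytes)
RB_ATTRIBUTES = 48     # flags u64 LE, then xfrm u64 LE
RB_MRENCLAVE = 64      # 32-byte hash of the enclave contents (the code identity)
RB_MRSIGNER = 128      # 32-byte hash of the ISV signing key (the signer identity)
RB_ISV_PROD_ID = 256   # u16
RB_ISV_SVN = 258       # u16
RB_REPORT_DATA = 320   # 64 bytes chosen by the enclave when it asks for a report

SGX_FLAGS_INIT, SGX_FLAGS_DEBUG, SGX_FLAGS_MODE64BIT = 0x1, 0x2, 0x4


def parse_quote_body(quote: bytes) -> dict:
    """Pull the policy-relevant fields out of the report body inside a quote."""
    if len(quote) < QUOTE_REPORT_BODY + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain a report body")
    rb = quote[QUOTE_REPORT_BODY:QUOTE_REPORT_BODY + REPORT_BODY_LEN]
    flags, xfrm = struct.unpack_from("<QQ", rb, RB_ATTRIBUTES)
    prod_id, svn = struct.unpack_from("<HH", rb, RB_ISV_PROD_ID)
    return {
        "version": struct.unpack_from("<H", quote, QUOTE_VERSION)[0],
        "sign_type": struct.unpack_from("<H", quote, QUOTE_SIGN_TYPE)[0],
        "flags": flags, "xfrm": xfrm,
        "mrenclave": rb[RB_MRENCLAVE:RB_MRENCLAVE + 32],
        "mrsigner": rb[RB_MRSIGNER:RB_MRSIGNER + 32],
        "isv_prod_id": prod_id, "isv_svn": svn,
        "report_data": rb[RB_REPORT_DATA:RB_REPORT_DATA + 64],
    }


def expected_report_data(session_pubkey: bytes) -> bytes:
    """Assumed convention binding the attestation to this user's session key."""
    return hashlib.sha256(session_pubkey).digest() + bytes(32)


def verify_quote_policy(quote, expected_mrenclave, expected_mrsigner,
                        min_isv_svn, session_pubkey):
    """Return a list of policy violations; an empty list means 'safe to share'."""
    body = parse_quote_body(quote)
    problems = []
    if body["mrenclave"] != expected_mrenclave:
        problems.append("MRENCLAVE mismatch: not the audited enclave build")
    if body["mrsigner"] != expected_mrsigner:
        problems.append("MRSIGNER mismatch: not signed by the expected ISV key")
    if body["flags"] & SGX_FLAGS_DEBUG:
        problems.append("DEBUG attribute set: enclave memory is debugger-readable")
    if body["isv_svn"] < min_isv_svn:
        problems.append("ISVSVN %d below minimum %d" % (body["isv_svn"], min_isv_svn))
    if body["report_data"] != expected_report_data(session_pubkey):
        problems.append("REPORTDATA does not bind this user's session key")
    return problems


def build_sample_quote(mrenclave, mrsigner, isv_svn, debug, report_data):
    """Constructed quote with the real layout but a placeholder signature blob."""
    rb = bytearray(REPORT_BODY_LEN)
    flags = SGX_FLAGS_INIT | SGX_FLAGS_MODE64BIT | (SGX_FLAGS_DEBUG if debug else 0)
    struct.pack_into("<QQ", rb, RB_ATTRIBUTES, flags, 0x3)  # xfrm: x87 | SSE
    rb[RB_MRENCLAVE:RB_MRENCLAVE + 32] = mrenclave
    rb[RB_MRSIGNER:RB_MRSIGNER + 32] = mrsigner
    struct.pack_into("<HH", rb, RB_ISV_PROD_ID, 1, isv_svn)
    rb[RB_REPORT_DATA:RB_REPORT_DATA + 64] = report_data
    # version=2, sign_type=0 (unlinkable), epid_group_id, qe_svn, pce_svn, xeid, basename
    head = struct.pack("<HHIHHI", 2, 0, 0x0B, 1, 1, 0) + bytes(32)
    sig = bytes(64)  # placeholder; a real quote carries the EPID signature here
    return head + bytes(rb) + struct.pack("<I", len(sig)) + sig


# Constructed reference values the external user obtains out of band: the
# MRENCLAVE of a reproducible, audited build and the ISV's published MRSIGNER.
GOOD_MRENCLAVE = hashlib.sha256(b"constructed: audited enclave build").digest()
ISV_MRSIGNER = hashlib.sha256(b"constructed: ISV signing key").digest()
SESSION_PUBKEY = b"constructed: external user's ephemeral DH public key"


def demo():
    rd = expected_report_data(SESSION_PUBKEY)
    good = build_sample_quote(GOOD_MRENCLAVE, ISV_MRSIGNER, 3, False, rd)
    other_code = build_sample_quote(hashlib.sha256(b"constructed: other code").digest(),
                                    ISV_MRSIGNER, 3, False, rd)
    debug_build = build_sample_quote(GOOD_MRENCLAVE, ISV_MRSIGNER, 3, True, rd)
    return {name: verify_quote_policy(q, GOOD_MRENCLAVE, ISV_MRSIGNER, 2, SESSION_PUBKEY)
            for name, q in (("good", good), ("other_code", other_code), ("debug", debug_build))}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", "OK" if not problems else problems)
```

The ISV can relay quotes but cannot forge the EPID signature, so what remains in its power is to hand the user a genuine quote from a different enclave, or a DEBUG build of the same code. The MRENCLAVE comparison catches the first, the attribute check the second, and binding the user's own session key into REPORTDATA ties the quote to this exchange rather than to one produced earlier. The expected MRENCLAVE must therefore come from somewhere the user trusts independently of the ISV (a reproducible build or a third-party audit), not from the ISV's own statement.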
