I'm trying to learn SGX application development, and am now at Remote Attestation. I have been learning about it in this article: (https://software.intel.com/en-us/articles/intel-software-guard-extensions-remote-attestation-end-to-...
As I understand it, remote attestation is a necessary part for an enclave (in the target/user platform) to become usable; it should be able to attest towards an ISV's Provisioning Server, which in turn is connected to Intel's Attestation Server.
Client (with SGX attesting enclave) <-------> ISV Provisioning Server <------> Intel IAS
Is this two-tier approach a mandatory setup?
Is it possible to not have the Provisioning Server in between, and have the client connect/attest directly towards IAS?
Like so: Client (with SGX enclave) <--------------> IAS
Remote Attestation is *not* mandatory for an enclave to be usable in a customer's/target client machine.
The purpose of Remote Attestation is to prove to someone else (e.g., a service provider (SP)) that the application it is communicating with is running inside an SGX enclave, and furthermore, that it is running inside the *correct* SGX enclave. Due to this purpose, it only makes sense that the ISV Provisioning Server (SP) itself communicates with IAS, and not the client enclave being attested, so that the SP can verify that the Attestation Evidence was really sent by IAS, and not faked by a possible attacker.
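
Added example (not part of the original answer, and not Intel's code): a simulation of the check described above, where the SP accepts attestation evidence only if it carries the attestation service's signature and names the expected enclave. The RSA key is a toy built from two Mersenne primes, and the report fields quote_status and mrenclave are hypothetical names, not the IAS report format.

```python
import hashlib
import json

# Toy key standing in for the attestation service's report-signing key.
# Built from two Mersenne primes so the example is self-contained; NOT secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: attestation service only
K = (N.bit_length() + 7) // 8       # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(msg: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def service_sign(report: bytes) -> int:
    """Attestation-service side: sign the verification report."""
    return pow(_encode(report), D, N)

def sp_verify(report: bytes, sig: int, expected_mrenclave: str) -> bool:
    """SP side: accept only a service-signed report for the expected enclave."""
    if pow(sig, E, N) != _encode(report):
        return False                # evidence did not come from the service
    body = json.loads(report)
    return body["quote_status"] == "OK" and body["mrenclave"] == expected_mrenclave

EXPECTED = "ab" * 32                # constructed measurement the SP expects

def demo() -> dict:
    # Constructed reports: one for the right enclave, one the service rejected.
    good = json.dumps({"quote_status": "OK", "mrenclave": EXPECTED}).encode()
    bad = json.dumps({"quote_status": "REVOKED", "mrenclave": EXPECTED}).encode()
    good_sig, bad_sig = service_sign(good), service_sign(bad)
    # A client relaying the evidence rewrites the status but cannot re-sign.
    tampered = bad.replace(b"REVOKED", b"OK")
    return {
        "genuine": sp_verify(good, good_sig, EXPECTED),
        "rejected_by_service": sp_verify(bad, bad_sig, EXPECTED),
        "tampered_in_transit": sp_verify(tampered, bad_sig, EXPECTED),
        "wrong_enclave": sp_verify(good, good_sig, "cd" * 32),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first case returns True: a report the client altered or fabricated fails the signature check, and a correctly signed report for a different enclave fails the measurement check.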