
Attesting Remote Services and Applications

Problem Description

Consider that you operate a confidential service S, or an application A consisting of multiple services. In both cases, clients connect to a service S via TLS.

Each client wants to ensure that S (and all services used by S) runs inside of an enclave, runs the expected code, and is properly configured. A client C runs at a remote site, i.e., not in the same cluster as S.

How can C attest that S is properly set up?

Approach

Service Deployment

The provider of S / A performs the following steps:

  • Create a policy P_S for service S and for all services of application A
  • Service S uses the certificate Ce and its private key for TLS (see secret injection files)

Client (Runtime)

Each client C:

  • when connecting to S via TLS, C accepts only CA as the certificate authority for the TLS certificate presented by S (by limiting its root certificates to CA, or by defining name constraints for its root certificates);
    • since the policy of S ensures that only a correctly configured service, executing inside of an enclave, can get access to a certificate Ce issued by CA,
    • being able to establish a TLS connection to S means that S satisfies all constraints of its security policy P_S.
    • This argument holds only if C actually validates the certificate chain (no "skip verification" mode) and also checks that the certificate's name matches S; otherwise any holder of a certificate issued by CA, not just S, would be accepted.
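The client-side rule from the list above, as an added example that is not the page's or the project's own code: the client's trust store holds exactly one root (CA), CA carries a name constraint so it can only vouch for names under one subtree, and the client verifies the presented certificate against that root plus the expected host name. The `openssl` CLI is used in place of a TLS handshake because chain validation is the step that matters here. The names `ca`, `rogue`, `s.example`, `s.other` and the one-day validity are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not the page's own code): a client that trusts a single CA,
# checked with the openssl CLI. All names below are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a key and CSR for a given common name (provider side).
gen_csr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed root. The name constraint limits what this root may certify, so a
# client that trusts only this root also trusts only names under that subtree.
make_ca() {  # $1 = file prefix, $2 = permitted DNS subtree (e.g. .example)
  gen_csr "$1" "$1"
  cat > "$WORK/$1.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
nameConstraints=critical,permitted;DNS:$2
EOF
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue a leaf certificate (Ce in the text) from CA $1 for host $3, stored as $2.
issue_leaf() {  # $1 = CA prefix, $2 = leaf prefix, $3 = host name
  gen_csr "$2" "$3"
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$3" > "$WORK/$2.ext"
  openssl x509 -req -days 1 -sha256 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# Client side: the only trusted root is $1. Returns 0 iff the presented
# certificate chains to that root, obeys its name constraints and is valid
# for the host name the client intended to reach.
client_accepts() {  # $1 = CA prefix, $2 = leaf prefix, $3 = expected host name
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$3" "$WORK/$2.crt" \
    >/dev/null 2>&1
}

make_ca ca .example                 # the CA referenced by policy P_S
make_ca rogue .example              # a CA the client does not trust
issue_leaf ca s_ok s.example        # Ce for S, issued by CA
issue_leaf rogue s_rogue s.example  # same name, wrong issuer
issue_leaf ca s_outside s.other     # right issuer, name outside the constraint

client_accepts ca s_ok s.example    && echo "accept: Ce from CA for s.example"
client_accepts ca s_rogue s.example || echo "reject: not issued by CA"
client_accepts ca s_outside s.other || echo "reject: violates CA name constraint"
client_accepts ca s_ok evil.example || echo "reject: certificate not valid for host"
```

The four checks at the end are the cases a client implementation should behave the same way on: a certificate from a different issuer for the right name, a certificate from the right issuer for a name the root is not allowed to certify, and a genuine Ce presented under the wrong host name are all rejected; only Ce presented under its own name is accepted. In a real client the same effect is obtained by loading only CA into the TLS context's trust store and leaving hostname verification on.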

Client (Development/Deployment)

When client C is built or, alternatively, at deployment time, one: