Skip to content

CAS Namespaces

A CAS instance can be shared by multiple users. Since policy names must be unique per CAS instance, there might be conflicts when creating sessions in the sense that another user has already created a session with that name. The standard name to address such name collisions is to introduce namespaces.

Namespace Convention

We are working on extending CAS will provide namespaces, i.e., a scope for session names. When one has created a namespace, one controls which session names can be created in this namespace.

Until the support is in place, we suggest a simple cooperative approach for namespaces. The prefix of a name until the first ~ is the namespace. We create a name space $NS by creating a session with name $NS.


We use the creation of namespaces to introduce some basic concepts: We show how to attest CAS and how to create a session with the help of the SCONE CLI.

Attesting CAS

To attest CAS, we need to know the expected MRENCLAVE of the CAS. One way to determine is to download the CAS image and determine MRENCLAVE (by setting SCONE_HASH=1). One might not always have access to the image and how can one check that the image was not modified.

We use here an alternative way to determine MRENCLAVE of CAS and other images. We maintain a signed list of MrEnclaves on One can download the list, check the signature and if the signature is ok, use the MRENCLAVE of the image we want to use.

Creating a session

We need a session description first. The session could look like this

name: $NS


We can upload this session with the command

scone session create policy.yml

Setting up the container to create a namespace

export CLI_IMAGE="sconecuratedimages/sconecli"
determine_sgx_device # see
docker run $SGXDEVICE -it --rm $CLI_IMAGE bash
apk add --no-cache git openssl gnupg curl # add some missing packages

In the CLI image, we first clone

git clone
export SCONE_CAS_ADDR=""
export NS="MyNamespace"

cd create_namespace
./create_namespace --debug --namespace=$NS --cas=$SCONE_CAS_ADDR