Remote Attestation Based on Intel® EPID

This technology enables a relying party to attest an enclave without knowing the specific Intel® processor that the enclave is executing on. Using this technology requires a platform and for the relying party to have internet access. For more information, see Intel EPID Security Technology.

The online attestation service is created and managed by Intel to:

  • Minimize the complexity of handling multiple security versions for a platform with an Intel SGX trusted computing base (TCB)
  • Provide privacy properties

Attestation Based on Intel® SGX DCAP

ECDSA-based attestation allows providers to build and deliver their own attestation service instead of using the remote attestation service provided by Intel. This is useful for enterprise, data center, and cloud service providers who need to address any of the following requirements:

  • Run large parts of their networks in environments where internet-based services cannot be reached
  • Keep attestation decisions in-house
  • Deliver applications that work in a very distributed fashion (for example, peer-to-peer networks) that benefit from not relying on a single point of verification
  • Prevent platform anonymity where it is not permitted

Intel SGX DCAP requires more provider-managed infrastructure than the attestation solution based on Intel EPID, and helps providers create this infrastructure. For more information, see Figure 2.