Remote Attestation

Responses like /address include an SGX attestation quote and an enclave-produced signature.

Verify

1. Validate the quote using Intel® SGX DCAP tooling/services.

2. Check enclave identity (expected MRENCLAVE/MRSIGNER) and TCB status.

3. Verify the enclave public key and the signature bound to the canonical result payload.

Operational guidance

• Publish expected identity values and rotate on enclave upgrades.

• Reject stale quotes; enforce grace periods/CRLs.

• Canonicalize payload (UTF8(JSON.stringify(result))) before verifying signatures.

Intel DCAP docs provide the attestation model and collateral details. See Intel’s DCAP orientation docs.