Identity, Identity Expectation, and Assertion

Assertion

A cryptographically-verifiable statement of an identity.

Field Type Description
description AssertionDescription

Describes the presented assertion. description.identity_type is the type of enclave identity that is asserted. description.authority_type is the type of assertion authority that is capable of verifying the assertion.

assertion bytes

Bytes containing the assertion. The interpretation of these bytes is up to the assertion-verification authority that verifies assertions matching description.

AssertionDescription

Describes an assertion that is requested, offered, or presented.

Field Type Description
identity_type EnclaveIdentityType

The type of enclave identity that is asserted by this assertion.

authority_type string

The combination of authority_type and identity_type uniquely identifies the assertion authority that operates on this assertion. An assertion authority is responsible for generating, verifying, requesting, or offering assertions that originate from a particular enclave architecture or technology and that assert a particular type of enclave identity.

authority_type is defined as a string for extensibility purposes and to allow the range of possible assertion types to be diversified. authority_type typically identifies the underlying enclave architecture or a third party authority, like a certification authority, but may also identify some additional feature of the authority. It is possible to define multiple assertion authorities for the same enclave technology and enclave identity type if these authorities differ in terms of some additional behavior.

authority_type cannot contain the ‘#’ character. Additionally, the authority type “Any” is reserved for assertions that are not associated with any particular authority (e.g. the null assertion).

AssertionOffer

Describes an assertion that is offered by an entity.

An AssertionOffer may optionally include any additional information that is needed by the receiving party to process such an offer.

Field Type Description
description AssertionDescription

Describes the offered assertion. description.identity_type is the type of enclave identity that is asserted in the offered assertion. description.authority_type is the type of assertion authority capable of verifying the assertion.

additional_information bytes

Additional information that is associated with an assertion that asserts description.identity_type and that is verified by the authority description.authority_type The interpretation of these bytes is up to the assertion-verification authority that processes assertions matching description.

For example, this may contain any information that is needed by the receiving party to do any of the following:

  • Determine whether an assertion of this type can be verified
  • Verify an assertion of this type

AssertionRequest

Describes an assertion that is requested by an entity.

An AssertionRequest may optionally include any additional information that is needed by the receiving party to handle such a request.

Field Type Description
description AssertionDescription

Describes the requested assertion. description.identity_type is the type of enclave identity asserted in the requested assertion. description.authority_type is the type of assertion authority capable of generating the assertion.

additional_information bytes

Additional information that is associated with an assertion that asserts description.identity_type and that is verified by the authority description.authority_type. The interpretation of these bytes is up to the assertion-generation authority that processes assertions matching the description.

For example, this may contain any information that is needed by the receiving party to do any of the following:

  • Determine whether an assertion of this type is appropriate to generate
  • Generate an assertion of this type

EnclaveIdentities

A collection of enclave identities held by an entity.

Field Type Description
identities EnclaveIdentity[]

EnclaveIdentity

An identity that is held by an enclave entity or an entity communicating with an enclave entity.

An EnclaveIdentity can be extracted from an Assertion.

Field Type Description
description EnclaveIdentityDescription

Describes the identity contained in identity.

identity bytes

Bytes containing the identity. The interpretation of these bytes is up to the authorization authority that handles identities matching description.

EnclaveIdentityDescription

Describes an enclave identity that is held by an entity.

Field Type Description
identity_type EnclaveIdentityType

The type of enclave identity.

authority_type string

The combination of authority_type and identity_type uniquely identifies the authorization authority that handles the described identity (i.e. an authority that authorizes operations for entities possessing the described identity).

EnclaveIdentityExpectation

Expectation about the identity held by an enclave entity or an entity communicating with an enclave.

An EnclaveIdentityExpectation can be matched against an EnclaveIdentity by an authorization authority of compatible type.

Field Type Description
reference_identity EnclaveIdentity

A reference identity against which a target identity is matched. reference_identity, when combined with match_spec, specifies the expected enclave identity that is authorized for a particular purpose (e.g., having access to a sealed secret, or being able to make a particular RPC).

match_spec bytes

Bytes describing how the reference_identity should be matched against the target identity. The interpretation of these bytes is specific to the authorization authority.

EnclaveIdentityType

A categorization class of identity.

Name Description
UNKNOWN_IDENTITY
NULL_IDENTITY

An identity used by entities without cryptographic credentials.

CODE_IDENTITY

A cryptographically-verifiable identity that can specify the code being run by an entity, the environment in which the code is run, and other parameters that may affect code execution.

CERT_IDENTITY

An identity used by entities that possess credentials issued by a certificate authority.