Identity, Identity Expectation, and Assertion

This package defines the core building blocks of identity, identity expectations, and assertions of identity.

EnclaveIdentityDescription

Describes an enclave identity that is held by an entity.

identity_type (EnclaveIdentityType; required: No)
    The type of enclave identity.

authority_type (string; required: No)
    The combination of authority_type and identity_type uniquely identifies the authorization authority that handles the described identity (i.e. an authority that authorizes operations for entities possessing the described identity).

EnclaveIdentity

An identity that is held by an enclave entity or an entity communicating with an enclave entity.

An EnclaveIdentity can be extracted from an Assertion.

description (EnclaveIdentityDescription; required: No)
    Describes the identity contained in identity.

identity (bytes; required: No)
    Bytes containing the identity. The interpretation of these bytes is up to the authorization authority that handles identities matching description.

version (string; required: No)
    The version of the EnclaveIdentity. This field can be used as a means of distinguishing between different identity serializations, even when the underlying identity description is identical.

EnclaveIdentities

A collection of enclave identities held by an entity.

identities (EnclaveIdentity[]; required: No)

EnclaveIdentityExpectation

Expectation about the identity held by an enclave entity or an entity communicating with an enclave.

An EnclaveIdentityExpectation can be matched against an EnclaveIdentity by an authorization authority of compatible type.

reference_identity (EnclaveIdentity; required: No)
    A reference identity against which a target identity is matched. reference_identity, when combined with match_spec, specifies the expected enclave identity that is authorized for a particular purpose (e.g., having access to a sealed secret, or being able to make a particular RPC).

match_spec (bytes; required: No)
    Bytes describing how the reference_identity should be matched against the target identity. The interpretation of these bytes is specific to the authorization authority.
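As an added illustration (not code from this page or from the project it documents), the following Python models the messages above and shows how a hypothetical authorization authority could match a target EnclaveIdentity against an EnclaveIdentityExpectation. The match_spec encoding (a bitmask over the identity bytes), the authority name "ExampleAuthority" and the 8-byte toy identity layout are assumptions of the example; a real authority defines its own match_spec interpretation.

```python
from dataclasses import dataclass
from enum import Enum

EnclaveIdentityType = Enum("EnclaveIdentityType", "UNKNOWN_IDENTITY NULL_IDENTITY CODE_IDENTITY CERT_IDENTITY")

@dataclass(frozen=True)
class EnclaveIdentityDescription:
    identity_type: EnclaveIdentityType
    authority_type: str

@dataclass(frozen=True)
class EnclaveIdentity:
    description: EnclaveIdentityDescription
    identity: bytes
    version: str = ""

@dataclass(frozen=True)
class EnclaveIdentityExpectation:
    reference_identity: EnclaveIdentity
    match_spec: bytes

def matches_expectation(exp, target):
    # Hypothetical authority rule: match_spec is a bitmask over the identity bytes.
    # A set bit means that bit of target must equal the reference; a clear bit is
    # "don't care". Real authorities define their own match_spec encoding.
    ref = exp.reference_identity
    # Only identities of the same type handled by the same authority are comparable.
    if target.description != ref.description:
        return False
    if not (len(ref.identity) == len(target.identity) == len(exp.match_spec)):
        return False
    # Accumulate instead of returning early so timing does not leak the first mismatch.
    diff = 0
    for r, t, m in zip(ref.identity, target.identity, exp.match_spec):
        diff |= (r ^ t) & m
    return diff == 0

# Constructed sample: 8-byte toy identity = 4-byte code hash, 2-byte version,
# 2-byte flags. The expectation pins hash and flags but lets the version float.
DESC = EnclaveIdentityDescription(EnclaveIdentityType.CODE_IDENTITY, "ExampleAuthority")
EXPECTATION = EnclaveIdentityExpectation(
    reference_identity=EnclaveIdentity(DESC, bytes.fromhex("aabbccdd00020001"), "v1"),
    match_spec=bytes.fromhex("ffffffff0000ffff"),
)
NEWER_VERSION = EnclaveIdentity(DESC, bytes.fromhex("aabbccdd00030001"), "v1")
OTHER_CODE = EnclaveIdentity(DESC, bytes.fromhex("aabbccde00020001"), "v1")
```

NEWER_VERSION satisfies the expectation because the version bytes are masked out, while OTHER_CODE fails on the pinned hash; an identity whose description names a different authority_type never reaches the byte comparison.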

AssertionDescription

Describes an assertion that is requested, offered, or presented.

identity_type (EnclaveIdentityType; required: No)
    The type of enclave identity that is asserted by this assertion.

authority_type (string; required: No)
    The combination of authority_type and identity_type uniquely identifies the assertion authority that operates on this assertion. An assertion authority is responsible for generating, verifying, requesting, or offering assertions that originate from a particular enclave architecture or technology and that assert a particular type of enclave identity.

    authority_type is defined as a string for extensibility purposes and to allow the range of possible assertion types to be diversified. authority_type typically identifies the underlying enclave architecture or a third party authority, like a certification authority, but may also identify some additional feature of the authority. It is possible to define multiple assertion authorities for the same enclave technology and enclave identity type if these authorities differ in terms of some additional behavior.

    authority_type cannot contain the '#' character. Additionally, the authority type "Any" is reserved for assertions that are not associated with any particular authority (e.g. the null assertion).

AssertionOffer

Describes an assertion that is offered by an entity.

An AssertionOffer may optionally include any additional information that is needed by the receiving party to process such an offer.

description (AssertionDescription; required: No)
    Describes the offered assertion. description.identity_type is the type of enclave identity that is asserted in the offered assertion. description.authority_type is the type of assertion authority capable of verifying the assertion.

additional_information (bytes; required: No)
    Additional information that is associated with an assertion that asserts description.identity_type and that is verified by the authority description.authority_type. The interpretation of these bytes is up to the assertion-verification authority that processes assertions matching description.

    For example, this may contain any information that is needed by the receiving party to do any of the following:

      • Determine whether an assertion of this type can be verified
      • Verify an assertion of this type

AssertionRequest

Describes an assertion that is requested by an entity.

An AssertionRequest may optionally include any additional information that is needed by the receiving party to handle such a request.

description (AssertionDescription; required: No)
    Describes the requested assertion. description.identity_type is the type of enclave identity asserted in the requested assertion. description.authority_type is the type of assertion authority capable of generating the assertion.

additional_information (bytes; required: No)
    Additional information that is associated with an assertion that asserts description.identity_type and that is verified by the authority description.authority_type. The interpretation of these bytes is up to the assertion-generation authority that processes assertions matching the description.

    For example, this may contain any information that is needed by the receiving party to do any of the following:

      • Determine whether an assertion of this type is appropriate to generate
      • Generate an assertion of this type

Assertion

A cryptographically-verifiable statement of an identity.

description (AssertionDescription; required: No)
    Describes the presented assertion. description.identity_type is the type of enclave identity that is asserted. description.authority_type is the type of assertion authority that is capable of verifying the assertion.

assertion (bytes; required: No)
    Bytes containing the assertion. The interpretation of these bytes is up to the assertion-verification authority that verifies assertions matching description.
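An added example (not the project's own code) of the assertion lifecycle described above: a constructed HMAC-based authority generates an Assertion, a registry keyed on the (identity_type, authority_type) pair routes a presented Assertion to the single authority that can verify it, and successful verification yields the EnclaveIdentity the assertion carries. The '#' separator in the authority id, the authority name "ToyMac", the demo key and the HMAC scheme are assumptions of the example; a real assertion authority would rely on the enclave platform's attestation mechanism.

```python
import hashlib, hmac
from dataclasses import dataclass
from enum import Enum

EnclaveIdentityType = Enum("EnclaveIdentityType", "UNKNOWN_IDENTITY NULL_IDENTITY CODE_IDENTITY CERT_IDENTITY")

@dataclass(frozen=True)
class AssertionDescription:
    identity_type: EnclaveIdentityType
    authority_type: str

@dataclass(frozen=True)
class Assertion:
    description: AssertionDescription
    assertion: bytes

@dataclass(frozen=True)
class EnclaveIdentity:
    description: AssertionDescription  # EnclaveIdentityDescription has the same two fields
    identity: bytes
    version: str = ""

def authority_id(desc):
    # (identity_type, authority_type) names exactly one authority. This example
    # joins the pair with '#', so a '#' inside authority_type would be ambiguous.
    if "#" in desc.authority_type:
        raise ValueError("authority_type must not contain '#'")
    return f"{desc.identity_type.name}#{desc.authority_type}"

# Constructed stand-in for a real attestation mechanism (not part of the project):
# the assertion is identity bytes plus an HMAC-SHA256 tag under the authority's key.
TOY_DESC = AssertionDescription(EnclaveIdentityType.CODE_IDENTITY, "ToyMac")
TOY_KEY = b"constructed-demo-key"
def toy_generate(identity):
    tag = hmac.new(TOY_KEY, identity, hashlib.sha256).digest()
    return Assertion(TOY_DESC, identity + tag)
def toy_verify(a):
    # Reject assertions that name another authority, are too short, or fail the tag check.
    if a.description != TOY_DESC or len(a.assertion) <= 32:
        return None
    body, tag = a.assertion[:-32], a.assertion[-32:]
    if not hmac.compare_digest(tag, hmac.new(TOY_KEY, body, hashlib.sha256).digest()):
        return None
    return EnclaveIdentity(a.description, body, version="toy-v1")

# Verifiers keyed by authority id; an Assertion is routed to the authority its description names.
REGISTRY = {authority_id(TOY_DESC): toy_verify}
def extract_identity(a):
    verify = REGISTRY.get(authority_id(a.description))
    return verify(a) if verify else None
```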

EnclaveIdentityType

A categorization class of identity.

UNKNOWN_IDENTITY

NULL_IDENTITY
    An identity used by entities without cryptographic credentials.

CODE_IDENTITY
    A cryptographically-verifiable identity that can specify the code being run by an entity, the environment in which the code is run, and other parameters that may affect code execution.

CERT_IDENTITY
    An identity used by entities that possess credentials issued by a certificate authority.