zlacker

1. jivetu+(OP) 2021-04-07 15:48:32
> It’s client apps who verify (via attestation) that the code inside an SGX enclave is what they expect it to be, and clients are open source.

If the attestation signature matches the published enclave code, then we can know if there's a match. So either there's a missing mitigation, which no one ever has complained about, or the running enclave code doesn't match the source, which also no one ever has complained about. Without independent audit, there is no verification and we have established that independent parties do not care.

> Only private contact discovery depends on trusting SGX.

uh, no. this is demonstrably and obviously wrong.

replies(2): >>feanar+W3 >>tylers+D8
2. feanar+W3 2021-04-07 16:04:26
>>jivetu+(OP)
> uh, no. this is demonstrably and obviously wrong.

Yes? How?

3. tylers+D8 2021-04-07 16:25:03
>>jivetu+(OP)
Then please demonstrate.