On Mon, Nov 19, 2018 at 08:59:24AM -0800, Andy Lutomirski wrote:
> The idea here is that, under normal circumstances, provisioning only
> runs once, or at least only runs rarely. So, rather than the SDK
> running provisioning whenever it feels like doing so (which is the
> current behavior, I imagine, although I haven't looked), there would
> be a privileged program, perhaps a systemd unit that runs when needed,
> that produces the key material needed for remote attestation, and
> non-root users that need attestation would get the keying material
> from the provisioning service. And the provisioning service could
> implement its own policy. Ideally, the service wouldn't give the
> sealed keys to users at all but would, instead, just provide the
> entire attestation service over a UNIX socket, which would make
> provisioning capabilities revocable.
>
> Does this make sense?

Yes, it does for me at least now that you brought some context.

/Jarkko