Tobin Feldman-Fitzthum
Ok, I finally read @Xynnn007's response above and I have looked through the spec. I think we can integrate EAR, but there is one potential problem. First, the good news....
Ok, I've actually started to work on this. PR should be ready in a few days.
It seems like one of the main concrete suggestions here is to update the RVPS to allow reference values to be grouped in terms of the so-called Target Environment. This...
Maybe we should try to come up with examples of exactly what the end-to-end flow would look like. Ultimately the goal is that users should be able to provision the...
I think the default attestation policy is the same https://github.com/confidential-containers/kbs/blob/main/attestation-service/attestation-service/src/policy_engine/opa/default_policy.rego We recently changed the default resource policy.
@Xynnn007 and @jialez0 and maybe @anakrish I am thinking about replacing our Go OPA stuff with [Regorus](https://github.com/microsoft/regorus). I have a couple of questions. First, Regorus doesn't support all of OPA....
Btw I should have a PR for switching to Regorus ready in the next few days.
I think these issues have been resolved with our switch to regorus and some parsing tweaks.
> Doesn't CDH always need to retrieve secrets from a (resource) KBS, in both passport and bgcheck scenarios? Otherwise the KMS would need to be enlightened to understand AS/KBS tokens....
Many permutations of the KBS/AS are possible. It's a bit of a challenge to outline them all, so I agree that we should pick a couple that we can document...