
Microsoft’s emphasis on driving attestation standards and fostering trust in Azure Attestation


Microsoft Azure Attestation empowers Azure confidential computing (ACC) customers to ensure the security and integrity of their sensitive workloads, providing them with unparalleled protection and peace of mind. We firmly believe that giving customers the ability to establish outright trust with our services is a vital aspect of providing security assurances. Further, customers are also seeking a seamless and interoperable experience for attesting trusted execution environments (TEEs) across clouds. To offer this experience, attestation standardization is crucial.


Therefore, advancing attestation standards and ensuring customers’ trust are paramount to Microsoft. In this article, we will discuss our progress and future plans for achieving these objectives.

 

Microsoft’s efforts to promote attestation standardization

Standardization in the attestation space would give customers greater flexibility, as they would be able to switch between different attestation solutions to suit their specific needs. Standardizing the attestation result format is important for interoperability, and we are currently placing a high priority on this initiative. In pursuit of this goal, Microsoft is actively contributing to discussions in the IETF Remote ATtestation procedureS (RATS) and Trusted Execution Environment Provisioning (TEEP) working groups. Microsoft serves as a document editor for the RATS architecture, TEEP architecture, HTTP transport for TEEP and TEEP protocol specifications. Microsoft is also co-chairing the Attestation SIG in the Confidential Computing Consortium (CCC), to promote contributions to open-source attestation solutions and achieve interoperability.

 

In addition to promoting attestation standards, we are also committed to incorporating standards within Azure Attestation. The attestation token generated by Azure Attestation adheres to the IETF Entity Attestation Token (EAT) format. The token includes claims defined in the IETF EAT draft and JWT specifications. To stay current with evolving standards, we will continuously monitor and aim to implement any new standardized claims within the attestation token.

 

We welcome the opportunity to collaborate on the unification of EAT-aligned attestation token formats with any current or future attestation solutions. If you are interested, please initiate a request for collaboration here.

 

Establishing trust in Azure Attestation

Azure Attestation protects customers’ data in use by running its critical operations inside an Intel® Software Guard Extensions (Intel® SGX) enclave. Critical operations of the service, such as quote validation, token generation, policy evaluation and token signing, are performed in an enclave to ensure that Microsoft cannot interfere in the attestation process. Therefore, establishing trust with the service includes steps to validate its implementation within an enclave. Today, Azure Attestation customers can perform the steps outlined below:

 

1. Verify integrity of the attestation token generated by the service
2. Confirm SGX implementation of the service
3. Validate binding of the attestation token with SGX implementation of the service
4. Confirm if the attestation token originates from the legitimate Azure Attestation, based on the service code measurements
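
A sketch of steps 3 and 4, added here as an illustration and not taken from Microsoft's samples or the Azure Attestation code. It assumes the binding is a SHA-256 digest of the token signing key in the first 32 bytes of the quote's report data (the page does not state the mechanism), that steps 1 and 2 (token signature and quote verification) have already passed, and that trusted measurements were obtained out of band; all function names are hypothetical.

```python
import hashlib
import hmac

# Intel SGX ECDSA quote layout: 48-byte header, then a 384-byte report body.
HEADER_LEN, REPORT_BODY_LEN = 48, 384
MRENCLAVE = slice(HEADER_LEN + 64, HEADER_LEN + 96)
MRSIGNER = slice(HEADER_LEN + 128, HEADER_LEN + 160)
REPORT_DATA = slice(HEADER_LEN + 320, HEADER_LEN + 384)


def parse_measurements(quote: bytes) -> dict:
    """Extract the report-body fields needed for steps 3 and 4."""
    if len(quote) < HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short to contain a report body")
    return {"mrenclave": quote[MRENCLAVE], "mrsigner": quote[MRSIGNER],
            "report_data": quote[REPORT_DATA]}


def check_service_quote(quote, signing_key_der, trusted_mrsigner, trusted_mrenclaves):
    """Return a list of failures; an empty list means steps 3 and 4 passed."""
    fields = parse_measurements(quote)
    failures = []
    # Step 3 (assumed binding): report data begins with SHA-256 of the key
    # that signs tokens, tying that key to the attested enclave.
    digest = hashlib.sha256(signing_key_der).digest()
    if not hmac.compare_digest(fields["report_data"][:32], digest):
        failures.append("token signing key is not bound to the quote")
    # Step 4: code measurements must match values obtained out of band.
    if fields["mrsigner"] != trusted_mrsigner:
        failures.append("unexpected MRSIGNER")
    if fields["mrenclave"] not in trusted_mrenclaves:
        failures.append("unexpected MRENCLAVE")
    return failures


def build_sample_quote(key_der, mrenclave, mrsigner):
    """Constructed input: a zero-filled quote with only three fields set."""
    quote = bytearray(HEADER_LEN + REPORT_BODY_LEN)
    quote[MRENCLAVE] = mrenclave
    quote[MRSIGNER] = mrsigner
    quote[REPORT_DATA] = hashlib.sha256(key_der).digest() + bytes(32)
    return bytes(quote)


if __name__ == "__main__":
    key, enc, sig = b"constructed signing key", b"\xaa" * 32, b"\xbb" * 32
    sample = build_sample_quote(key, enc, sig)
    print(check_service_quote(sample, key, sig, {enc}))
    print(check_service_quote(sample, b"substituted key", sig, {enc}))
```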

 

To learn more and view code samples, see the Azure Attestation documentation. If you require additional measures to ensure trust in our service, please submit a support ticket here.

 

Future roadmap

Our ultimate goal is to empower Azure customers with unconditional real-time trust in confidential computing services like Azure Attestation. We will strive to offer new options to cater to your transparency requirements and publish blogs to boost trust in Azure Attestation. To reach a definitive outcome in regard to attestation standards, we are committed to continuously making valuable contributions to the attestation industry.
