
Commit eeaa402

Merge pull request #219835 from mssindhurid/main
guidance on MAA mrsigner
2 parents 6c81d05 + 9359377 commit eeaa402


1 file changed: +16 -0 lines changed

articles/attestation/overview.md

Lines changed: 16 additions & 0 deletions
@@ -75,6 +75,22 @@ Azure Attestation is the preferred choice for attesting TEEs as it offers the fo
7575
- Protects its data while-in use with implementation in an SGX enclave
7676
- Highly available service
7777

78+
## How to establish trust with Azure Attestation
79+
80+
1. **Verify if attestation token is generated by Azure Attestation** - Attestation token generated by Azure Attestation is signed using a self-signed certificate. The signing certificates URL is exposed via an [OpenID metadata endpoint](/rest/api/attestation/metadata-configuration/get?tabs=HTTP#get-openid-metadata). Relying party can retrieve the signing certificate and perform signature verification of the attestation token. See [code samples](https://github.com/Azure-Samples/microsoft-azure-attestation/blob/master/sgx.attest.sample.oe.sdk/validatequotes.net/Helpers/JwtValidationHelper.cs#L21-L22) for more information
81+
82+
2. **Verify if Azure Attestation is running inside an SGX enclave** - The token signing certificates include SGX quote of the TEE inside which Azure Attestation runs. If relying party prefers to check if Azure Attestation is running inside a valid SGX enclave, the SGX quote can be retrieved from the signing certificate and locally validated. See [code samples](https://github.com/Azure-Samples/microsoft-azure-attestation/blob/e7f296ee2ca1dd93b75acdc6bab0cc9a6a20c17c/sgx.attest.sample.oe.sdk/validatequotes.net/MaaQuoteValidator.cs#L62-L65) for more information
83+
84+
3. **Validate binding of Azure Attestation SGX quote with the key that signed the attestation token** – Relying party can verify if hash of the public key that signed the attestation token matches the report data field of the Azure Attestation SGX quote. See [code samples](https://github.com/Azure-Samples/microsoft-azure-attestation/blob/e7f296ee2ca1dd93b75acdc6bab0cc9a6a20c17c/sgx.attest.sample.oe.sdk/validatequotes.net/MaaQuoteValidator.cs#L78-L105) for more information
85+
86+
4. **Validate if Azure Attestation code measurements match the Azure published values** - The SGX quote embedded in attestation token signing certificates includes code measurements of Azure Attestation, like mrsigner. If relying party is interested to validate if the SGX quote belongs to Azure Attestation running inside Azure, mrsigner value can be retrieved from the SGX quote in attestation token signing certificate and compared with the value provided by Azure Attestation team. If you are interested to perform this validation, please submit a request on [Azure support](/support/) page. Azure Attestation team will reach out to you when Mrsigner is planned for rotation.
87+
88+
Mrsigner of Azure Attestation is expected to change when code signing certificates are rotated. Azure Attestation team will follow the below rollout schedule for every mrsigner rotation:
89+
I. Azure Attestation team will notify the upcoming MRSIGNER value with a 2 month grace period for making relevant code changes
90+
II. After the 2-month grace period, Azure Attestation will start using the new MRSIGNER value
91+
III. 3 months post notification date, Azure Attestation will stop using the old MRSIGNER value
92+
93+
7894
## Business Continuity and Disaster Recovery (BCDR) support
7995

8096
[Business Continuity and Disaster Recovery](../availability-zones/cross-region-replication-azure.md) (BCDR) for Azure Attestation enables to mitigate service disruptions resulting from significant availability issues or disaster events in a region.
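Review bot: The rollout schedule in items I to III creates an overlap in which both MRSIGNER values are live (the new value enters use at the end of the 2-month grace period, the old one is retired 3 months after notification), but neither step 4 nor the schedule tells a relying party to accept both values during that overlap; a check pinned to a single MRSIGNER will reject tokens from whichever build it is not pinned to, so the text should say explicitly that the comparison must allow the old and the new value until the old one is retired. Two smaller points: the term appears as `mrsigner`, `Mrsigner` and `MRSIGNER` within the same section, so pick one spelling; and step 3 says "hash of the public key" without naming the hash function or how the key is serialized before hashing, which a reader needs in order to reproduce the report-data check outside the linked sample.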
