| ▲ | louwrentius 5 days ago | |||||||
I don't believe in the validity of the idea of 'confidential computing' on a fundamental level. Yes, there are degrees of risk and you can pretend that the risks of third-parties running hardware for you are so reduced / mitigated due to 'confidential computing' it's 'secure enough'. I understand things can be a trade-off. Yet I still feel 'confidential computing' is an elaborate justification that decision makers can point to, to keep the status quo and even do more things in the cloud. | ||||||||
| ▲ | mnahkies 4 days ago | parent [-] | |||||||
I'm a relative layman in this area, but from my understanding, fundamentally there has to be some trust somewhere, and I think confidential computing aims to provide a way to both distribute that trust (split the responsibility between the hardware manufacturer and cloud provider, though I'm aware already sounds like a losing prop if cloud providers are also the hardware manufacturer) and provide a way to verify it's intact. Ultimately it's harder to get multiple independent parties to collude than a single entity, and for many threat models that's enough. Whether today's solutions are particularly good at delivering this, I don't know (slides linked in another comment suggest not so good), but I'm glad people are dedicating effort to trying to figure it out | ||||||||
| ||||||||