
Serve noise.ita_token so clients verify without an Intel account#267

Merged
posix4e merged 1 commit into main from feature/agent-noise-ita-token on May 30, 2026

Conversation

@posix4e
Member

@posix4e posix4e commented May 29, 2026

What

The agent already mints an ITA token for CP registration (over a freshness nonce). Clients connecting directly over Noise had to mint their own appraisal of the agent's separate Noise quote — which required every client to hold an Intel Trust Authority API key. But minting needs a key; verifying only needs Intel's public JWKS.

This mints a second token over the Noise quote (the one binding the Noise pubkey into report_data) and serves it on /health as noise.ita_token, refreshed alongside the registration token.

Why

Lets dd-client (and any client) verify the agent's attestation against the public JWKS — no API key, no Intel account — instead of minting. The account-bearing step stays on the agent, which is already provisioned for it. Full independent attestation is preserved.

Safety

Additive — quote_b64/pubkey_hex stay for older / --insecure-skip clients. Safe to merge & deploy; unlocks the keyless client path. Pairs with devopsdefender/dd-client feature/structured-client.

🤖 Generated with Claude Code

The agent already mints an Intel Trust Authority token for CP registration
(over a freshness nonce). Clients connecting directly over Noise had to mint
their own appraisal of the agent's separate Noise quote, which required every
client to hold an ITA API key (an Intel account) — minting needs a key, but
verifying a token only needs Intel's public JWKS.

Mint a second token over the Noise quote (the one binding the Noise pubkey into
report_data) and serve it on /health as noise.ita_token, refreshed alongside the
registration token. Clients now verify this token against the public JWKS — no
account — and check the report_data binding, instead of minting. Additive: the
existing quote_b64/pubkey_hex fields stay for older/insecure-skip clients.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

DD preview ready

URL: https://pr-267.devopsdefender.com

Browser login: visit https://pr-267.devopsdefender.com — DD redirects you to the GitHub App auth broker. A DD session cookie scoped to .devopsdefender.com lets the preview, fleet, and shell hosts share the same login.

Machine-to-machine: GitHub Actions workflows in the DD_OWNER org pass their per-job OIDC JWT as Authorization: Bearer … (audience dd-agent).

Register endpoint for a local agent: https://pr-267.devopsdefender.com/register
(authenticated by ITA attestation).

@posix4e posix4e merged commit 4100a12 into main May 30, 2026
3 checks passed
@posix4e posix4e deleted the feature/agent-noise-ita-token branch May 30, 2026 13:46
posix4e added a commit that referenced this pull request May 30, 2026
Revert to May-10 working state (back out #267, #269, #268)
posix4e added a commit that referenced this pull request May 30, 2026