Questions About Repository Stability and Future Updates #2

Open
dailinsubjam opened this issue Dec 12, 2024 · 3 comments

@dailinsubjam

Hi,
Thank you for creating and sharing this great repository for verifying Nitro enclave attestations! I’ve been exploring the code, and it’s very impressive. However, I have a few questions I’d like to clarify before using it in a real deployment, as I noticed recent commits include some refactors and reintroduced tests:

  1. Has the code been audited for security?
  2. Do you anticipate any major refactors or updates in the future?
  3. Which parts of the codebase do you consider stable and safe for production use?

I understand that open-source maintenance can be challenging, and I truly appreciate your efforts. Any guidance you can provide would be incredibly helpful!

Thanks in advance, and looking forward to hearing from you.

@Sneh1999

@prateekreddy @mdehoog If you could answer this, it would be really helpful for us. Thank you!

@prateekreddy
Member

Hi @dailinsubjam,

Thank you for your kind words and for your interest in the repository!

To address your questions:

  1. Code Audit: The code hasn’t undergone a formal security audit yet.
  2. Updates and Refactors: We are currently updating the P384 library with ECDSA384 and have plans to add certificate extension verification.
  3. Stability for Production: The repository includes tests, but since the code hasn’t been formally audited, we recommend conducting your own assessments before deploying it in production. Additionally, we’ve implemented a ZK-based attestation verifier here if that interests you.

Please feel free to reach out with any further questions or feedback!

@dailinsubjam
Author

@prateekreddy Thank you for the detailed response! We'll reach out if we have further questions.
