Keylime currently operates on a pull basis which means that the tenant or verifier connect to the agent to collect attestation data. Therefore they need to know the IP and Port to connect to beforehand and this currently cannot change during attestation. This works fine in most virtualized environments where all the devices are in the same network, but not for edge devices or in BYOD contexts. There are workarounds using VPNs/overlay networking using OpenVPN, ZeroTier, Nebula etc. but none of them provide an ideal solution.
- Identity quote: The purpose of the identity quote is to prove to the tenant that the NK (also called transport key) belongs to the same TPM as the agent. The NK is used for encrypting the U and V key during transport and is the also the key of mTLS certificate of the agent. The tenant uses this feature. This is also done to ensure that the agent behind that IP is still the same that registered by val