I am sceptical, my bullshit detector beeps.

Secure enclaves are useful in local devices that anyone can audit. Even proprietary iPhones are audited by the great independent hackers who love to get proof that Apple lied.

But how can you be sure that an AWS instance actually runs some hardware that can guarantee something? How do you know you are not talking with an emulation of that crypto element? How can an independent hacker do his research without the operator knowing?


Discussion

AWS is probably not the best way to run it. How you can know is when it's attested by the Intel/AMD secure element. At that point, the key is signed by Intel/AMD. And they have no idea what and where it is running; it's the processor signing. How can you be sure you are not talking to an emulation? As long as you can't extract the key from the chip, or convince Intel to sign a bogus key, you're fine. It's not 100% foolproof, but for a Cashu wallet, it's enough.

I would also like to see mints running like this; that would be even better.

And yes, there are cloud providers that give you CPU attestation, even Amazon, although not through AWS Nitro Enclaves:

If you want the hardware (CPU-vendor) to be the root of trust (instead of a cloud-proprietary PKI like AWS Nitro), look for offerings built on Intel SGX/TDX or AMD SEV-SNP. Those produce attestation evidence signed by the CPU vendor’s silicon/firmware keys.

Microsoft Azure — Intel SGX VMs (DCsv series). SGX quotes are validated against Intel’s root (IAS/DCAP). Microsoft’s Azure Attestation can broker verification, but it explicitly checks that the quote’s trusted root “belongs to Intel.”

Google Cloud — Confidential VMs (AMD SEV-SNP / Intel TDX). You can request an attestation report directly from the AMD Secure Processor (for SNP) or TDX module and verify it against the vendor chain (AMD ARK/ASK or Intel).

AWS — EC2 instances with AMD SEV-SNP. Separate from Nitro Enclaves, EC2 SNP instances expose the AMD-signed attestation report and cert chain (ARK/ASK/VCEK) for you to verify.

Oracle Cloud (OCI) — Confidential Compute (AMD SEV/SEV-SNP). OCI’s confidential VMs run on AMD EPYC; attestation follows the AMD SNP model, i.e., hardware report verifiable against AMD’s KDS certs.

IBM Cloud — Hyper Protect Virtual Servers (IBM Z Secure Execution). Attestation is rooted in IBM’s CPU/platform (vendor hardware trust), not a third-party cloud PKI.

Smaller VPS/bare-metal providers with AMD SEV-SNP also exist; they expose the AMD report so you verify against AMD’s ARK/ASK (example walkthrough shows fetching those from AMD’s KDS).

Rule of thumb: If the service is SGX/TDX or SEV-SNP based, the attestation evidence chains to Intel or AMD. If it’s a proprietary enclave layer (e.g., AWS Nitro Enclaves), attestation chains to the cloud provider’s PKI.
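The rule of thumb above, as an added worked example (this is not code from the thread, from AMD, or from any of the providers named): a relying party verifies an SEV-SNP-style attestation report by first checking that the signing certificate chains to a pinned vendor root, and only then checking the report signature, the freshness nonce, and the measurement. The ARK/ASK/VCEK chain is minted locally as a stand-in so the example runs offline; the report layout (signed region of 0x2A0 bytes, report_data at 0x50, measurement at 0x90, r and s stored as 72-byte little-endian fields after the signed region) is taken from the SEV-SNP ABI; only the Go standard library is used. The second half of the scenario is the emulation case from the original question: a report whose signature is perfectly valid under a key that chains to some other root (a cloud PKI, or an emulator minting its own "VCEK") is rejected because the pinned root is not its root.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// SEV-SNP report layout (from the ABI spec): bytes [0, 0x2A0) are signed; r and s follow at 0x2A0, 72 bytes LE each; total 0x4A0.
const reportLen, signedLen, sigLen, reportDataOff, measurementOff = 0x4A0, 0x2A0, 72, 0x50, 0x90

// pair is a key plus its cert: a locally minted stand-in for ARK, ASK, VCEK or a cloud CA (constructed for this example).
type pair struct{ key *ecdsa.PrivateKey; cert *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mintCert issues a P-384 cert signed by parent (nil = self-signed root). Real ARK/ASK/VCEK come from AMD's KDS.
func mintCert(parent *pair, isCA bool) *pair {
	key := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent = &pair{key, tmpl} // self-signed: template is its own issuer
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key))
	return &pair{key, must(x509.ParseCertificate(der))}
}

// reverse bridges the report's little-endian r/s fields and big.Int's big-endian bytes.
func reverse(b []byte) []byte {
	out := make([]byte, len(b))
	for i, v := range b {
		out[len(b)-1-i] = v
	}
	return out
}

// signReport builds a constructed report and signs its first 0x2A0 bytes with the VCEK (ECDSA P-384 / SHA-384), as the AMD Secure Processor does.
func signReport(reportData, measurement []byte, vcek *ecdsa.PrivateKey) []byte {
	report := make([]byte, reportLen)
	copy(report[reportDataOff:reportDataOff+64], reportData)
	copy(report[measurementOff:measurementOff+48], measurement)
	digest := sha512.Sum384(report[:signedLen])
	r, s, err := ecdsa.Sign(rand.Reader, vcek, digest[:])
	if err != nil {
		panic(err)
	}
	copy(report[signedLen:], reverse(r.FillBytes(make([]byte, sigLen))))
	copy(report[signedLen+sigLen:], reverse(s.FillBytes(make([]byte, sigLen))))
	return report
}

// verifyReport is the relying party. Order matters: ASK signed by the *pinned* ARK, VCEK signed by that ASK, report signed by
// the VCEK, report_data echoing our fresh nonce. Only then is the measurement worth reading.
func verifyReport(report []byte, vcek, ask, pinnedARK *x509.Certificate, nonce []byte) ([]byte, error) {
	if err := ask.CheckSignatureFrom(pinnedARK); err != nil {
		return nil, fmt.Errorf("ASK not signed by pinned vendor root: %w", err)
	}
	if err := vcek.CheckSignatureFrom(ask); err != nil {
		return nil, fmt.Errorf("VCEK not signed by ASK: %w", err)
	}
	if len(report) != reportLen {
		return nil, fmt.Errorf("bad report length %d", len(report))
	}
	digest := sha512.Sum384(report[:signedLen])
	r := new(big.Int).SetBytes(reverse(report[signedLen : signedLen+sigLen]))
	s := new(big.Int).SetBytes(reverse(report[signedLen+sigLen : signedLen+2*sigLen]))
	if !ecdsa.Verify(vcek.PublicKey.(*ecdsa.PublicKey), digest[:], r, s) {
		return nil, fmt.Errorf("report signature invalid (tampered, or signed by another key)")
	}
	if !bytes.Equal(report[reportDataOff:reportDataOff+len(nonce)], nonce) {
		return nil, fmt.Errorf("report_data does not echo our nonce (replayed report?)")
	}
	return report[measurementOff : measurementOff+48], nil
}

// scenario: a chain rooted at the pinned ARK verifies; a chain rooted elsewhere (cloud PKI or emulator) is rejected despite a valid signature.
func scenario() (genuine, foreignRoot bool) {
	ark := mintCert(nil, true)   // stand-in for the AMD root we pin
	ask := mintCert(ark, true)   // intermediate
	vcek := mintCert(ask, false) // per-chip signing key
	nonce := []byte("constructed nonce; fresh per request in real use")
	measurement := bytes.Repeat([]byte{0xAB}, 48)
	m, err := verifyReport(signReport(nonce, measurement, vcek.key), vcek.cert, ask.cert, ark.cert, nonce)
	genuine = err == nil && bytes.Equal(m, measurement)
	cloudCA := mintCert(nil, true)  // some other root: a cloud PKI, or an emulator
	emu := mintCert(cloudCA, false) // valid key, wrong root
	_, err = verifyReport(signReport(nonce, measurement, emu.key), emu.cert, cloudCA.cert, ark.cert, nonce)
	return genuine, err == nil
}

func main() { fmt.Println(scenario()) }
```

Running it prints true false: the pinned-root chain verifies and the foreign-root chain does not, which is the whole difference between "chains to AMD" and "chains to the provider's PKI". What this example leaves out, and a real SNP verifier also does: fetch the VCEK from AMD's KDS for the report's chip_id and reported TCB, check the TCB and guest policy fields, and compare the returned measurement against the expected launch digest instead of just handing it back.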