Strengthen TLS verification beyond browser defaults for DevProof applications.
Browsers trust TLS certificates based on CA signatures alone. For DevProof applications, this isn't enough:
- A CA could be compromised or coerced
- A certificate could be revoked but still accepted (delayed CRL propagation)
- A misissued certificate might not appear in CT logs

TEE oracles fetching external data need stronger guarantees.
The phala-cloud-oracle-template is a production-ready oracle that implements these hardening techniques. It builds on the concepts from this tutorial:
| This tutorial | Oracle template adds |
|---|---|
| 01-attestation | ✓ Same TDX quote binding |
| 02-kms-and-signing | ✓ Same signature chain |
| 03-gateway-and-tls | ✓ Same TLS basics |
| 04-onchain-oracle | ✓ Same on-chain verification |
| HTTPS hardening | OCSP, CRL, CT verification |

For background on the hardening techniques:
| Check | What it proves |
|---|---|
| OCSP valid | Certificate wasn't revoked at fetch time |
| CRL checked | No delayed revocation issues |
| CT logged | Certificate was publicly issued (not secret/misissued) |
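
The three checks in the table above combine into one fail-closed decision at fetch time. The sketch below is an added example, not code from the oracle template: `OcspResult`, `CrlResult`, `evaluate`, the two-SCT minimum and the seven-day OCSP age cap are assumptions for illustration, and parsing the real OCSP response, CRL and certificate is left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResult:              # hypothetical: fields of a parsed OCSP response
    cert_status: str           # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime]

@dataclass
class CrlResult:               # hypothetical: fields of a parsed CRL
    revoked_serials: frozenset
    next_update: datetime

def evaluate(serial, fetch_time, ocsp, crl, sct_count,
             min_scts=2, max_ocsp_age=timedelta(days=7)):
    """Return failure reasons; an empty list means accept. Missing evidence fails."""
    failures = []
    if ocsp is None:
        failures.append("ocsp: no response")
    else:
        if ocsp.cert_status != "good":
            failures.append(f"ocsp: status {ocsp.cert_status}")
        if ocsp.this_update > fetch_time:
            failures.append("ocsp: response dated after fetch")
        # Without nextUpdate, cap the response age ourselves (assumed limit).
        if fetch_time > (ocsp.next_update or ocsp.this_update + max_ocsp_age):
            failures.append("ocsp: stale response")
    if crl is None:
        failures.append("crl: not retrieved")
    else:
        if fetch_time > crl.next_update:
            failures.append("crl: list expired")
        if serial in crl.revoked_serials:
            failures.append("crl: serial revoked")
    if sct_count < min_scts:
        failures.append(f"ct: {sct_count} SCTs, need {min_scts}")
    return failures

# Constructed sample evidence (not real certificate data).
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
SERIAL = 0x1234
GOOD_OCSP = OcspResult("good", NOW - timedelta(hours=6), NOW + timedelta(days=3))
STALE_OCSP = OcspResult("good", NOW - timedelta(days=8), None)
CLEAN_CRL = CrlResult(frozenset(), NOW + timedelta(days=1))
REVOKING_CRL = CrlResult(frozenset({SERIAL}), NOW + timedelta(days=1))

if __name__ == "__main__":
    print(evaluate(SERIAL, NOW, GOOD_OCSP, REVOKING_CRL, sct_count=2))
```

The `REVOKING_CRL` case shows why the checks are not redundant: the OCSP answer is still "good" while the CRL already lists the serial, and the fetch is rejected.
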
- 06-encryption-freshness: Advanced — encrypted storage with rollback protection
- 07-lightclient: Advanced — verified blockchain state