# Concepts

A **workload identity** is the specific software running in an enclaved virtual machine that you want to check. That is, you need to ensure it is running on a machine precisely as intended, meaning that (a) data and code are concealed from the underlying infrastructure operator, and (b) data and code are free from unauthorized modification.

The checklist covers different aspects, or **identities**, of the setup. This could include checks about:

* physical machine ("platform")
* basic software that starts the computer ("firmware")
* specific programs, modules, or drivers ("workload")
* any extra details about the environment ("metadata")

The **policy** is like a checklist you create beforehand for the workload identity. It lists all the claims you expect to be true about the running workload for it to be considered safe and trustworthy. The policy is composed of the four identities — platform, firmware, workload, metadata — and of policies describing how to verify each identity claim.

Additionally, objects for attestation life-cycle management are introduced. They include **annotation** to add semantics to attestation reports, **log** for programmatic auditing and reporting, and time-based one-time password (**TOTP**) allowing for fully automated registration of machine identities.

| JSON Object | Description                                                                                                              |
| ----------- | ------------------------------------------------------------------------------------------------------------------------ |
| Annotation  | Key-value store that maps cryptographic report data to human-readable names                                              |
| Attestation | Process of proving that a workload fulfills the identity claims                                                          |
| Identity    | Claims related to the hardware platform and software computing base, which can be combined to form the workload identity |
| Logs        | Audit logs to trace attestation requests                                                                                 |
| Policy      | Rules determining which identity claims need to be fulfilled to identify a workload                                      |
| TOTP        | Time-based one-time token used to update the attestation                                                                 |
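The following is an added example, not the project's own code or its JSON policy format, showing how a policy composed of the four identities is evaluated against an attestation report, how an annotation makes the resulting log readable, and why a claim that is missing from the report must count as a failure rather than a pass. The identity claim names, the digests, and the report layout are constructed for illustration.

```python
# Added example: evaluating a workload-identity policy against an attestation
# report. Claim names, digests and the report layout are constructed and do not
# reflect the project's real schema.
import hashlib
import hmac
from typing import Any, Dict, List, Tuple

IDENTITIES = ("platform", "firmware", "workload", "metadata")
MISSING = object()  # sentinel for a claim the report does not carry


def digest(data: bytes) -> str:
    """Hex SHA-256, standing in for the measurement of a firmware or workload image."""
    return hashlib.sha256(data).hexdigest()


# Constructed "golden" measurements of the images we intend to run.
FIRMWARE_DIGEST = digest(b"constructed firmware image v1")
KERNEL_DIGEST = digest(b"constructed kernel image v1")

# The policy: for each identity, the claims that must hold exactly.
POLICY: Dict[str, Dict[str, Any]] = {
    "platform": {"vendor": "ExampleVendor", "tee": "example-cvm", "debug": False},
    "firmware": {"firmware_digest": FIRMWARE_DIGEST},
    "workload": {"kernel_digest": KERNEL_DIGEST},
    "metadata": {"region": "eu-west-1", "owner": "payments"},
}

# Annotation: maps opaque cryptographic values to human-readable names for logs.
ANNOTATIONS = {FIRMWARE_DIGEST: "firmware v1", KERNEL_DIGEST: "kernel v1"}


def describe(value: Any) -> str:
    """Render a claim value for a log line, using the annotation where one exists."""
    if value is MISSING:
        return "<missing>"
    if isinstance(value, str) and value in ANNOTATIONS:
        return f"{ANNOTATIONS[value]} ({value[:12]}...)"
    return repr(value)


def claim_matches(expected: Any, actual: Any) -> bool:
    """Compare one claim. Strings (digests) use a constant-time comparison;
    other values must match in both type and value, so 0 is not False."""
    if isinstance(expected, str) and isinstance(actual, str):
        return hmac.compare_digest(expected.encode(), actual.encode())
    return type(expected) is type(actual) and expected == actual


def evaluate(policy: Dict[str, Dict[str, Any]],
             report: Dict[str, Dict[str, Any]]) -> Tuple[bool, List[str], List[dict]]:
    """Return (verdict, failed claims, audit log).

    Every claim listed in the policy must be present in the report and match.
    A claim the report does not carry is a failure: the attester cannot be
    given credit for something it never proved."""
    failures: List[str] = []
    log: List[dict] = []
    for identity in IDENTITIES:
        for claim, expected in policy.get(identity, {}).items():
            actual = report.get(identity, {}).get(claim, MISSING)
            ok = actual is not MISSING and claim_matches(expected, actual)
            log.append({
                "identity": identity, "claim": claim,
                "expected": describe(expected), "actual": describe(actual),
                "result": "pass" if ok else "fail",
            })
            if not ok:
                failures.append(f"{identity}.{claim}")
    return (not failures, failures, log)


def good_report() -> Dict[str, Dict[str, Any]]:
    """Constructed report from a machine that matches the policy exactly."""
    return {
        "platform": {"vendor": "ExampleVendor", "tee": "example-cvm", "debug": False},
        "firmware": {"firmware_digest": FIRMWARE_DIGEST},
        "workload": {"kernel_digest": KERNEL_DIGEST},
        "metadata": {"region": "eu-west-1", "owner": "payments"},
    }


def tampered_report() -> Dict[str, Dict[str, Any]]:
    """Constructed report with debug mode on, an unexpected kernel image,
    and the owner claim omitted entirely."""
    report = good_report()
    report["platform"]["debug"] = True
    report["workload"]["kernel_digest"] = digest(b"some other kernel image")
    del report["metadata"]["owner"]
    return report


if __name__ == "__main__":
    for name, rep in (("good", good_report()), ("tampered", tampered_report())):
        verdict, failed, audit = evaluate(POLICY, rep)
        print(f"{name}: {'PASS' if verdict else 'FAIL'} {failed}")
        for entry in audit:
            print("  ", entry)
```

The log entries produced by `evaluate` are the audit trail the page's **log** object is meant to hold; annotating the digests is what turns a line like `fail workload.kernel_digest` into something an operator can act on without a lookup table.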
