Good paper so far but I wonder whether we got the final version of it.

In the Confidential AI section we encounter ??? as if there is an incomplete thought or more to be added here.

>The enclave may, for example, enforce differential privacy by limiting the number of times the model is queried and adding noise to their results. ????

I thought this might be a one-off but I made it into the Key Management and Attestation Services section and found several more clustered.

>The TEE may then use these credentials to access tenant data. It may, for example, present a token issued by the attestation service to obtain the current decryption key from an HSM. ????

This one even has an incomplete sentence at the start.

>Thus, the service can support precise, stateful policy statements of the form, ???This task must run within an SGX enclave, on an Intel SGX v2.1 platform, deployed in the German Azure data center, in a VM allocated to the tenant, supported by certificates that are valid as of today,??? rather than just, ???This task must run within an enclave.???

Near the end in the Code Transparency discussion there is another case where perhaps they intended to phrase something differently.

>The code transparency service can also be used to mitigate software supply chain?? attacks, because it provides auditable provenance and chain-of-custody for a software bill of materials (SBoM).

There is a lot of great information in this paper about the direction that is currently being taken to build a system where cloud data can be reliably guaranteed to be encrypted and protected from unauthorized access using hardware and software tools. I am no expert on this but I do follow emerging trends and research just for the opportunity to learn outside my own discipline.

I see in the biographies that most of the authors are associated with Microsoft. Perhaps the corrected version of this will come on the next Patch Tuesday? (LOL)

That is not intended as a knock on Microsoft. I have used Microsoft OSes, software tools, and hardware (still use a Windows Phone in fact) since the mid-1980's when I was in college. When I saw Russinovich on the author list I knew that the quality of the work would be pretty high. I have a high level of trust in him and the tools that he has built over the years.