Description
Currently we have the restriction that if the client wishes to provide a CVM attestation (any attestation type besides none), it must have enabled TLS client authentication and hold a CA-signed TLS certificate.
This restriction should be removed.
Why this is needed
For Buildernet node to Builderhub communication, the Buildernet node cannot generate its TLS certificate until it retrieves its domain name from Builderhub. Builderhub currently needs to be able to check an attestation before providing the domain name. This creates a chicken-and-egg problem: an attested channel cannot be established until we have an identity for the node, but we need an attested channel in order to get one.
Why this is still secure, and what the trade-offs are
Since the TLS session exporter (the exported keying material) is included in the attestation and the server is authenticated, the attestation is bound to that session and a man-in-the-middle attack is not possible. However, the long-term identity of the client is not established: we know only that it is able to produce a valid attestation. That is, there is no way of associating subsequent sessions with the same identity. This can be somewhat mitigated by Builderhub checking the client's IP address.
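To make the binding argument concrete, here is an added example in Go; it is not code from the Builderhub or Buildernet repositories. It assumes a hypothetical exporter label, models the attestation as only the report data that would go into a CVM report's user-data field (a real report is additionally signed by the CVM hardware, which is not simulated here), and uses a self-signed certificate generated at run time so the server is authenticated without a CA. The server requests no client certificate. A first session with an honest node is accepted; replaying that session's report data into a second session is rejected, because the second session's exporter value differs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// bindToSession derives the 32 bytes that stand in for the user-data field of a CVM
// attestation report from the RFC 8446 exporter (ConnectionState.ExportKeyingMaterial),
// under an assumed label; the issue does not name Builderhub's. Only the two peers of this
// exact session can compute it, so a MITM relaying a genuine report cannot reproduce it.
func bindToSession(cs tls.ConnectionState) ([32]byte, error) {
	ekm, err := cs.ExportKeyingMaterial("EXPORTER-example-cvm-attestation-binding", nil, 32)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(ekm), nil
}

// serverCert makes a throwaway self-signed certificate for 127.0.0.1 (constructed test material).
func serverCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// exchange runs one server-authenticated TLS 1.3 session without a client certificate.
// With replay set, the node sends report data captured from another session (a relaying
// attacker) instead of its own. Returns the hub's verdict and the honest node's binding.
func exchange(replay *[32]byte) (bool, [32]byte, error) {
	cert, pool := serverCert()
	// ClientAuth stays at its default, tls.NoClientCert: the hub requests no client certificate.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13})
	if err != nil {
		return false, [32]byte{}, err
	}
	defer ln.Close()
	verdict := make(chan bool, 1)
	go func() { // Builderhub side: recompute the binding from its own view of the session
		var got, want [32]byte
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if _, err = io.ReadFull(conn, got[:]); err == nil { // the first Read completes the handshake
				want, err = bindToSession(conn.(*tls.Conn).ConnectionState())
			}
		}
		verdict <- err == nil && want == got
	}()
	// Buildernet node side: verifies the server certificate, presents none of its own.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS13})
	if err != nil {
		return false, [32]byte{}, err
	}
	defer conn.Close()
	sent, err := bindToSession(conn.ConnectionState())
	if err != nil {
		return false, sent, err
	}
	toSend := sent
	if replay != nil {
		toSend = *replay
	}
	if _, err := conn.Write(toSend[:]); err != nil {
		return false, sent, err
	}
	return <-verdict, sent, nil
}

func main() {
	ok, first, _ := exchange(nil)
	replayed, _, _ := exchange(&first)
	fmt.Println("fresh session accepted:", ok, "replayed report data accepted:", replayed)
}
```

Run it with `go run`; it should report the fresh session as accepted and the replayed report data as rejected. Note what the hub learns in either case: only that the peer of this particular session produced valid report data. Nothing in the exchange ties the second session to the node from the first, which is exactly the identity gap the trade-off paragraph describes.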