On 10/10/06, Brian Gladman <brg gladman.plus.com> wrote:
> I haven't been keeping up to date with this trusted
computing stuff over
> the last two years but when I was last involved it was
accepted that it
> was vital that the owner of a machine (not necessarily
the user) should
> be able to do the sort of things you suggest and also
be able to exert
> ultimate control over how a computing system presents
itself to the
> outside world.
>
> Only in this way can we undermine the treacherous
computing model of
> "trusted machines with untrusted owners" and
replace it with a model in
> which "trust in this machine requires trust in its
owner" on which real
> information security ultimately depends (I might add
that even this
> model has serious potential problems when most machine
owners do not
> understand security).
>
> Does anyone know the current state of affairs on this
issue within the
> Trusted Computing Group (and the marketed products of
its members)?
1. The issue is still moot at present. We are a long way
from where
open, public, remote attestion will be possible. See this
diagram from
the Trousers open-source TPM software stack project which
shows which
pieces are still missing:
http://trousers.sourceforge.net/remote_attestation_de
ps.png
There is actually another important piece missing from that
diagram,
namely operating system support. At present the
infrastructure would
only allow attestation at the OS-boot level, i.e. you could
prove what
OS you booted. It's a big step from there to proving that
you are
running a "safe" application, unless the service
would require you to
reboot your machine into their OS every time you want to run
their
client.
2. Not an insider, but I haven't heard anything about
serious efforts
to implement Owner Override or similar proposals. Instead,
the
response seems to be to wait and hope all that fuss blows
over.
3. What little evidence exists suggests that TCG is going in
the
opposite direction. The 1.2 TPM is designed to work with
Intel's
Lagrange Technology which will add improved process
isolation and late
launch. This will make it possible to attest at the level of
individual applications, and provide protection against the
local user
that a plain TPM system can't manage. 1.2 also adds a
cryptographically blinded attestation mode that gets rid of
the ugly
"privacy ca" which acted as a TTP in 1.1, and
which will make it
easier to move towards attestation.
4. Software remains the biggest question mark, and by
software I mean
Microsoft. They have said nothing about attestation support
in Vista.
Given the hostile response to Palladium I doubt there is
much
enthusiasm about jumping back into that crocodile pit. It
doesn't seem
to be stopping HD-DVD from moving forward, even though there
is no
credible probability of an attestation feature appearing in
the time
frame needed for these new video product introductions.
Without a driving market force to introduce attestation, and
tremendous social resistance, the status quo will probably
prevail for
another couple of years. By that time LT will be available,
TPMs will
be nearly universal but used only for improved local
security, and
perhaps some tentative steps into attestation will appear.
The initial
version might be targeted at corporate VPNs which will
prevent mobile
employees from connecting unless their laptops attest as
clean. This
would be an uncontroversial use of the technology except for
its
possible implications as a first step towards wider use.
Whether we will eventually ever see the whole model, with
attestation,
process isolation, sealed storage, and trusted i/o path all
leading to
super-DRM, is very much an open question. So many barriers
exist
between here and there that it seems unlikely that this will
be seen
by anyone as the right solution to that problem, by then.
CP
------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com
|
