Mike Rosing wrote:
Who owns PRIVEK? Who controls PRIVEK? That's who own's TCPA.
PRIVEK, the TPM's private key, is generated on-chip. It never leaves the chip. No one ever learns its value. Given this fact, who would you say owns and controls it?
And then there was this comment in yet another message:
In addition, we assume that programs are able to run "unmolested"; that is, that other software and even the user cannot peek into the program's memory and manipulate it or learn its secrets. Palladium has a feature called "trusted space" which is supposed to be some special memory that is immune from being compromised. We also assume that all data sent between computers is encrypted using something like SSL, with the secret keys being held securely by the client software (hence unavailable to anyone else, including the users).
Just how "immune" is this program space? Does the operator/owner of the machine control it, or does the owner of PRIVEK control it?
Not much information is provided about this feature in the Palladium white paper. From what I understand, no one is able to manipulate the program when it is in this trusted space, not the machine owner, nor any external party. Only the program is in control.
So the owner of PRIVEK can send a trojan into my machine and take it over anytime they want. Cool, kind of like the movie "Collosis" where a super computer takes over the world.
No, for several reasons. First, PRIVEK doesn't really have an owner in the sense you mean. It is more like an autonomous agent. Second, the PRIVEK stuff is part of the TCPA spec, while the trusted space is from Palladium, and they don't seem to have much to do with each other. And last, just because a program can run without interference, it is a huge leap to infer that anyone can put a trojan onto your machine.
The more I learn about TCPA, the more I don't like it.
No one has said anything different despite the 40+ messages I have sent on this topic. Is this because TCPA is that bad, or is it because everyone is stubborn? Look, I just showed that all these bad things you thought about TCPA were wrong. The PRIVEK is not controlled by someone else, it does not own the trusted space, and it allows no one to put a trojan onto your machine. But you won't now say that TCPA is OK, will you? You just learned some information which objectively should make you feel less bad about it, and yet you either don't feel that way, or you won't admit it. I am coming to doubt that people's feelings and beliefs about TCPA are based on facts at all. No matter how much I correct negative misconceptions about these systems, no one will admit to having any more positive feelings about it.